Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755223AbaLHWQ0 (ORCPT ); Mon, 8 Dec 2014 17:16:26 -0500 Received: from mail-la0-f46.google.com ([209.85.215.46]:48942 "EHLO mail-la0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754018AbaLHWQV (ORCPT ); Mon, 8 Dec 2014 17:16:21 -0500 MIME-Version: 1.0 In-Reply-To: <87sigppzch.fsf_-_@x220.int.ebiederm.org> References: <52e0643bd47b1e5c65921d6e00aea1f724bb510a.1417281801.git.luto@amacapital.net> <87h9xez20g.fsf@x220.int.ebiederm.org> <87mw75ygwp.fsf@x220.int.ebiederm.org> <87fvcxyf28.fsf_-_@x220.int.ebiederm.org> <874mtdyexp.fsf_-_@x220.int.ebiederm.org> <87a935u3nj.fsf@x220.int.ebiederm.org> <87388xodlj.fsf@x220.int.ebiederm.org> <87h9x5re41.fsf_-_@x220.int.ebiederm.org> <87sigppzch.fsf_-_@x220.int.ebiederm.org> From: Andy Lutomirski Date: Mon, 8 Dec 2014 14:15:59 -0800 Message-ID: Subject: Re: [CFT][PATCH 5/7] userns: Only allow the creator of the userns unprivileged mappings To: "Eric W. Biederman" Cc: Linux Containers , Josh Triplett , Andrew Morton , Kees Cook , Michael Kerrisk-manpages , Linux API , linux-man , "linux-kernel@vger.kernel.org" , LSM , Casey Schaufler , "Serge E. Hallyn" , Richard Weinberger , Kenton Varda , stable Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Dec 8, 2014 at 2:10 PM, Eric W. Biederman wrote: > > If you did not create the user namespace and are allowed > to write to uid_map or gid_map you should already have the necessary > privilege in the parent user namespace to establish any mapping > you want so this will not affect userspace in practice. > > Limiting unprivileged uid mapping establishment to the creator of the > user namespace reduces the set of credentials that must be verified > can be obtained without privielge, making code verification simpler. > s/privielge/privilege/ But I still can't parse that sentence. The code itself is: Reviewed-by: Andy Lutomirski > Limiting unprivileged gid mapping establishment (which is temporarily > absent) to the creator of the user namespace also ensures that the > combination of uid and gid can already be obtained without privilege. > > This is part of the fix for CVE-2014-8989. > > Cc: stable@vger.kernel.org > Signed-off-by: "Eric W. Biederman" > --- > kernel/user_namespace.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c > index da1eeb927b21..413f60fd5983 100644 > --- a/kernel/user_namespace.c > +++ b/kernel/user_namespace.c > @@ -812,14 +812,16 @@ static bool new_idmap_permitted(const struct file *file, > struct user_namespace *ns, int cap_setid, > struct uid_gid_map *new_map) > { > + const struct cred *cred = file->f_cred; > /* Don't allow mappings that would allow anything that wouldn't > * be allowed without the establishment of unprivileged mappings. > */ > - if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) { > + if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && > + uid_eq(ns->owner, cred->euid)) { > u32 id = new_map->extent[0].lower_first; > if (cap_setid == CAP_SETUID) { > kuid_t uid = make_kuid(ns->parent, id); > - if (uid_eq(uid, file->f_cred->euid)) > + if (uid_eq(uid, cred->euid)) > return true; > } > } > -- > 1.9.1 > -- Andy Lutomirski AMA Capital Management, LLC -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/