Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3199254imm; Sun, 29 Jul 2018 12:39:34 -0700 (PDT) X-Google-Smtp-Source: AAOMgpeQwmfObeJJHjWOwY/oIuwqBIuP3FOZURVmbb6Y6H9uNImZBLWlgKimkS3MdyOk7cKz16fw X-Received: by 2002:a63:2dc1:: with SMTP id t184-v6mr13706573pgt.62.1532893174666; Sun, 29 Jul 2018 12:39:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532893174; cv=none; d=google.com; s=arc-20160816; b=mJJKP0io3QPe8BmznuLOHBl+u2exTz4n+PPB4GuPN7WbYYiZxGKy0iqXh9eT/AUuIE hdToXaEfMlizchH+pusIcocGdhl1+iOrWGrVVaplE5oQQSAgcYkPyyF8TUwpUkR1iqWB rXvxzUroU5drcMORTUwoQTsWrpOg3GmuRsopfa5wUjKv6nddZQ5QBKCkYDFIWSxbxXoR a93WIM8cRz0l/lKlkGEZqkqlU61jJKXU7ZrAV17v4J0z8S/UBLYUMW7MqSKTM3SeEO00 qh5O6mCNsFhaRFSLeXk+2iQvz/qAwDg1fa/qKykRIoejQbSQRujxyc+kfiod6YtDzh9S ASdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=JT7zd3AmksLuk08DZdDn93fty6525TTv0Ac71ABLDSQ=; b=us4GZP2LHJpZRBmrrTYQuCuRCHvYwtIvLlNs6jOKFBz0xdR26xFFvpYYsu637g43me uOtA5hCXISlqP89altb76ksbyakZsLiUNhe6J10zZGoWQFkZd6gACFgBGAuSK+dVOEe3 02esJPZ+oUi+xbvg4cWCu6qQWL4szQH21H982zRlzA2pi4KsHeUevVSYE4mOF/q6I8AL 6h9Ah1Bri3SGJfQ/+Z32PZ9qjQVrOw3CAtdfxKLgF5y4XgIG4L6EkEXqTEC1QFd9gSER ztzZOihhuFD6IitLbyXC1NVAiZ3x/wmgj4/HW5LVjoPUFtpKKyCIQw4bvNZ76mEU//wv y+OA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=LPS+bAVa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j185-v6si9273505pgc.419.2018.07.29.12.39.20; Sun, 29 Jul 2018 12:39:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=LPS+bAVa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729198AbeG2VIe (ORCPT + 99 others); Sun, 29 Jul 2018 17:08:34 -0400 Received: from mail-pg1-f194.google.com ([209.85.215.194]:44711 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728934AbeG2VId (ORCPT ); Sun, 29 Jul 2018 17:08:33 -0400 Received: by mail-pg1-f194.google.com with SMTP id r1-v6so6026874pgp.11 for ; Sun, 29 Jul 2018 12:37:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=JT7zd3AmksLuk08DZdDn93fty6525TTv0Ac71ABLDSQ=; b=LPS+bAVaeWhTS4mjz/MUJuFiWL6VpEC2M6p/73JbtlCjiRt73vxR96jAt61qYw409p lF/JZ4Y8SzI9dvCE3BQ8UhSTe057GOZh+DUonNZwC09nW3MeA5vwVz1dcuZoh/gRjygr WR6UqW38gdmj4Zv/svOBMPGyMJYACUChlVRqkeBBtKuU5z98F5jytcotAqMXZ7qOg90n ozOpHE3A4NmQWrnztAZJ/D6oGRUyxUNuyXUZ8pG7KRU9CSNh/uzZrpj/cYl9ANmNhwlP U0IjvBsmpMwsxHWlHRsZbvaeGg9GQdZTLi/fW5Nvb0Aj9uwj7kdG8JOVx15R6G+R8WAj pG4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=JT7zd3AmksLuk08DZdDn93fty6525TTv0Ac71ABLDSQ=; b=kMCyurlevRg85nJdnKiOLg7tU1+Ubh50Kn8uumwosx4lP0zObszdMIlTpEB7/mFSj2 M3XzHVIe88vwmQyUDae0s9DGWb9JZbafVlGkul8TrgWS6zM/rej5ws8b/kUagUFsW7Q1 xRVSHVBVNiypPaJf+Xzhjc6JZjcYV9qrzK2EujDOO1TEPT6C5eyTlD2kyjU+CcQj73br UeshPK5LVGrV0FvkMw0rrNfYjGsaDoJjGJPnSXTLa8JavqMqR5CIGBlTXNAKqlOE0RMH aBoO0ib7R52d/aN8NNJGNbAx7Px+oiMfdaNa7qC5bPKpoqsigbnOhKXyzD9bfJxJEJ5a +OAA== X-Gm-Message-State: AOUpUlE1xllq7S6JoW6e1BGX6Any6YcjOJyVo5q1ikwN463vRfhjbtbJ rZzKQT1ji7BcFfnT0Ccz6I0= X-Received: by 2002:a63:e001:: with SMTP id e1-v6mr13664682pgh.380.1532893021866; Sun, 29 Jul 2018 12:37:01 -0700 (PDT) Received: from toddpoynor2.mtv.corp.google.com ([2620:0:1000:3701:7d29:cd13:d903:7908]) by smtp.gmail.com with ESMTPSA id k26-v6sm27474062pfb.167.2018.07.29.12.37.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 29 Jul 2018 12:37:01 -0700 (PDT) From: Todd Poynor To: Rob Springer , John Joseph , Ben Chan , Greg Kroah-Hartman Cc: devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, Dmitry Torokhov , Todd Poynor Subject: [PATCH 04/13] staging: gasket: core: allow root access based on user namespace Date: Sun, 29 Jul 2018 12:36:37 -0700 Message-Id: <20180729193646.201721-5-toddpoynor@gmail.com> X-Mailer: git-send-email 2.18.0.345.g5c9ce644c3-goog In-Reply-To: <20180729193646.201721-1-toddpoynor@gmail.com> References: <20180729193646.201721-1-toddpoynor@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Todd Poynor Use user namespace to determine whether gasket device file opener is root, allowing root access to containers, if necessary. Reported-by: Dmitry Torokhov Signed-off-by: Todd Poynor --- drivers/staging/gasket/gasket_core.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/staging/gasket/gasket_core.c b/drivers/staging/gasket/gasket_core.c index b832a4f529f27..291cd6d074a2e 100644 --- a/drivers/staging/gasket/gasket_core.c +++ b/drivers/staging/gasket/gasket_core.c @@ -13,13 +13,16 @@ #include "gasket_page_table.h" #include "gasket_sysfs.h" +#include #include #include #include #include #include #include +#include #include +#include #ifdef GASKET_KERNEL_TRACE_SUPPORT #define CREATE_TRACE_POINTS @@ -1064,7 +1067,8 @@ static int gasket_open(struct inode *inode, struct file *filp) char task_name[TASK_COMM_LEN]; struct gasket_cdev_info *dev_info = container_of(inode->i_cdev, struct gasket_cdev_info, cdev); - int is_root = capable(CAP_SYS_ADMIN); + struct pid_namespace *pid_ns = task_active_pid_ns(current); + int is_root = ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN); gasket_dev = dev_info->gasket_dev_ptr; driver_desc = gasket_dev->internal_desc->driver_desc; @@ -1147,6 +1151,8 @@ static int gasket_release(struct inode *inode, struct file *file) char task_name[TASK_COMM_LEN]; struct gasket_cdev_info *dev_info = container_of(inode->i_cdev, struct gasket_cdev_info, cdev); + struct pid_namespace *pid_ns = task_active_pid_ns(current); + int is_root = ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN); gasket_dev = dev_info->gasket_dev_ptr; driver_desc = gasket_dev->internal_desc->driver_desc; @@ -1158,7 +1164,7 @@ static int gasket_release(struct inode *inode, struct file *file) "Releasing device node. Call origin: tgid %u (%s) " "(f_mode: 0%03o, fmode_write: %d, is_root: %u)\n", current->tgid, task_name, file->f_mode, - (file->f_mode & FMODE_WRITE), capable(CAP_SYS_ADMIN)); + (file->f_mode & FMODE_WRITE), is_root); dev_dbg(gasket_dev->dev, "Current open count (owning tgid %u): %d\n", ownership->owner, ownership->write_open_count); -- 2.18.0.345.g5c9ce644c3-goog