Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp4172030imm; Mon, 15 Oct 2018 10:11:45 -0700 (PDT) X-Google-Smtp-Source: ACcGV60NyBfcXUxOTJEcG/M4MoYDjDC1oDwvO4zps6JogttydS8qLoGt+dqv4osHR+X+CDtWv4u2 X-Received: by 2002:a63:d10b:: with SMTP id k11-v6mr16979362pgg.80.1539623505760; Mon, 15 Oct 2018 10:11:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539623505; cv=none; d=google.com; s=arc-20160816; b=NcikzdcQAis6KO7LTElkh93ICo+9olxifWT/7UhC2T2/BD1thdZC9xNOquH0SxY7S0 9S72GGJLQi5Yo/plPiIor18T5A0j8PxF/W6F/iGZhGxE/h5R1+uRZ4MnZSyojVeJ+Zf2 kUHcopi2ZQi2EiluVE3AF/wzjQbZN77UOWlCp48X4qUPjPXhRnZpElR1pv6cMi8JVvZa J+iuPM6GfJeQfpXZygsiKL4UsAVg8CSAJJNUKbubYJOvOKEncSAE4sHYTe3PflUXRiKH ZNkdY4vaM/g3zeHcVccYcTjnPOkmZe+MULpVo5mMs3KHcGorT3+u/o92mXg2jL/X6kFd IpiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=Di+nzK5StRcd7LdszbT02+EOQGR8pfp01/I7XRjWMZg=; b=UfxsfdM/VRA+0Mh/mu1N+D3kckkqeGHPUD7SCVgtGKIfyXgEjjzYIpMTmff0dHGNKr FdhfAJKTW7Ojl4Xde6fY3myeF475TYybNz4FIRSQoMS1m1Hvo4MabRa7Et7uN7/8+U3o c5SvUdu83aFh3vFcxLAaATcoAvBZYHlRH6oPRLy0mdbtFbLT0XilsgkhxMELDdWgAJ+F MfPF83MP5zKc1EFog3hETW8c4u7NJRtuYJcQPvU37Bi20wzBbl/iDSq0F6xFaCO6Jr55 YveofvYJUEhaH/uy7E7XPlCRp8TJVsNt8kd2FEpWJrCPguCsXMdPRhw0jse/He8nWqLz momg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=2jXAAsGT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o38-v6si11043589pgl.107.2018.10.15.10.11.29; Mon, 15 Oct 2018 10:11:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=2jXAAsGT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726907AbeJPA4s (ORCPT + 99 others); Mon, 15 Oct 2018 20:56:48 -0400 Received: from userp2130.oracle.com ([156.151.31.86]:58692 "EHLO userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726791AbeJPA4s (ORCPT ); Mon, 15 Oct 2018 20:56:48 -0400 Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w9FH9Vmo188489; Mon, 15 Oct 2018 17:10:35 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id; s=corp-2018-07-02; bh=Di+nzK5StRcd7LdszbT02+EOQGR8pfp01/I7XRjWMZg=; b=2jXAAsGTPu6xVI8u7fnt8dpnyyLn0TAk5LkLeAWpmzmgtc82c2O9t1J4a8sEa7EzUeuL waI5HCs6EFltwT9Gb1BLhfQw9cQYxQCQU+XQbxIdlIL1EhU+QUISKeOvjhw70iHVEFbx umiBAN3g1NgySmGzlFu9j1ewLuzzu5R05nAIS1s27enHYXtD7ofmk3zhw66H1TuJfkng kOZBx2nUWSiyitjC8sZRQFoDybO38047FePgyfC9JApuygaANv/TQvNPetlNXtWz4FBN oaEMiSqdoAKGw0VAZSrYnHRXPu8q9D5dZhQQU2gKslbdISyjzpnj+6ok0hugraYoB1Zt WQ== Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp2130.oracle.com with ESMTP id 2n384tuww2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 15 Oct 2018 17:10:34 +0000 Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w9FHAXEt011925 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 15 Oct 2018 17:10:33 GMT Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w9FHAWbh025759; Mon, 15 Oct 2018 17:10:33 GMT Received: from brm-x4170-02.us.oracle.com (/10.80.150.91) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 15 Oct 2018 10:10:32 -0700 From: nagarathnam.muthusamy@oracle.com To: linux-kernel@vger.kernel.org, ebiederm@xmission.com Cc: akpm@linux-foundation.org, serge.hallyn@ubuntu.com, oleg@redhat.com, prakash.sangappa@oracle.com, khlebnikov@yandex-team.ru, luto@amacapital.net, jannh@google.com, nagarathnam.muthusamy@oracle.com Subject: [RFC] Allow user namespace inside chroot Date: Mon, 15 Oct 2018 11:10:27 -0600 Message-Id: <1539623427-10789-1-git-send-email-nagarathnam.muthusamy@oracle.com> X-Mailer: git-send-email 1.8.3.1 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9047 signatures=668706 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=778 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810150150 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nagarathnam Muthusamy Following commit disables the creation of user namespace inside the chroot environment. userns: Don't allow creation if the user is chrooted commit 3151527ee007b73a0ebd296010f1c0454a919c7d Consider a system in which a non-root user creates a combination of user, pid and mount namespaces and confines a process to it. The system will have multiple levels of nested namespaces. The root namespace in the system will have lots of directories which should not be exposed to the child confined to the set of namespaces. Without chroot, we will have to hide all unwanted directories individually using bind mounts and mount namespace. Chroot enables us to expose a handpicked list of directories which the child can see but if we use chroot we wont be able to create nested namespaces. Allowing a process to create user namespace within a chroot environment will enable it to chroot, which in turn can be used to escape the jail. This patch drops the chroot privilege when user namespace is created within the chroot environment so the process cannot use it to escape the chroot jail. The process can still modify the view of the file system using mount namespace but for those modifications to be useful, it needs to run a setuid program with that intented uid directly mapped into the user namespace as it is which is not possible for an unprivileged process. If there were any other corner cases which were considered while deciding to disable the creation of user namespace as a whole within the chroot environment please let me know. Signed-off-by: Nagarathnam Muthusamy --- kernel/user_namespace.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index e5222b5..83d2a70 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -44,7 +44,7 @@ static void dec_user_namespaces(struct ucounts *ucounts) return dec_ucount(ucounts, UCOUNT_USER_NAMESPACES); } -static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) +static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns, int is_chrooted) { /* Start with the same capabilities as init but useless for doing * anything as the capabilities are bound to the new user namespace. @@ -55,6 +55,11 @@ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) cred->cap_effective = CAP_FULL_SET; cred->cap_ambient = CAP_EMPTY_SET; cred->cap_bset = CAP_FULL_SET; + if (is_chrooted) { + cap_lower(cred->cap_permitted, CAP_SYS_CHROOT); + cap_lower(cred->cap_effective, CAP_SYS_CHROOT); + cap_lower(cred->cap_bset, CAP_SYS_CHROOT); + } #ifdef CONFIG_KEYS key_put(cred->request_key_auth); cred->request_key_auth = NULL; @@ -78,6 +83,7 @@ int create_user_ns(struct cred *new) kgid_t group = new->egid; struct ucounts *ucounts; int ret, i; + int is_chrooted = 0; ret = -ENOSPC; if (parent_ns->level > 32) @@ -88,14 +94,12 @@ int create_user_ns(struct cred *new) goto fail; /* - * Verify that we can not violate the policy of which files - * may be accessed that is specified by the root directory, - * by verifing that the root directory is at the root of the - * mount namespace which allows all files to be accessed. + * Drop the chroot privilege when a user namespace is created inside + * chrooted environment so that the file system view presented to a + * non-admin process is preserved. */ - ret = -EPERM; if (current_chrooted()) - goto fail_dec; + is_chrooted = 1; /* The creator needs a mapping in the parent user namespace * or else we won't be able to reasonably tell userspace who @@ -140,7 +144,7 @@ int create_user_ns(struct cred *new) if (!setup_userns_sysctls(ns)) goto fail_keyring; - set_cred_user_ns(new, ns); + set_cred_user_ns(new, ns, is_chrooted); return 0; fail_keyring: #ifdef CONFIG_PERSISTENT_KEYRINGS @@ -1281,7 +1285,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns) return -ENOMEM; put_user_ns(cred->user_ns); - set_cred_user_ns(cred, get_user_ns(user_ns)); + set_cred_user_ns(cred, get_user_ns(user_ns), 0); return commit_creds(cred); } -- 1.8.3.1