Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp2058718ybv; Fri, 14 Feb 2020 10:38:32 -0800 (PST) X-Google-Smtp-Source: APXvYqyia44r2KrDLxdggBOSYNFlMe35BlPnbdKLYoR0izICzTYk1juol5lO4B0YdapMw5uZzdYP X-Received: by 2002:a05:6830:12d5:: with SMTP id a21mr3453926otq.296.1581705512702; Fri, 14 Feb 2020 10:38:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581705512; cv=none; d=google.com; s=arc-20160816; b=w9bMK+2rUL03MdTET5OcotaobvwT6IHemC8houzB0Gx8jtmRowOBGv/h+JsTPhpzB8 mQ30YFek4X/ccNTFYhVnuWpJULs0ckOwIG4zMcxCQvFCbcMSCX6dRHlVu5bR7R2Ugcol oyfiW+uL/YRo1/kLr4gCpxyLqsAKZxLAwbHK9wM/aGfIpytwMC+kOzKg122b0+cRf8fe M2EnVvnh66HqEhjd8UMFCjPiPSDJgPePlhwrH08I17S0+UI7+ELqLm51wh6jDFkZPuWP 0Lxi/RFCMtOPuBJZzKE6Z4II/UGUyfHMXMA+LmSsq+YmmEZve2UFyv7LFrDJUMOhZLNL fP7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=9/Uc5rvbyPboi8eYjLZRQjImrruaYsnM2FPm1X/1PyQ=; b=p6oyShBFZXEUM2smnQ7ZgkzhAtIdO5Pn/vxCX8LSaMuGU1x5eBBBYQU9eikLecFUjE 14Ss9OJJcmxsNR3ca1shKItSIJveuXRfHKsjU5qywaqF+Zl205S5eUClU+nR7B7sKF5C HXHjrlnQsMi7NdR52BkPjuMjVSxi21pev/9QFS2yxTyUICDIffKfCGdlLUeTZxE3u1VF vRXm3IHjvPb+OwtsaWvYFx0bycY7DbxK0d97c3kV55YSy1tUPmniXktnnYOwi15mmFX0 TSawFnL/WRwLegB9tOK3RyxZc3UqWa2CmQ4ywa2gcheh6EFlCzSbv6PoawjLyFrMcZQk X0ZA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o13si3280750otp.27.2020.02.14.10.38.20; Fri, 14 Feb 2020 10:38:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389404AbgBNSiF (ORCPT + 99 others); Fri, 14 Feb 2020 13:38:05 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:33694 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730663AbgBNSiE (ORCPT ); Fri, 14 Feb 2020 13:38:04 -0500 Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1j2fqS-0000uO-Te; Fri, 14 Feb 2020 18:37:45 +0000 From: Christian Brauner To: =?UTF-8?q?St=C3=A9phane=20Graber?= , "Eric W. Biederman" , Aleksa Sarai , Jann Horn Cc: smbarber@chromium.org, Seth Forshee , Alexander Viro , Alexey Dobriyan , Serge Hallyn , James Morris , Kees Cook , Jonathan Corbet , Phil Estes , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, containers@lists.linux-foundation.org, linux-security-module@vger.kernel.org, linux-api@vger.kernel.org, Christian Brauner Subject: [PATCH v2 11/28] sys:__sys_setreuid(): handle fsid mappings Date: Fri, 14 Feb 2020 19:35:37 +0100 Message-Id: <20200214183554.1133805-12-christian.brauner@ubuntu.com> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200214183554.1133805-1-christian.brauner@ubuntu.com> References: <20200214183554.1133805-1-christian.brauner@ubuntu.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Switch setreuid() to lookup fsids in the fsid mappings. If no fsid mappings are setup the behavior is unchanged, i.e. fsids are looked up in the id mappings. During setreuid() the kfsuid is set to the keuid corresponding the euid that is requested by userspace. If the requested euid is -1 the kfsuid is reset to the current keuid. For the latter case this means we need to lookup the corresponding userspace euid corresponding to the current keuid in the id mappings and translate this euid into the corresponding kfsuid in the fsid mappings. The kfsid to cleanly handle userns visible filesystem is set as before. We require that a user must have a valid fsid mapping for the target id. This is consistent with how the setid calls work today without fsid mappings. Signed-off-by: Christian Brauner --- /* v2 */ - Christian Brauner : - set kfsid which is used when dealing with proc permission checking --- kernel/sys.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index aa379fb5e93b..4697e010bbd7 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -504,7 +504,7 @@ long __sys_setreuid(uid_t ruid, uid_t euid) const struct cred *old; struct cred *new; int retval; - kuid_t kruid, keuid; + kuid_t kruid, keuid, kfsuid; kruid = make_kuid(ns, ruid); keuid = make_kuid(ns, euid); @@ -535,6 +535,13 @@ long __sys_setreuid(uid_t ruid, uid_t euid) !uid_eq(old->suid, keuid) && !ns_capable_setid(old->user_ns, CAP_SETUID)) goto error; + kfsuid = make_kfsuid(new->user_ns, euid); + } else { + kfsuid = kuid_to_kfsuid(new->user_ns, new->euid); + } + if (!uid_valid(kfsuid)) { + retval = -EINVAL; + goto error; } if (!uid_eq(new->uid, old->uid)) { @@ -545,7 +552,8 @@ long __sys_setreuid(uid_t ruid, uid_t euid) if (ruid != (uid_t) -1 || (euid != (uid_t) -1 && !uid_eq(keuid, old->uid))) new->suid = new->euid; - new->fsuid = new->euid; + new->kfsuid = new->euid; + new->fsuid = kfsuid; retval = security_task_fix_setuid(new, old, LSM_SETID_RE); if (retval < 0) -- 2.25.0