Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp2060646ybv; Fri, 14 Feb 2020 10:40:45 -0800 (PST) X-Google-Smtp-Source: APXvYqzdXnTs2vMA5NC/30Q0C0ZqlIRDAXOBoiuM1tW9mTSS1ld1BHRBYkRk5px6ndGm/ajZIJ2Z X-Received: by 2002:aca:ddc2:: with SMTP id u185mr2874758oig.24.1581705645358; Fri, 14 Feb 2020 10:40:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581705645; cv=none; d=google.com; s=arc-20160816; b=bxJdMu9mL1C5XQKSgNAWGCXM/VJQNxaKbXK280b5BT1kVwpSP2i5eIyuCiIsqmhcph 2YWvfVZxdfn5ppxzK6N22dKigy//C4aAo+N9xfB+bc78iGGIvcyq2bOpO6aE27V7/MG5 MzfJ9DRaaQanbGloqO7Jd1XQ+pdrv7vzqSCyIqk0iwZWIpr0LXfa8Jlz9Wmyp1YmIv7S KUKM7UNs3pkTY7voso2izsp4mqP/gwQGsLp0xIPnW4GP8RYb2VS2WzzbvdeQtpavEYu1 pDWsaOdFfQbdTm2LiA7XfX9w1pDysduAQVdmCO3A8HAjmprI9ZM2BLuD11Gv+wruMiOx 936A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=WiLnphnDGbiPaN/Wo0wHc8j0jfUgRJ47ZzBT1hgylPU=; b=BQE4sIpXSabXqrITTySlJp5w6AiWyQ9c+KJUm3/HrsnPCSs0IssY/vW39ODpXxt5YY jeod4pa6OtT3LMhRSJnzrEWrc+xT0MxtHTC11IU0wiSKU0tbBJg0UF9bn6f7ZKGXV5T0 QHxj0YlqUdBPcg3QPIAYm2umLmwCX3VWnm5nOlOoze1diI9QcCHaUCk2WTL+ICmZnj2x df+Thvl+y7nHfa/vbU5A8L+rWmS6pzGU9HmhRKbYDrpUoSs9YOCT6QAryfWH75+U3lzz D9nNmPrBGAQKDE6cQqjvocsz/ky8txfcyX7nir/OYW2ZwPxn44SzoW+4+NFwp1CDlIaU 5kPg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z18si3254049otq.121.2020.02.14.10.40.32; Fri, 14 Feb 2020 10:40:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390806AbgBNSi6 (ORCPT + 99 others); Fri, 14 Feb 2020 13:38:58 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:33657 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730489AbgBNSiA (ORCPT ); Fri, 14 Feb 2020 13:38:00 -0500 Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1j2fqO-0000uO-Jh; Fri, 14 Feb 2020 18:37:40 +0000 From: Christian Brauner To: =?UTF-8?q?St=C3=A9phane=20Graber?= , "Eric W. Biederman" , Aleksa Sarai , Jann Horn Cc: smbarber@chromium.org, Seth Forshee , Alexander Viro , Alexey Dobriyan , Serge Hallyn , James Morris , Kees Cook , Jonathan Corbet , Phil Estes , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, containers@lists.linux-foundation.org, linux-security-module@vger.kernel.org, linux-api@vger.kernel.org, Christian Brauner Subject: [PATCH v2 07/28] sys: __sys_setfsuid(): handle fsid mappings Date: Fri, 14 Feb 2020 19:35:33 +0100 Message-Id: <20200214183554.1133805-8-christian.brauner@ubuntu.com> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200214183554.1133805-1-christian.brauner@ubuntu.com> References: <20200214183554.1133805-1-christian.brauner@ubuntu.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Switch setfsuid() to lookup fsids in the fsid mappings. If no fsid mappings are setup the behavior is unchanged, i.e. fsids are looked up in the id mappings. A caller can only setfs{g,u}id() to a given id if the id maps to a valid kid in both the id and fsid maps of the caller's user namespace. This is always the case when no id mappings and fsid mappings have been written. It is also always the case when an id mapping has been written which includes the target id and but no fsid mappings have been written. All non-fsid mapping aware workloads will thus work just as before. Requiring a valid mapping for the target id in both the id and fsid mappings of the container simplifies permission checking for userns visible filesystems such as proc. Signed-off-by: Christian Brauner --- /* v2 */ - Christian Brauner : - Set unmapped fsid as well. --- kernel/sys.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index f9bc5c303e3f..13f790dbda71 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -59,6 +59,7 @@ #include #include #include +#include #include #include @@ -799,15 +800,19 @@ long __sys_setfsuid(uid_t uid) const struct cred *old; struct cred *new; uid_t old_fsuid; - kuid_t kuid; + kuid_t kuid, kfsuid; old = current_cred(); - old_fsuid = from_kuid_munged(old->user_ns, old->fsuid); + old_fsuid = from_kfsuid_munged(old->user_ns, old->fsuid); - kuid = make_kuid(old->user_ns, uid); + kuid = make_kfsuid(old->user_ns, uid); if (!uid_valid(kuid)) return old_fsuid; + kfsuid = make_kuid(old->user_ns, uid); + if (!uid_valid(kfsuid)) + return old_fsuid; + new = prepare_creds(); if (!new) return old_fsuid; @@ -817,6 +822,7 @@ long __sys_setfsuid(uid_t uid) ns_capable_setid(old->user_ns, CAP_SETUID)) { if (!uid_eq(kuid, old->fsuid)) { new->fsuid = kuid; + new->kfsuid = kfsuid; if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0) goto change_okay; } -- 2.25.0