Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp2061334ybv;
        Fri, 14 Feb 2020 10:41:32 -0800 (PST)
X-Google-Smtp-Source: APXvYqy7T6JNp6bxDuH/SuIc1Vj+TG8BUJJZ9otowBeja3Dap7uhLII7av4q36uobhRkPXFuigk7
X-Received: by 2002:a05:6808:350:: with SMTP id j16mr2748840oie.168.1581705691932;
        Fri, 14 Feb 2020 10:41:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581705691; cv=none;
        d=google.com; s=arc-20160816;
        b=tO3OJe6kbANi84tTnNN8v69HoIhRuJTlSEnTbsd3qT5dMzTLsvBA2Fzw1c51GL70UX
         Iw0E9H0VWLgxOPA18K36vp73g8agKapOvzj2ABoN3cPWzYse9plLgAV3UeJMfvlAQMel
         cRXQFw9ByEMfQixDQCLIxIzeJnONlZLelROs1hKNA/jWkrNN5kzejJ3RAco0lUiXMynl
         02SZ9b66EKmhcCG57Ogi17VM52WIv5l8u8/n91HJLvc0CAem4AWlARYOrVe8MlnERP9v
         u6NTOqWpMLL2M1Um0qPrSVs/h4Ga8uu7yWX2FcemrQoZj0dLiw26/grEjOGAat2BB83/
         I6eA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=VYMMTEMq5vE8I3ERFwAYYb9nlrzzyNLHnYHNKKAul5Y=;
        b=JJEBpyqlpX1AYzTJoZscphLzOHSuZdutXBFhBCgEDoNBjaoDQ00tQGqh96yG5qSjy4
         WzEgxAgAsfEYTNihkBN4qPRzpFZiR8mZNYVTMduWO6GzSsWYGQQUGTSLlMzDJ8QZNNbE
         /Sv+ZE4B+wlL2RVlq/mnkoAwcN3S6EM6pCbBuhWPOmvI4Fkl42jTytMGG7OEFVekaU0X
         P4QUMhoEqH8B6T8ZdyFE+Za8ZIWCoJqV2Ir52SseHfkp75f26pYoWeydz3WkPvLM0vVS
         aic4MHcjJkN3Dm9cHKkcTAAjr0kxIptomeB9vkod9JYyD84EOtF2Z4ek4hpjjy1zUDrj
         ncGw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h18si3012062otr.265.2020.02.14.10.41.19;
        Fri, 14 Feb 2020 10:41:31 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730801AbgBNSkY (ORCPT <rfc822;ahaning.tech@gmail.com>
        + 99 others); Fri, 14 Feb 2020 13:40:24 -0500
Received: from youngberry.canonical.com ([91.189.89.112]:33818 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729781AbgBNSkX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 14 Feb 2020 13:40:23 -0500
Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein.fritz.box)
        by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.86_2)
        (envelope-from <christian.brauner@ubuntu.com>)
        id 1j2fql-0000uO-JW; Fri, 14 Feb 2020 18:38:03 +0000
From:   Christian Brauner <christian.brauner@ubuntu.com>
To:     =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Aleksa Sarai <cyphar@cyphar.com>, Jann Horn <jannh@google.com>
Cc:     smbarber@chromium.org, Seth Forshee <seth.forshee@canonical.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Alexey Dobriyan <adobriyan@gmail.com>,
        Serge Hallyn <serge@hallyn.com>,
        James Morris <jmorris@namei.org>,
        Kees Cook <keescook@chromium.org>,
        Jonathan Corbet <corbet@lwn.net>,
        Phil Estes <estesp@gmail.com>, linux-kernel@vger.kernel.org,
        linux-fsdevel@vger.kernel.org,
        containers@lists.linux-foundation.org,
        linux-security-module@vger.kernel.org, linux-api@vger.kernel.org,
        Christian Brauner <christian.brauner@ubuntu.com>
Subject: [PATCH v2 24/28] commoncap: cap_task_fix_setuid(): handle fsid mappings
Date:   Fri, 14 Feb 2020 19:35:50 +0100
Message-Id: <20200214183554.1133805-25-christian.brauner@ubuntu.com>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200214183554.1133805-1-christian.brauner@ubuntu.com>
References: <20200214183554.1133805-1-christian.brauner@ubuntu.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Switch cap_task_fix_setuid() to lookup fsids in the fsid mappings. If no fsid
mappings are setup the behavior is unchanged, i.e. fsids are looked up in the
id mappings.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
/* v2 */
unchanged
---
 security/commoncap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 9641695d8383..0581c6aa8bdc 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -24,6 +24,7 @@
 #include <linux/user_namespace.h>
 #include <linux/binfmts.h>
 #include <linux/personality.h>
+#include <linux/fsuidgid.h>
 
 /*
  * If a non-root user executes a setuid-root binary in
@@ -1061,7 +1062,7 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
 		 *          if not, we might be a bit too harsh here.
 		 */
 		if (!issecure(SECURE_NO_SETUID_FIXUP)) {
-			kuid_t root_uid = make_kuid(old->user_ns, 0);
+			kuid_t root_uid = make_kfsuid(old->user_ns, 0);
 			if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
 				new->cap_effective =
 					cap_drop_fs_set(new->cap_effective);
-- 
2.25.0