From: Christian Brauner
To: Stéphane Graber, "Eric W. Biederman", Aleksa Sarai, Jann Horn
Cc: smbarber@chromium.org, Seth Forshee, Alexander Viro, Alexey Dobriyan, Serge Hallyn, James Morris, Kees Cook, Jonathan Corbet, Phil Estes, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, containers@lists.linux-foundation.org, linux-security-module@vger.kernel.org, linux-api@vger.kernel.org, Christian Brauner
Subject: [PATCH v3 20/25] exec: bprm_fill_uid(): handle fsid mappings
Date: Tue, 18 Feb 2020 15:34:06 +0100
Message-Id: <20200218143411.2389182-21-christian.brauner@ubuntu.com>
In-Reply-To: <20200218143411.2389182-1-christian.brauner@ubuntu.com>
References: <20200218143411.2389182-1-christian.brauner@ubuntu.com>

Make sure that during suid/sgid binary execution we look up the fsids in the fsid mappings. If the kernel is compiled without fsid mappings or no fsid mappings are set up, the behavior is unchanged.

Assuming we have a binary in a given user namespace that is owned by 0:0 in the given user namespace which appears as 300000:300000 on-disk in the initial user namespace. Now assume we write an id mapping of 0 100000 100000 and an fsid mapping for 0 300000 300000 in the user namespace. When we hit bprm_fill_uid() during setid execution we will retrieve inode kuid=300000 and kgid=300000. We first check whether there's an fsid mapping for these kids. In our scenario we find that they map to fsuid=0 and fsgid=0 in the user namespace. Now we translate them into kids in the id mapping. In our example they translate to kuid=100000 and kgid=100000, which means the file will ultimately run as uid=0 and gid=0 in the user namespace and as uid=100000, gid=100000 in the initial user namespace.

Let's alter the example and assume that there is an fsid mapping of 0 300000 300000 set up but no id mapping has been set up for the user namespace. In this case the last step of translating into a valid kid pair in the id mappings will fail and we will behave as before and ignore the sid bits.

Cc: Jann Horn
Signed-off-by: Christian Brauner
---
/* v2 */
patch added
- Christian Brauner:
  - Make sure that bprm_fill_uid() handles fsid mappings.

/* v3 */
- Christian Brauner:
  - Fix commit message.
---
 fs/exec.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c index db17be51b112..9e4a7e757cef 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -62,6 +62,7 @@ #include #include #include +#include #include #include @@ -1518,8 +1519,8 @@ static void bprm_fill_uid(struct linux_binprm *bprm) { struct inode *inode; unsigned int mode; - kuid_t uid; - kgid_t gid; + kuid_t uid, euid; + kgid_t gid, egid; /* * Since this can be called multiple times (via prepare_binprm), @@ -1551,18 +1552,30 @@ static void bprm_fill_uid(struct linux_binprm *bprm) inode_unlock(inode); /* We ignore suid/sgid if there are no mappings for them in the ns */ - if (!kuid_has_mapping(bprm->cred->user_ns, uid) || - !kgid_has_mapping(bprm->cred->user_ns, gid)) + if (!kfsuid_has_mapping(bprm->cred->user_ns, uid) || + !kfsgid_has_mapping(bprm->cred->user_ns, gid)) return; + if (mode & S_ISUID) { + euid = kfsuid_to_kuid(bprm->cred->user_ns, uid); + if (!uid_valid(euid)) + return; + } + + if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { + egid = kfsgid_to_kgid(bprm->cred->user_ns, gid); + if (!gid_valid(egid)) + return; + } + if (mode & S_ISUID) { bprm->per_clear |= PER_CLEAR_ON_SETID; - bprm->cred->euid = uid; + bprm->cred->euid = euid; } if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { bprm->per_clear |= PER_CLEAR_ON_SETID; - bprm->cred->egid = gid; + bprm->cred->egid = egid; } } -- 2.25.0
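Review bot: in the `@@ -1518,8 +1519,8 @@` hunk, `euid` and `egid` are declared without initializers and are assigned only under `if (mode & S_ISUID)` and the `(S_ISGID | S_IXGRP)` condition in the later hunk; the reads sit under the same conditions, so the code is correct, but initializing them to `INVALID_UID` / `INVALID_GID` at declaration would make the "not translated" state explicit and keep -Wmaybe-uninitialized quiet across compiler versions.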
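Review bot: the comment `/* We ignore suid/sgid if there are no mappings for them in the ns */` in the `@@ -1551,18 +1552,30 @@` hunk now describes only the first of two checks: `kfsuid_has_mapping()`/`kfsgid_has_mapping()` covers the on-disk ids, and the new `kfsuid_to_kuid()`/`kfsgid_to_kgid()` plus `uid_valid()`/`gid_valid()` blocks cover the id-mapping step. Worth extending the comment to say that both translations are validated before `bprm->per_clear` and `bprm->cred->euid`/`egid` are touched, so a failure in either step leaves the cred untouched and the binary runs without the setid bits (the "fsid mapping but no id mapping" case from the commit message); that ordering is the property a reader will want to see stated, since a translation failure after a partial cred update would be the dangerous variant.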
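The two-step translation walked through in the commit message above, modelled as an added user-space C program. This is not kernel code and not part of the patch: the extent walk `map_id()` and `setid_kuid()` are stand-ins for the kernel's idmap helpers, and the mapping values are the constructed ones from the commit message.

```c
/* Added illustration, not part of the patch: a user-space model of the two-step
 * setid lookup described in the commit message. The helpers are stand-ins for
 * the kernel's idmap code, not copies of it. */
#include <stdint.h>
#include <stdio.h>
#define INVALID_ID UINT32_MAX

/* One extent, as in a line of /proc/<pid>/uid_map: ids [first, first+count)
 * inside the namespace correspond to [lower_first, lower_first+count) outside. */
struct extent { uint32_t first, lower_first, count; };
struct idmap { const struct extent *ext; int n; }; /* n == 0: nothing set up */

/* Walk the extents of one map. to_outside=0 turns an outside (kernel) id into
 * the id seen inside the namespace; to_outside=1 goes the other way.
 * Returns INVALID_ID when no extent covers the id. */
static uint32_t map_id(const struct idmap *m, uint32_t id, int to_outside)
{
	for (int i = 0; i < m->n; i++) {
		const struct extent *e = &m->ext[i];
		uint32_t src = to_outside ? e->first : e->lower_first;
		uint32_t dst = to_outside ? e->lower_first : e->first;
		if (id >= src && id - src < e->count)
			return dst + (id - src);
	}
	return INVALID_ID;
}

/* Model of the patched uid path in bprm_fill_uid(): the inode's kuid is resolved
 * through the fsid map to an fsuid inside the namespace, then that fsuid is
 * resolved through the id map to the kuid the task runs as. INVALID_ID means
 * one step failed, so the suid bit is ignored. */
static uint32_t setid_kuid(const struct idmap *fsid_map, const struct idmap *id_map,
			   uint32_t inode_kuid)
{
	uint32_t fsuid = map_id(fsid_map, inode_kuid, 0);
	return fsuid == INVALID_ID ? INVALID_ID : map_id(id_map, fsuid, 1);
}

/* The two scenarios from the commit message, using its constructed values. */
static const struct extent id_ext[] = { { 0, 100000, 100000 } };
static const struct extent fsid_ext[] = { { 0, 300000, 300000 } };
static const struct idmap id_map = { id_ext, 1 };
static const struct idmap fsid_map = { fsid_ext, 1 };
static const struct idmap no_map = { NULL, 0 };

int main(void)
{
	printf("id + fsid mapping: kuid %u\n", (unsigned)setid_kuid(&fsid_map, &id_map, 300000));
	printf("fsid mapping only: kuid %u\n", (unsigned)setid_kuid(&fsid_map, &no_map, 300000));
	return 0;
}
```

The first call resolves 300000 to fsuid 0 and then to kuid 100000; the second fails at the id-mapping step and returns INVALID_ID, the case where the setid bits are dropped.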