From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Andrew G. Morgan", Serge Hallyn, "Eric W. Biederman", Sasha Levin
Subject: [PATCH 4.19 107/247] capabilities: Dont allow writing ambiguous v3 file capabilities
Date: Mon, 1 Mar 2021 17:12:07 +0100
Message-Id: <20210301161036.911248720@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210301161031.684018251@linuxfoundation.org>
References: <20210301161031.684018251@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric W. Biederman

[ Upstream commit 95ebabde382c371572297915b104e55403674e73 ]

The v3 file capabilities have a uid field that records the filesystem uid of the root user of the user namespace the file capabilities are valid in.

When someone is silly enough to have the same underlying uid as the root uid of multiple nested containers a v3 filesystem capability can be ambiguous.

In the spirit of don't do that then, forbid writing a v3 filesystem capability if it is ambiguous.

Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
Reviewed-by: Andrew G. Morgan
Reviewed-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
Signed-off-by: Sasha Levin
---
security/commoncap.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/security/commoncap.c b/security/commoncap.c index a1dee0ab345a2..1bc40e78fa7ff 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -506,7 +506,8 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) __u32 magic, nsmagic; struct inode *inode = d_backing_inode(dentry); struct user_namespace *task_ns = current_user_ns(), - *fs_ns = inode->i_sb->s_user_ns; + *fs_ns = inode->i_sb->s_user_ns, + *ancestor; kuid_t rootid; size_t newsize; 
@@ -529,6 +530,15 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) if (nsrootid == -1) return -EINVAL; + /* + * Do not allow allow adding a v3 filesystem capability xattr + * if the rootid field is ambiguous. + */ + for (ancestor = task_ns->parent; ancestor; ancestor = ancestor->parent) { + if (from_kuid(ancestor, rootid) == 0) + return -EINVAL; + } + newsize = sizeof(struct vfs_ns_cap_data); nscap = kmalloc(newsize, GFP_ATOMIC); if (!nscap) -- 2.27.0
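Review bot: The comment above the new loop in the second hunk (@@ -529,6 +530,15 @@) has a doubled word ("Do not allow allow adding") and never says what makes the rootid field ambiguous, which is the whole point of the check. I would reword it to state the condition the loop actually tests: rootid also maps to uid 0 in some ancestor of task_ns, reached through `from_kuid(ancestor, rootid) == 0`. It is also worth a few words on why the walk starts at `task_ns->parent` rather than `task_ns`, since a reader could otherwise take the exclusion of the task's own namespace for an off-by-one. A smaller point: the new `return -EINVAL` uses the same error code as the `nsrootid == -1` check directly above it, so a caller cannot tell a malformed rootid from an ambiguous one. If that is deliberate, a line in the comment saying so would help whoever next debugs a failing capability write from inside a nested container.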