From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Andrew G. Morgan", Serge Hallyn, "Eric W. Biederman", Sasha Levin
Subject: [PATCH 5.10 257/663] capabilities: Dont allow writing ambiguous v3 file capabilities
Date: Mon, 1 Mar 2021 17:08:25 +0100
Message-Id: <20210301161154.541381356@linuxfoundation.org>
X-Mailer: git-send-email 2.30.1
In-Reply-To: <20210301161141.760350206@linuxfoundation.org>
References: <20210301161141.760350206@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric W. Biederman

[ Upstream commit 95ebabde382c371572297915b104e55403674e73 ]

The v3 file capabilities have a uid field that records the filesystem uid of the root user of the user namespace the file capabilities are valid in.

When someone is silly enough to have the same underlying uid as the root uid of multiple nested containers a v3 filesystem capability can be ambiguous.

In the spirit of don't do that then, forbid writing a v3 filesystem capability if it is ambiguous.

Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
Reviewed-by: Andrew G. Morgan
Reviewed-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
Signed-off-by: Sasha Levin
--- security/commoncap.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/security/commoncap.c b/security/commoncap.c index a6c9bb4441d54..b2a656947504d 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -500,7 +500,8 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) __u32 magic, nsmagic; struct inode *inode = d_backing_inode(dentry); struct user_namespace *task_ns = current_user_ns(), - *fs_ns = inode->i_sb->s_user_ns; + *fs_ns = inode->i_sb->s_user_ns, + *ancestor; kuid_t rootid; size_t newsize; 
@@ -523,6 +524,15 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) if (nsrootid == -1) return -EINVAL; + /* + * Do not allow allow adding a v3 filesystem capability xattr + * if the rootid field is ambiguous. + */ + for (ancestor = task_ns->parent; ancestor; ancestor = ancestor->parent) { + if (from_kuid(ancestor, rootid) == 0) + return -EINVAL; + } + newsize = sizeof(struct vfs_ns_cap_data); nscap = kmalloc(newsize, GFP_ATOMIC); if (!nscap) -- 2.27.0
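
Review bot: The new loop in the second hunk (the `for (ancestor = task_ns->parent; ancestor; ancestor = ancestor->parent)` walk in cap_convert_nscap) does not stop at fs_ns; it continues until the parent pointer is NULL, so the write is refused whenever rootid is uid 0 in any ancestor, the topmost namespace included. Please confirm that refusing a namespace whose root maps to uid 0 at the top of the chain is intended, and say so in the comment, which currently only says "ambiguous" without defining it. The comment also repeats a word ("Do not allow allow"). The new `return -EINVAL` is the same error as the `nsrootid == -1` case directly above it, so userspace cannot tell an unmapped rootid from an ambiguous one; a distinct errno or a note in the documentation of the xattr would help whoever has to debug a failed setxattr.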
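
The ambiguity the commit message describes, as a userspace model (an added example, not kernel code and not part of the patch). `struct user_ns`, `model_from_kuid`, `rootid_is_ambiguous` and the uid ranges are constructed for illustration, and each namespace's uid map is simplified to a single extent expressed in kernel uids.

```c
#include <stdio.h>

/* Simplified model (assumption): each namespace maps its uids 0..count-1
 * onto one extent of kernel uids starting at first_kuid. */
struct user_ns {
    const char *name;
    struct user_ns *parent;
    unsigned int first_kuid;   /* kernel uid that uid 0 in this namespace maps to */
    unsigned int count;
};

/* Constructed sample hierarchy: init -> outer -> {nested_same, nested_shifted}. */
static struct user_ns init_ns        = { "init", NULL, 0, 4294967295u };
static struct user_ns outer          = { "outer", &init_ns, 100000, 65536 };
static struct user_ns nested_same    = { "nested_same", &outer, 100000, 1000 };
static struct user_ns nested_shifted = { "nested_shifted", &outer, 101000, 1000 };

/* Model of from_kuid(): the uid as seen inside ns, or -1 if unmapped. */
static long model_from_kuid(const struct user_ns *ns, unsigned int kuid)
{
    if (kuid < ns->first_kuid || kuid - ns->first_kuid >= ns->count)
        return -1;
    return (long)(kuid - ns->first_kuid);
}

/* Same walk as the patch: 1 if rootid is also uid 0 in an ancestor. */
static int rootid_is_ambiguous(const struct user_ns *task_ns, unsigned int rootid)
{
    const struct user_ns *a;

    for (a = task_ns->parent; a; a = a->parent)
        if (model_from_kuid(a, rootid) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const struct user_ns *ns[] = { &outer, &nested_same, &nested_shifted };

    /* Each namespace tries to write a v3 capability naming its own root. */
    for (size_t i = 0; i < sizeof(ns) / sizeof(ns[0]); i++)
        printf("%-15s rootid=%u ambiguous=%d\n", ns[i]->name,
               ns[i]->first_kuid, rootid_is_ambiguous(ns[i], ns[i]->first_kuid));
    return 0;
}
```

Only `nested_same` is flagged: its root shares kernel uid 100000 with the root of `outer`, so a rootid of 100000 stored in the xattr could refer to either namespace.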