Date: Fri, 24 May 2024 16:26:38 -0500
From: "Serge E. Hallyn"
To: lkml, Andy Lutomirski, "Eric W. Biederman", Tycho Andersen
Subject: [PATCH 1/1] user_namespace map_write: allow CAP_SETUID/CAP_SETGID
Message-ID: <20240524212638.GA1898944@mail.hallyn.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Before 41c21e351e a task with CAP_SETUID could write to /proc/self/uid_map, or a task with CAP_SETGID to gid_map. 41c21e351e was an important fix in checking the capabilities against the opener of the file rather than the writer's namespace, but it erred in replacing CAP_SETXID with CAP_SYS_ADMIN. This means that a task with CAP_SETXID is no longer able to configure its user.

The argument in the commit message that:

    Changing uid/gid/projid mappings doesn't change your id within the namespace; it reconfigures the namespace.

is disputed: First, privilege was needed; the patch only switched the needed capability. Secondly, creating and configuring a new namespace while getting to choose uids from the parent namespace to bind into the child namespace is in fact akin to being able to setuid to the newly mapped uids.

This patch fixes that regression. Since in the meantime a system may have started using CAP_SYS_ADMIN, support either now, to avoid regressing other programs.

Signed-off-by: Serge Hallyn
Cc: Andy Lutomirski
Cc: "Eric W. Biederman"
Fixes: 41c21e351e ("userns: Changing any namespace id mappings should require privileges")
---
 kernel/user_namespace.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 0b0b95418b16..8fbf1ef337bb 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -920,6 +920,17 @@ static bool verify_root_map(const struct file *file, return true; } +static inline bool map_write_allowed(struct file *file, struct user_namespace *map_ns, int cap_setid) +{ + // if the cap is -1, then anyone is allowed to write + if (!cap_valid(cap_setid)) + return true; + + // Otherwise, require either cap_setid or CAP_SYS_ADMIN + return (file_ns_capable(file, map_ns, cap_setid) || + file_ns_capable(file, map_ns, CAP_SYS_ADMIN)); +} + static ssize_t map_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos, int cap_setid, @@ -974,7 +985,7 @@ static ssize_t map_write(struct file *file, const char __user *buf, /* * Adjusting namespace settings requires capabilities on the target. */ - if (cap_valid(cap_setid) && !file_ns_capable(file, map_ns, CAP_SYS_ADMIN)) + if (!map_write_allowed(file, map_ns, cap_setid)) goto out; /* Parse the user data */ -- 2.34.1
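Review bot: in the first hunk, the two comments inside map_write_allowed() use C99 `//` style while the rest of this file, visible in the second hunk ("Adjusting namespace settings requires capabilities on the target." and "/* Parse the user data */"), uses `/* ... */`; kernel coding style asks for the latter, so please switch them. The prototype is also far past the usual line length, and `static inline` in a .c file buys nothing since the compiler decides inlining for a single-caller helper; `static bool map_write_allowed(const struct file *file, struct user_namespace *map_ns, int cap_setid)`, wrapped, would match verify_root_map() directly above, which already takes `const struct file *`. The logic itself is a faithful refactor of the replaced condition: `!cap_valid(cap_setid)` short-circuits to allow exactly where `cap_valid(cap_setid) && ...` could never deny, and both the cap_setid and the CAP_SYS_ADMIN test go through file_ns_capable() against map_ns, so the check stays bound to the opener's credentials rather than the writer's, which is the property 41c21e351e introduced and this patch must not lose. The first comment would be clearer if it named which map_write() caller passes an invalid cap, so the "anyone is allowed to write" branch is self-explanatory.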
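Review bot: in the second hunk, the block comment just above the changed line, "Adjusting namespace settings requires capabilities on the target.", no longer states the full rule; with this change either the map-specific capability (CAP_SETUID for uid_map, CAP_SETGID for gid_map, per the subject line) or CAP_SYS_ADMIN held by the file opener suffices, so update the comment to say so and to record that CAP_SYS_ADMIN is kept only to avoid regressing programs that adopted it after 41c21e351e, as the commit message explains. Because this relaxes an access check on a security-sensitive file, it also deserves a selftest showing that a task holding only CAP_SETUID (no CAP_SYS_ADMIN) can now write a child's uid_map while a task holding neither is still rejected at the `goto out`, plus a matching correction wherever the CAP_SYS_ADMIN requirement is documented.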