Home » Mailing lists » Devel » userns: targeted capabilities v5
[PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c [message #41750 is a reply to message #41743] |
Thu, 17 February 2011 15:03 ![Go to previous message Go to previous message](/theme/ovz3/images/up.png) ![Go to next message Go to previous message](/theme/ovz3/images/down.png) |
serge
Messages: 72 Registered: January 2007
|
Member |
|
|
This allows setuid/setgid in containers. It also fixes some
corner cases where kernel logic foregoes capability checks when
uids are equivalent. The latter will need to be done throughout
the whole kernel.
Changelog:
Jan 11: Use nsown_capable() as suggested by Bastian Blank.
Jan 11: Fix logic errors in uid checks pointed out by Bastian.
Feb 15: allow prlimit to current (was regression in previous version)
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
---
kernel/sys.c | 74 ++++++++++++++++++++++++++++++++++++---------------------
1 files changed, 47 insertions(+), 27 deletions(-)
diff --git a/kernel/sys.c b/kernel/sys.c
index 7a1bbad..075370d 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -118,17 +118,29 @@ EXPORT_SYMBOL(cad_pid);
void (*pm_power_off_prepare)(void);
+/* called with rcu_read_lock, creds are safe */
+static inline int set_one_prio_perm(struct task_struct *p)
+{
+ const struct cred *cred = current_cred(), *pcred = __task_cred(p);
+
+ if (pcred->user->user_ns == cred->user->user_ns &&
+ (pcred->uid == cred->euid ||
+ pcred->euid == cred->euid))
+ return 1;
+ if (ns_capable(pcred->user->user_ns, CAP_SYS_NICE))
+ return 1;
+ return 0;
+}
+
/*
* set the priority of a task
* - the caller must hold the RCU read lock
*/
static int set_one_prio(struct task_struct *p, int niceval, int error)
{
- const struct cred *cred = current_cred(), *pcred = __task_cred(p);
int no_nice;
- if (pcred->uid != cred->euid &&
- pcred->euid != cred->euid && !capable(CAP_SYS_NICE)) {
+ if (!set_one_prio_perm(p)) {
error = -EPERM;
goto out;
}
@@ -502,7 +514,7 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
if (rgid != (gid_t) -1) {
if (old->gid == rgid ||
old->egid == rgid ||
- capable(CAP_SETGID))
+ nsown_capable(CAP_SETGID))
new->gid = rgid;
else
goto error;
@@ -511,7 +523,7 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
if (old->gid == egid ||
old->egid == egid ||
old->sgid == egid ||
- capable(CAP_SETGID))
+ nsown_capable(CAP_SETGID))
new->egid = egid;
else
goto error;
@@ -546,7 +558,7 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
old = current_cred();
retval = -EPERM;
- if (capable(CAP_SETGID))
+ if (nsown_capable(CAP_SETGID))
new->gid = new->egid = new->sgid = new->fsgid = gid;
else if (gid == old->gid || gid == old->sgid)
new->egid = new->fsgid = gid;
@@ -613,7 +625,7 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
new->uid = ruid;
if (old->uid != ruid &&
old->euid != ruid &&
- !capable(CAP_SETUID))
+ !nsown_capable(CAP_SETUID))
goto error;
}
@@ -622,7 +634,7 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
if (old->uid != euid &&
old->euid != euid &&
old->suid != euid &&
- !capable(CAP_SETUID))
+ !nsown_capable(CAP_SETUID))
goto error;
}
@@ -670,7 +682,7 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
old = current_cred();
retval = -EPERM;
- if (capable(CAP_SETUID)) {
+ if (nsown_capable(CAP_SETUID)) {
new->suid = new->uid = uid;
if (uid != old->uid) {
retval = set_user(new);
@@ -712,7 +724,7 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
old = current_cred();
retval = -EPERM;
- if (!capable(CAP_SETUID)) {
+ if (!nsown_capable(CAP_SETUID)) {
if (ruid != (uid_t) -1 && ruid != old->uid &&
ruid != old->euid && ruid != old->suid)
goto error;
@@ -776,7 +788,7 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
old = current_cred();
retval = -EPERM;
- if (!capable(CAP_SETGID)) {
+ if (!nsown_capable(CAP_SETGID)) {
if (rgid != (gid_t) -1 && rgid != old->gid &&
rgid != old->egid && rgid != old->sgid)
goto error;
@@ -836,7 +848,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
if (uid == old->uid || uid == old->euid ||
uid == old->suid || uid == old->fsuid ||
- capable(CAP_SETUID)) {
+ nsown_capable(CAP_SETUID)) {
if (uid != old_fsuid) {
new->fsuid = uid;
if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0)
@@ -869,7 +881,7 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
if (gid == old->gid || gid == old->egid ||
gid == old->sgid || gid == old->fsgid ||
- capable(CAP_SETGID)) {
+ nsown_capable(CAP_SETGID)) {
if (gid != old_fsgid) {
new->fsgid = gid;
goto change_okay;
@@ -1177,8 +1189,11 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
int errno;
char tmp[__NEW_UTS_LEN];
- if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
+ if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN)) {
+ printk(KERN_NOTICE "%s: did not have CAP_SYS_ADMIN\n", __func__);
return -EPERM;
+ }
+ printk(KERN_NOTICE "%s: did have CAP_SYS_ADMIN\n", __func__);
if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL;
down_write(&uts_sem);
@@ -1226,7 +1241,7 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)
int errno;
char tmp[__NEW_UTS_LEN];
- if (!capable(CAP_SYS_ADMIN))
+ if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
return -EPERM;
if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL;
@@ -1341,6 +1356,8 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
rlim = tsk->signal->rlim + resource;
task_lock(tsk->group_leader);
if (new_rlim) {
+ /* Keep the capable check against init_user_ns until
+ cgroups can contain all limits */
if (new_rlim->rlim_max > rlim->rlim_max &&
!capable(CAP_SYS_RESOURCE))
retval = -EPERM;
@@ -1384,19 +1401,22 @@ static int check_prlimit_permission(struct task_struct *task)
{
const struct cred *cred = current_cred(), *tcred;
- tcred = __task_cred(task);
- if (current != task &&
- (cred->uid != tcred->euid ||
- cred->uid != tcred->suid ||
- cred->uid != tcred->uid ||
- cred->gid != tcred->egid ||
- cred->gid != tcred->sgid ||
- cred->gid != tcred->gid) &&
- !capable(CAP_SYS_RESOURCE)) {
- return -EPERM;
- }
+ if (current == task)
+ return 0;
- return 0;
+ tcred = __task_cred(task);
+ if (cred->user->user_ns == tcred->user->user_ns &&
+ (cred->uid == tcred->euid &&
+ cred->uid == tcred->suid &&
+ cred->uid == tcred->uid &&
+ cred->gid == tcred->egid &&
+ cred->gid == tcred->sgid &&
+ cred->gid == tcred->gid))
+ return 0;
+ if (ns_capable(tcred->user->user_ns, CAP_SYS_RESOURCE))
+ return 0;
+
+ return -EPERM;
}
SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource,
--
1.7.0.4
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containe rs
|
|
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
userns: targeted capabilities v5
By: serge on Thu, 17 February 2011 15:02
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 2/9] security: Make capabilities relative to the user namespace.
By: serge on Thu, 17 February 2011 15:03
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: ebiederm on Fri, 18 February 2011 03:46
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: akpm on Fri, 18 February 2011 23:59
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: serge on Wed, 23 February 2011 13:43
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: serge on Thu, 17 February 2011 15:04
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: ebiederm on Fri, 18 February 2011 01:29
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: akpm on Fri, 18 February 2011 23:59
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: serge on Thu, 24 February 2011 03:24
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: akpm on Thu, 24 February 2011 05:08
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 7/9] add a user namespace owner of ipc ns
By: serge on Thu, 17 February 2011 15:03
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
By: ebiederm on Fri, 18 February 2011 03:19
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
By: akpm on Fri, 18 February 2011 23:59
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: serge on Thu, 17 February 2011 15:02
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Fri, 18 February 2011 03:31
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: akpm on Fri, 18 February 2011 23:59
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Wed, 23 February 2011 21:21
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Wed, 23 February 2011 23:54
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 3/9] allow sethostname in a container
By: serge on Thu, 17 February 2011 15:03
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 3/9] allow sethostname in a container
By: ebiederm on Fri, 18 February 2011 03:05
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 3/9] allow sethostname in a container
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 4/9] allow killing tasks in your own or child userns
By: serge on Thu, 17 February 2011 15:03
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: ebiederm on Fri, 18 February 2011 03:00
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: akpm on Fri, 18 February 2011 23:59
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: serge on Thu, 24 February 2011 00:48
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: akpm on Thu, 24 February 2011 00:54
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: serge on Thu, 17 February 2011 15:03
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: ebiederm on Fri, 18 February 2011 01:57
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: akpm on Fri, 18 February 2011 23:59
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: akpm on Sat, 19 February 2011 00:01
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Thu, 17 February 2011 15:03
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: ebiederm on Fri, 18 February 2011 02:59
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Fri, 18 February 2011 04:36
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH] userns: ptrace: incorporate feedback from Eric
By: serge on Thu, 24 February 2011 00:49
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH] userns: ptrace: incorporate feedback from Eric
By: akpm on Thu, 24 February 2011 00:56
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH] userns: ptrace: incorporate feedback from Eric
By: serge on Thu, 24 February 2011 03:15
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: akpm on Fri, 18 February 2011 23:59
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Thu, 24 February 2011 00:43
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
[PATCH 8/9] user namespaces: convert several capable() calls
By: serge on Thu, 17 February 2011 15:03
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 8/9] user namespaces: convert several capable() calls
By: ebiederm on Fri, 18 February 2011 01:51
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: [PATCH 8/9] user namespaces: convert several capable() calls
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: userns: targeted capabilities v5
By: akpm on Fri, 18 February 2011 00:21
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: userns: targeted capabilities v5
By: ebiederm on Fri, 18 February 2011 03:53
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: userns: targeted capabilities v5
By: serge on Fri, 18 February 2011 04:28
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
User namespaces and keys
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
By: serge on Wed, 23 February 2011 13:58
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 14:46
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 15:45
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 20:55
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
|
![Read Message Read Message](/theme/ovz3/images/read.png) |
|
Re: User namespaces and keys
By: ebiederm on Thu, 24 February 2011 06:56
|
Goto Forum:
Current Time: Wed Jul 17 04:35:41 GMT 2024
Total time taken to generate the page: 0.02919 seconds
|