Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull user namespace updates from Eric Biederman: "This finishes up the changes to ensure proc and sysfs do not start implementing executable files, as the there are application today that are only secure because such files do not exist. It akso fixes a long standing misfeature of /proc/<pid>/mountinfo that did not show the proper source for files bind mounted from /proc/<pid>/ns/*. It also straightens out the handling of clone flags related to user namespaces, fixing an unnecessary failure of unshare(CLONE_NEWUSER) when files such as /proc/<pid>/environ are read while <pid> is calling unshare. This winds up fixing a minor bug in unshare flag handling that dates back to the first version of unshare in the kernel. Finally, this fixes a minor regression caused by the introduction of sysfs_create_mount_point, which broke someone's in house application, by restoring the size of /sys/fs/cgroup to 0 bytes. Apparently that application uses the directory size to determine if a tmpfs is mounted on /sys/fs/cgroup. The bind mount escape fixes are present in Al Viros for-next branch. and I expect them to come from there. The bind mount escape is the last of the user namespace related security bugs that I am aware of" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: fs: Set the size of empty dirs to 0. userns,pidns: Force thread group sharing, not signal handler sharing. unshare: Unsharing a thread does not require unsharing a vm nsfs: Add a show_path method to fix mountinfo mnt: fs_fully_visible enforce noexec and nosuid if !SB_I_NOEXEC vfs: Commit to never having exectuables on proc and sysfs.
author: Linus Torvalds <torvalds@linux-foundation.org> 2015-09-01 19:13:25 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2015-09-01 19:13:25 -0400
commit: 73b6fa8e49c2d13e04d20186261e5f7855c6d0bf (patch)
tree: 75c972b9f5284d84db83c6eae63611e96c827c57 /kernel/fork.c
parent: e713c80a4e49d4bed5324d24755e42bf01c87556 (diff)
parent: 4b75de8615050c1b0dd8d7794838c42f74ed36ba (diff)
1 files changed, 22 insertions, 14 deletions
diff --git a/kernel/fork.c b/kernel/fork.c
index 0d93b4d0617b..2b1a61cddc19 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1280,10 +1280,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
        /*
         * If the new process will be in a different pid or user namespace
-         * do not allow it to share a thread group or signal handlers or
+         * do not allow it to share a thread group with the forking task.
-         * parent with the forking task.
         */
-        if (clone_flags & CLONE_SIGHAND) {
+        if (clone_flags & CLONE_THREAD) {
                if ((clone_flags & (CLONE_NEWUSER | CLONE_NEWPID)) ||
                    (task_active_pid_ns(current) !=
                                current->nsproxy->pid_ns_for_children))
@@ -1872,13 +1871,21 @@ static int check_unshare_flags(unsigned long unshare_flags)
                                CLONE_NEWUSER|CLONE_NEWPID))
                return -EINVAL;
        /*
-         * Not implemented, but pretend it works if there is nothing to
+         * Not implemented, but pretend it works if there is nothing
-         * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
+         * to unshare.  Note that unsharing the address space or the
-         * needs to unshare vm.
+         * signal handlers also need to unshare the signal queues (aka
+         * CLONE_THREAD).
         */
        if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
-                /* FIXME: get_task_mm() increments ->mm_users */
+                if (!thread_group_empty(current))
-                if (atomic_read(&current->mm->mm_users) > 1)
+                        return -EINVAL;
+        }
+        if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
+                if (atomic_read(&current->sighand->count) > 1)
+                        return -EINVAL;
+        }
+        if (unshare_flags & CLONE_VM) {
+                if (!current_is_single_threaded())
                        return -EINVAL;
        }
@@ -1942,21 +1949,22 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
        int err;
        /*
-         * If unsharing a user namespace must also unshare the thread.
+         * If unsharing a user namespace must also unshare the thread group
+         * and unshare the filesystem root and working directories.
         */
        if (unshare_flags & CLONE_NEWUSER)
                unshare_flags |= CLONE_THREAD | CLONE_FS;
        /*
-         * If unsharing a thread from a thread group, must also unshare vm.
-         */
-        if (unshare_flags & CLONE_THREAD)
-                unshare_flags |= CLONE_VM;
-        /*
         * If unsharing vm, must also unshare signal handlers.
         */
        if (unshare_flags & CLONE_VM)
                unshare_flags |= CLONE_SIGHAND;
        /*
+         * If unsharing a signal handlers, must also unshare the signal queues.
+         */
+        if (unshare_flags & CLONE_SIGHAND)
+                unshare_flags |= CLONE_THREAD;
+        /*
         * If unsharing namespace, must also unshare filesystem information.
         */
        if (unshare_flags & CLONE_NEWNS)
author	Linus Torvalds <torvalds@linux-foundation.org>	2015-09-01 19:13:25 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2015-09-01 19:13:25 -0400
commit	73b6fa8e49c2d13e04d20186261e5f7855c6d0bf (patch)
tree	75c972b9f5284d84db83c6eae63611e96c827c57 /kernel/fork.c
parent	e713c80a4e49d4bed5324d24755e42bf01c87556 (diff)
parent	4b75de8615050c1b0dd8d7794838c42f74ed36ba (diff)