aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2012-12-13 21:06:40 -0500
committerEric W. Biederman <ebiederm@xmission.com>2012-12-14 16:50:32 -0500
commit520d9eabce18edfef76a60b7b839d54facafe1f9 (patch)
tree69aed7689a6467f88aad8ea43790d5cf2f30ec7c
parent98f842e675f96ffac96e6c50315790912b2812be (diff)
Fix cap_capable to only allow owners in the parent user namespace to have caps.
Andy Lutomirski pointed out that the current behavior of allowing the owner of a user namespace to have all caps when that owner is not in a parent user namespace is wrong. Add a test to ensure the owner of a user namespace is in the parent of the user namespace to fix this bug. Thankfully this bug did not apply to the initial user namespace, keeping the mischief that can be caused by this bug quite small. This is bug was introduced in v3.5 by commit 783291e6900 "Simplify the user_namespace by making userns->creator a kuid." But did not matter until the permisions required to create a user namespace were relaxed allowing a user namespace to be created inside of a user namespace. The bug made it possible for the owner of a user namespace to be present in a child user namespace. Since the owner of a user nameapce is granted all capabilities it became possible for users in a grandchild user namespace to have all privilges over their parent user namspace. Reorder the checks in cap_capable. This should make the common case faster and make it clear that nothing magic happens in the initial user namespace. The reordering is safe because cred->user_ns can only be in targ_ns or targ_ns->parent but not both. Add a comment a the top of the loop to make the logic of the code clear. Add a distinct variable ns that changes as we walk up the user namespace hierarchy to make it clear which variable is changing. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
-rw-r--r--security/commoncap.c25
1 files changed, 17 insertions, 8 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 6dbae4650abe..7ee08c756d6b 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -76,24 +76,33 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
76int cap_capable(const struct cred *cred, struct user_namespace *targ_ns, 76int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
77 int cap, int audit) 77 int cap, int audit)
78{ 78{
79 for (;;) { 79 struct user_namespace *ns = targ_ns;
80 /* The owner of the user namespace has all caps. */
81 if (targ_ns != &init_user_ns && uid_eq(targ_ns->owner, cred->euid))
82 return 0;
83 80
81 /* See if cred has the capability in the target user namespace
82 * by examining the target user namespace and all of the target
83 * user namespace's parents.
84 */
85 for (;;) {
84 /* Do we have the necessary capabilities? */ 86 /* Do we have the necessary capabilities? */
85 if (targ_ns == cred->user_ns) 87 if (ns == cred->user_ns)
86 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 88 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
87 89
88 /* Have we tried all of the parent namespaces? */ 90 /* Have we tried all of the parent namespaces? */
89 if (targ_ns == &init_user_ns) 91 if (ns == &init_user_ns)
90 return -EPERM; 92 return -EPERM;
91 93
94 /*
95 * The owner of the user namespace in the parent of the
96 * user namespace has all caps.
97 */
98 if ((ns->parent == cred->user_ns) && uid_eq(ns->owner, cred->euid))
99 return 0;
100
92 /* 101 /*
93 *If you have a capability in a parent user ns, then you have 102 * If you have a capability in a parent user ns, then you have
94 * it over all children user namespaces as well. 103 * it over all children user namespaces as well.
95 */ 104 */
96 targ_ns = targ_ns->parent; 105 ns = ns->parent;
97 } 106 }
98 107
99 /* We never get here */ 108 /* We never get here */