diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2011-11-17 02:37:59 -0500 |
|---|---|---|
| committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-05-15 17:59:23 -0400 |
| commit | 9e4a36ece652908276bc4abb4324ec56292453e1 (patch) | |
| tree | ec267b9350f9e06aa510e35fbd6858ba3b9d602c /fs/exec.c | |
| parent | a7c1938e22c02b008655524c766d185ae99d9d53 (diff) | |
userns: Fail exec for suid and sgid binaries with ids outside our user namespace.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'fs/exec.c')
| -rw-r--r-- | fs/exec.c | 5 |
1 files changed, 5 insertions, 0 deletions
| @@ -1291,8 +1291,11 @@ int prepare_binprm(struct linux_binprm *bprm) | |||
| 1291 | if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { | 1291 | if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { |
| 1292 | /* Set-uid? */ | 1292 | /* Set-uid? */ |
| 1293 | if (mode & S_ISUID) { | 1293 | if (mode & S_ISUID) { |
| 1294 | if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid)) | ||
| 1295 | return -EPERM; | ||
| 1294 | bprm->per_clear |= PER_CLEAR_ON_SETID; | 1296 | bprm->per_clear |= PER_CLEAR_ON_SETID; |
| 1295 | bprm->cred->euid = inode->i_uid; | 1297 | bprm->cred->euid = inode->i_uid; |
| 1298 | |||
| 1296 | } | 1299 | } |
| 1297 | 1300 | ||
| 1298 | /* Set-gid? */ | 1301 | /* Set-gid? */ |
| @@ -1302,6 +1305,8 @@ int prepare_binprm(struct linux_binprm *bprm) | |||
| 1302 | * executable. | 1305 | * executable. |
| 1303 | */ | 1306 | */ |
| 1304 | if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { | 1307 | if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { |
| 1308 | if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) | ||
| 1309 | return -EPERM; | ||
| 1305 | bprm->per_clear |= PER_CLEAR_ON_SETID; | 1310 | bprm->per_clear |= PER_CLEAR_ON_SETID; |
| 1306 | bprm->cred->egid = inode->i_gid; | 1311 | bprm->cred->egid = inode->i_gid; |
| 1307 | } | 1312 | } |