aboutsummaryrefslogtreecommitdiffstats
path: root/fs/exec.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2012-05-23 20:42:39 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-05-23 20:42:39 -0400
commit644473e9c60c1ff4f6351fed637a6e5551e3dce7 (patch)
tree10316518bedc735a2c6552886658d69dfd9f1eb0 /fs/exec.c
parentfb827ec68446c83e9e8754fa9b55aed27ecc4661 (diff)
parent4b06a81f1daee668fbd6de85557bfb36dd36078f (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull user namespace enhancements from Eric Biederman: "This is a course correction for the user namespace, so that we can reach an inexpensive, maintainable, and reasonably complete implementation. Highlights: - Config guards make it impossible to enable the user namespace and code that has not been converted to be user namespace safe. - Use of the new kuid_t type ensures the if you somehow get past the config guards the kernel will encounter type errors if you enable user namespaces and attempt to compile in code whose permission checks have not been updated to be user namespace safe. - All uids from child user namespaces are mapped into the initial user namespace before they are processed. Removing the need to add an additional check to see if the user namespace of the compared uids remains the same. - With the user namespaces compiled out the performance is as good or better than it is today. - For most operations absolutely nothing changes performance or operationally with the user namespace enabled. - The worst case performance I could come up with was timing 1 billion cache cold stat operations with the user namespace code enabled. This went from 156s to 164s on my laptop (or 156ns to 164ns per stat operation). - (uid_t)-1 and (gid_t)-1 are reserved as an internal error value. Most uid/gid setting system calls treat these value specially anyway so attempting to use -1 as a uid would likely cause entertaining failures in userspace. - If setuid is called with a uid that can not be mapped setuid fails. I have looked at sendmail, login, ssh and every other program I could think of that would call setuid and they all check for and handle the case where setuid fails. - If stat or a similar system call is called from a context in which we can not map a uid we lie and return overflowuid. The LFS experience suggests not lying and returning an error code might be better, but the historical precedent with uids is different and I can not think of anything that would break by lying about a uid we can't map. - Capabilities are localized to the current user namespace making it safe to give the initial user in a user namespace all capabilities. My git tree covers all of the modifications needed to convert the core kernel and enough changes to make a system bootable to runlevel 1." Fix up trivial conflicts due to nearby independent changes in fs/stat.c * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (46 commits) userns: Silence silly gcc warning. cred: use correct cred accessor with regards to rcu read lock userns: Convert the move_pages, and migrate_pages permission checks to use uid_eq userns: Convert cgroup permission checks to use uid_eq userns: Convert tmpfs to use kuid and kgid where appropriate userns: Convert sysfs to use kgid/kuid where appropriate userns: Convert sysctl permission checks to use kuid and kgids. userns: Convert proc to use kuid/kgid where appropriate userns: Convert ext4 to user kuid/kgid where appropriate userns: Convert ext3 to use kuid/kgid where appropriate userns: Convert ext2 to use kuid/kgid where appropriate. userns: Convert devpts to use kuid/kgid where appropriate userns: Convert binary formats to use kuid/kgid where appropriate userns: Add negative depends on entries to avoid building code that is userns unsafe userns: signal remove unnecessary map_cred_ns userns: Teach inode_capable to understand inodes whose uids map to other namespaces. userns: Fail exec for suid and sgid binaries with ids outside our user namespace. userns: Convert stat to return values mapped from kuids and kgids userns: Convert user specfied uids and gids in chown into kuids and kgid userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs ...
Diffstat (limited to 'fs/exec.c')
-rw-r--r--fs/exec.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 1e8efdc80412..52c9e2ff6e6b 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1139,7 +1139,7 @@ void setup_new_exec(struct linux_binprm * bprm)
1139 /* This is the point of no return */ 1139 /* This is the point of no return */
1140 current->sas_ss_sp = current->sas_ss_size = 0; 1140 current->sas_ss_sp = current->sas_ss_size = 0;
1141 1141
1142 if (current_euid() == current_uid() && current_egid() == current_gid()) 1142 if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid()))
1143 set_dumpable(current->mm, 1); 1143 set_dumpable(current->mm, 1);
1144 else 1144 else
1145 set_dumpable(current->mm, suid_dumpable); 1145 set_dumpable(current->mm, suid_dumpable);
@@ -1153,8 +1153,8 @@ void setup_new_exec(struct linux_binprm * bprm)
1153 current->mm->task_size = TASK_SIZE; 1153 current->mm->task_size = TASK_SIZE;
1154 1154
1155 /* install the new credentials */ 1155 /* install the new credentials */
1156 if (bprm->cred->uid != current_euid() || 1156 if (!uid_eq(bprm->cred->uid, current_euid()) ||
1157 bprm->cred->gid != current_egid()) { 1157 !gid_eq(bprm->cred->gid, current_egid())) {
1158 current->pdeath_signal = 0; 1158 current->pdeath_signal = 0;
1159 } else { 1159 } else {
1160 would_dump(bprm, bprm->file); 1160 would_dump(bprm, bprm->file);
@@ -1299,8 +1299,11 @@ int prepare_binprm(struct linux_binprm *bprm)
1299 !current->no_new_privs) { 1299 !current->no_new_privs) {
1300 /* Set-uid? */ 1300 /* Set-uid? */
1301 if (mode & S_ISUID) { 1301 if (mode & S_ISUID) {
1302 if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid))
1303 return -EPERM;
1302 bprm->per_clear |= PER_CLEAR_ON_SETID; 1304 bprm->per_clear |= PER_CLEAR_ON_SETID;
1303 bprm->cred->euid = inode->i_uid; 1305 bprm->cred->euid = inode->i_uid;
1306
1304 } 1307 }
1305 1308
1306 /* Set-gid? */ 1309 /* Set-gid? */
@@ -1310,6 +1313,8 @@ int prepare_binprm(struct linux_binprm *bprm)
1310 * executable. 1313 * executable.
1311 */ 1314 */
1312 if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { 1315 if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
1316 if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid))
1317 return -EPERM;
1313 bprm->per_clear |= PER_CLEAR_ON_SETID; 1318 bprm->per_clear |= PER_CLEAR_ON_SETID;
1314 bprm->cred->egid = inode->i_gid; 1319 bprm->cred->egid = inode->i_gid;
1315 } 1320 }
@@ -2142,7 +2147,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2142 if (__get_dumpable(cprm.mm_flags) == 2) { 2147 if (__get_dumpable(cprm.mm_flags) == 2) {
2143 /* Setuid core dump mode */ 2148 /* Setuid core dump mode */
2144 flag = O_EXCL; /* Stop rewrite attacks */ 2149 flag = O_EXCL; /* Stop rewrite attacks */
2145 cred->fsuid = 0; /* Dump root private */ 2150 cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */
2146 } 2151 }
2147 2152
2148 retval = coredump_wait(exit_code, &core_state); 2153 retval = coredump_wait(exit_code, &core_state);
@@ -2243,7 +2248,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
2243 * Dont allow local users get cute and trick others to coredump 2248 * Dont allow local users get cute and trick others to coredump
2244 * into their pre-created files. 2249 * into their pre-created files.
2245 */ 2250 */
2246 if (inode->i_uid != current_fsuid()) 2251 if (!uid_eq(inode->i_uid, current_fsuid()))
2247 goto close_fail; 2252 goto close_fail;
2248 if (!cprm.file->f_op || !cprm.file->f_op->write) 2253 if (!cprm.file->f_op || !cprm.file->f_op->write)
2249 goto close_fail; 2254 goto close_fail;