userns: Add a knob to disable setgroups on a per user namespace basis

- Expose the knob to user space through a proc file /proc/<pid>/setgroups A value of "deny" means the setgroups system call is disabled in the current processes user namespace and can not be enabled in the future in this user namespace. A value of "allow" means the segtoups system call is enabled. - Descendant user namespaces inherit the value of setgroups from their parents. - A proc file is used (instead of a sysctl) as sysctls currently do not allow checking the permissions at open time. - Writing to the proc file is restricted to before the gid_map for the user namespace is set. This ensures that disabling setgroups at a user namespace level will never remove the ability to call setgroups from a process that already has that ability. A process may opt in to the setgroups disable for itself by creating, entering and configuring a user namespace or by calling setns on an existing user namespace with setgroups disabled. Processes without privileges already can not call setgroups so this is a noop. Prodcess with privilege become processes without privilege when entering a user namespace and as with any other path to dropping privilege they would not have the ability to call setgroups. So this remains within the bounds of what is possible without a knob to disable setgroups permanently in a user namespace. Cc: stable@vger.kernel.org Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2014-12-02 13:27:26 -0500
committer: Eric W. Biederman <ebiederm@xmission.com> 2014-12-11 19:06:36 -0500
commit: 9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 (patch)
tree: d996dd9c6d422e723af0da786add936bd7ec1c91 /fs/proc
parent: f0d62aec931e4ae3333c797d346dc4f188f454ba (diff)
1 files changed, 53 insertions, 0 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 772efa45a452..7dc3ea89ef1a 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2464,6 +2464,57 @@ static const struct file_operations proc_projid_map_operations = {
        .llseek         = seq_lseek,
        .release        = proc_id_map_release,
 };
+static int proc_setgroups_open(struct inode *inode, struct file *file)
+{
+        struct user_namespace *ns = NULL;
+        struct task_struct *task;
+        int ret;
+        ret = -ESRCH;
+        task = get_proc_task(inode);
+        if (task) {
+                rcu_read_lock();
+                ns = get_user_ns(task_cred_xxx(task, user_ns));
+                rcu_read_unlock();
+                put_task_struct(task);
+        }
+        if (!ns)
+                goto err;
+        if (file->f_mode & FMODE_WRITE) {
+                ret = -EACCES;
+                if (!ns_capable(ns, CAP_SYS_ADMIN))
+                        goto err_put_ns;
+        }
+        ret = single_open(file, &proc_setgroups_show, ns);
+        if (ret)
+                goto err_put_ns;
+        return 0;
+err_put_ns:
+        put_user_ns(ns);
+err:
+        return ret;
+}
+static int proc_setgroups_release(struct inode *inode, struct file *file)
+{
+        struct seq_file *seq = file->private_data;
+        struct user_namespace *ns = seq->private;
+        int ret = single_release(inode, file);
+        put_user_ns(ns);
+        return ret;
+}
+static const struct file_operations proc_setgroups_operations = {
+        .open           = proc_setgroups_open,
+        .write          = proc_setgroups_write,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = proc_setgroups_release,
+};
 #endif /* CONFIG_USER_NS */
 static int proc_pid_personality(struct seq_file *m, struct pid_namespace *ns,
@@ -2572,6 +2623,7 @@ static const struct pid_entry tgid_base_stuff[] = {
        REG("uid_map",    S_IRUGO|S_IWUSR, proc_uid_map_operations),
        REG("gid_map",    S_IRUGO|S_IWUSR, proc_gid_map_operations),
        REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations),
+        REG("setgroups",  S_IRUGO|S_IWUSR, proc_setgroups_operations),
 #endif
 #ifdef CONFIG_CHECKPOINT_RESTORE
        REG("timers",     S_IRUGO, proc_timers_operations),
@@ -2913,6 +2965,7 @@ static const struct pid_entry tid_base_stuff[] = {
        REG("uid_map",    S_IRUGO|S_IWUSR, proc_uid_map_operations),
        REG("gid_map",    S_IRUGO|S_IWUSR, proc_gid_map_operations),
        REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations),
+        REG("setgroups",  S_IRUGO|S_IWUSR, proc_setgroups_operations),
 #endif
 };
author	Eric W. Biederman <ebiederm@xmission.com>	2014-12-02 13:27:26 -0500
committer	Eric W. Biederman <ebiederm@xmission.com>	2014-12-11 19:06:36 -0500
commit	9cc46516ddf497ea16e8d7cb986ae03a0f6b92f8 (patch)
tree	d996dd9c6d422e723af0da786add936bd7ec1c91 /fs/proc
parent	f0d62aec931e4ae3333c797d346dc4f188f454ba (diff)

diff --git a/fs/proc/base.c b/fs/proc/base.c index 772efa45a452..7dc3ea89ef1a 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c
@@ -2464,6 +2464,57 @@ static const struct file_operations proc_projid_map_operations = {
2464	.llseek = seq_lseek,	2464	.llseek = seq_lseek,
2465	.release = proc_id_map_release,	2465	.release = proc_id_map_release,
2466	};	2466	};
		2467
		2468	static int proc_setgroups_open(struct inode inode, struct file file)
		2469	{
		2470	struct user_namespace *ns = NULL;
		2471	struct task_struct *task;
		2472	int ret;
		2473
		2474	ret = -ESRCH;
		2475	task = get_proc_task(inode);
		2476	if (task) {
		2477	rcu_read_lock();
		2478	ns = get_user_ns(task_cred_xxx(task, user_ns));
		2479	rcu_read_unlock();
		2480	put_task_struct(task);
		2481	}
		2482	if (!ns)
		2483	goto err;
		2484
		2485	if (file->f_mode & FMODE_WRITE) {
		2486	ret = -EACCES;
		2487	if (!ns_capable(ns, CAP_SYS_ADMIN))
		2488	goto err_put_ns;
		2489	}
		2490
		2491	ret = single_open(file, &proc_setgroups_show, ns);
		2492	if (ret)
		2493	goto err_put_ns;
		2494
		2495	return 0;
		2496	err_put_ns:
		2497	put_user_ns(ns);
		2498	err:
		2499	return ret;
		2500	}
		2501
		2502	static int proc_setgroups_release(struct inode inode, struct file file)
		2503	{
		2504	struct seq_file *seq = file->private_data;
		2505	struct user_namespace *ns = seq->private;
		2506	int ret = single_release(inode, file);
		2507	put_user_ns(ns);
		2508	return ret;
		2509	}
		2510
		2511	static const struct file_operations proc_setgroups_operations = {
		2512	.open = proc_setgroups_open,
		2513	.write = proc_setgroups_write,
		2514	.read = seq_read,
		2515	.llseek = seq_lseek,
		2516	.release = proc_setgroups_release,
		2517	};
2467	#endif /* CONFIG_USER_NS */	2518	#endif /* CONFIG_USER_NS */
2468		2519
2469	static int proc_pid_personality(struct seq_file m, struct pid_namespace ns,	2520	static int proc_pid_personality(struct seq_file m, struct pid_namespace ns,
@@ -2572,6 +2623,7 @@ static const struct pid_entry tgid_base_stuff[] = {
2572	REG("uid_map", S_IRUGO\|S_IWUSR, proc_uid_map_operations),	2623	REG("uid_map", S_IRUGO\|S_IWUSR, proc_uid_map_operations),
2573	REG("gid_map", S_IRUGO\|S_IWUSR, proc_gid_map_operations),	2624	REG("gid_map", S_IRUGO\|S_IWUSR, proc_gid_map_operations),
2574	REG("projid_map", S_IRUGO\|S_IWUSR, proc_projid_map_operations),	2625	REG("projid_map", S_IRUGO\|S_IWUSR, proc_projid_map_operations),
		2626	REG("setgroups", S_IRUGO\|S_IWUSR, proc_setgroups_operations),
2575	#endif	2627	#endif
2576	#ifdef CONFIG_CHECKPOINT_RESTORE	2628	#ifdef CONFIG_CHECKPOINT_RESTORE
2577	REG("timers", S_IRUGO, proc_timers_operations),	2629	REG("timers", S_IRUGO, proc_timers_operations),
@@ -2913,6 +2965,7 @@ static const struct pid_entry tid_base_stuff[] = {
2913	REG("uid_map", S_IRUGO\|S_IWUSR, proc_uid_map_operations),	2965	REG("uid_map", S_IRUGO\|S_IWUSR, proc_uid_map_operations),
2914	REG("gid_map", S_IRUGO\|S_IWUSR, proc_gid_map_operations),	2966	REG("gid_map", S_IRUGO\|S_IWUSR, proc_gid_map_operations),
2915	REG("projid_map", S_IRUGO\|S_IWUSR, proc_projid_map_operations),	2967	REG("projid_map", S_IRUGO\|S_IWUSR, proc_projid_map_operations),
		2968	REG("setgroups", S_IRUGO\|S_IWUSR, proc_setgroups_operations),
2916	#endif	2969	#endif
2917	};	2970	};
2918		2971