diff options
| author | Andy Lutomirski <luto@amacapital.net> | 2014-06-10 15:45:42 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-10 16:57:22 -0400 |
| commit | 23adbe12ef7d3d4195e80800ab36b37bee28cd03 (patch) | |
| tree | 000f8f8b3172aa6629b7c9a4148a96549a07acb6 /kernel/capability.c | |
| parent | 5b174fd6472b1d6b6402b30210a212f3fd770d96 (diff) | |
fs,userns: Change inode_capable to capable_wrt_inode_uidgid
The kernel has no concept of capabilities with respect to inodes; inodes
exist independently of namespaces. For example, inode_capable(inode,
CAP_LINUX_IMMUTABLE) would be nonsense.
This patch changes inode_capable to check for uid and gid mappings and
renames it to capable_wrt_inode_uidgid, which should make it more
obvious what it does.
Fixes CVE-2014-4014.
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel/capability.c')
| -rw-r--r-- | kernel/capability.c | 20 |
1 files changed, 8 insertions, 12 deletions
diff --git a/kernel/capability.c b/kernel/capability.c index 84b2bbf443e7..a5cf13c018ce 100644 --- a/kernel/capability.c +++ b/kernel/capability.c | |||
| @@ -424,23 +424,19 @@ bool capable(int cap) | |||
| 424 | EXPORT_SYMBOL(capable); | 424 | EXPORT_SYMBOL(capable); |
| 425 | 425 | ||
| 426 | /** | 426 | /** |
| 427 | * inode_capable - Check superior capability over inode | 427 | * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped |
| 428 | * @inode: The inode in question | 428 | * @inode: The inode in question |
| 429 | * @cap: The capability in question | 429 | * @cap: The capability in question |
| 430 | * | 430 | * |
| 431 | * Return true if the current task has the given superior capability | 431 | * Return true if the current task has the given capability targeted at |
| 432 | * targeted at it's own user namespace and that the given inode is owned | 432 | * its own user namespace and that the given inode's uid and gid are |
| 433 | * by the current user namespace or a child namespace. | 433 | * mapped into the current user namespace. |
| 434 | * | ||
| 435 | * Currently we check to see if an inode is owned by the current | ||
| 436 | * user namespace by seeing if the inode's owner maps into the | ||
| 437 | * current user namespace. | ||
| 438 | * | ||
| 439 | */ | 434 | */ |
| 440 | bool inode_capable(const struct inode *inode, int cap) | 435 | bool capable_wrt_inode_uidgid(const struct inode *inode, int cap) |
| 441 | { | 436 | { |
| 442 | struct user_namespace *ns = current_user_ns(); | 437 | struct user_namespace *ns = current_user_ns(); |
| 443 | 438 | ||
| 444 | return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid); | 439 | return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && |
| 440 | kgid_has_mapping(ns, inode->i_gid); | ||
| 445 | } | 441 | } |
| 446 | EXPORT_SYMBOL(inode_capable); | 442 | EXPORT_SYMBOL(capable_wrt_inode_uidgid); |