diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2012-07-26 08:05:21 -0400 |
|---|---|---|
| committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-20 07:17:44 -0500 |
| commit | 4c44aaafa8108f584831850ab48a975e971db2de (patch) | |
| tree | c86f225e8256d28271acf3ea8926e70358f3e5c1 /kernel/sched | |
| parent | bcf58e725ddc45d31addbc6627d4f0edccc824c1 (diff) | |
userns: Kill task_user_ns
The task_user_ns function hides the fact that it is getting the user
namespace from struct cred on the task. struct cred may go away as
soon as the rcu lock is released. This leads to a race where we
can dereference a stale user namespace pointer.
To make it obvious a struct cred is involved kill task_user_ns.
To kill the race modify the users of task_user_ns to only
reference the user namespace while the rcu lock is held.
Cc: Kees Cook <keescook@chromium.org>
Cc: James Morris <james.l.morris@oracle.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'kernel/sched')
| -rw-r--r-- | kernel/sched/core.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 2d8927fda712..2f5eb1838b3e 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c | |||
| @@ -4029,8 +4029,14 @@ long sched_setaffinity(pid_t pid, const struct cpumask *in_mask) | |||
| 4029 | goto out_free_cpus_allowed; | 4029 | goto out_free_cpus_allowed; |
| 4030 | } | 4030 | } |
| 4031 | retval = -EPERM; | 4031 | retval = -EPERM; |
| 4032 | if (!check_same_owner(p) && !ns_capable(task_user_ns(p), CAP_SYS_NICE)) | 4032 | if (!check_same_owner(p)) { |
| 4033 | goto out_unlock; | 4033 | rcu_read_lock(); |
| 4034 | if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) { | ||
| 4035 | rcu_read_unlock(); | ||
| 4036 | goto out_unlock; | ||
| 4037 | } | ||
| 4038 | rcu_read_unlock(); | ||
| 4039 | } | ||
| 4034 | 4040 | ||
| 4035 | retval = security_task_setscheduler(p); | 4041 | retval = security_task_setscheduler(p); |
| 4036 | if (retval) | 4042 | if (retval) |