diff options
| author | Serge E. Hallyn <serge@hallyn.com> | 2011-03-23 19:43:24 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-23 22:47:08 -0400 |
| commit | b0e77598f87107001a00b8a4ece9c95e4254ccc4 (patch) | |
| tree | 2738276570e4faa7c92a64521c192f04dca93801 /kernel | |
| parent | b515498f5bb5f38fc0e390b4ff7d00b6077de127 (diff) | |
userns: user namespaces: convert several capable() calls
CAP_IPC_OWNER and CAP_IPC_LOCK can be checked against current_user_ns(),
because the resource comes from current's own ipc namespace.
setuid/setgid are to uids in own namespace, so again checks can be against
current_user_ns().
Changelog:
Jan 11: Use task_ns_capable() in place of sched_capable().
Jan 11: Use nsown_capable() as suggested by Bastian Blank.
Jan 11: Clarify (hopefully) some logic in futex and sched.c
Feb 15: use ns_capable for ipc, not nsown_capable
Feb 23: let copy_ipcs handle setting ipc_ns->user_ns
Feb 23: pass ns down rather than taking it from current
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: David Howells <dhowells@redhat.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/futex.c | 11 | ||||
| -rw-r--r-- | kernel/futex_compat.c | 11 | ||||
| -rw-r--r-- | kernel/groups.c | 2 | ||||
| -rw-r--r-- | kernel/nsproxy.c | 7 | ||||
| -rw-r--r-- | kernel/sched.c | 9 | ||||
| -rw-r--r-- | kernel/uid16.c | 2 |
6 files changed, 29 insertions, 13 deletions
diff --git a/kernel/futex.c b/kernel/futex.c index bda415715382..6570c459f31c 100644 --- a/kernel/futex.c +++ b/kernel/futex.c | |||
| @@ -2418,10 +2418,19 @@ SYSCALL_DEFINE3(get_robust_list, int, pid, | |||
| 2418 | goto err_unlock; | 2418 | goto err_unlock; |
| 2419 | ret = -EPERM; | 2419 | ret = -EPERM; |
| 2420 | pcred = __task_cred(p); | 2420 | pcred = __task_cred(p); |
| 2421 | /* If victim is in different user_ns, then uids are not | ||
| 2422 | comparable, so we must have CAP_SYS_PTRACE */ | ||
| 2423 | if (cred->user->user_ns != pcred->user->user_ns) { | ||
| 2424 | if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE)) | ||
| 2425 | goto err_unlock; | ||
| 2426 | goto ok; | ||
| 2427 | } | ||
| 2428 | /* If victim is in same user_ns, then uids are comparable */ | ||
| 2421 | if (cred->euid != pcred->euid && | 2429 | if (cred->euid != pcred->euid && |
| 2422 | cred->euid != pcred->uid && | 2430 | cred->euid != pcred->uid && |
| 2423 | !capable(CAP_SYS_PTRACE)) | 2431 | !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE)) |
| 2424 | goto err_unlock; | 2432 | goto err_unlock; |
| 2433 | ok: | ||
| 2425 | head = p->robust_list; | 2434 | head = p->robust_list; |
| 2426 | rcu_read_unlock(); | 2435 | rcu_read_unlock(); |
| 2427 | } | 2436 | } |
diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c index a7934ac75e5b..5f9e689dc8f0 100644 --- a/kernel/futex_compat.c +++ b/kernel/futex_compat.c | |||
| @@ -153,10 +153,19 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr, | |||
| 153 | goto err_unlock; | 153 | goto err_unlock; |
| 154 | ret = -EPERM; | 154 | ret = -EPERM; |
| 155 | pcred = __task_cred(p); | 155 | pcred = __task_cred(p); |
| 156 | /* If victim is in different user_ns, then uids are not | ||
| 157 | comparable, so we must have CAP_SYS_PTRACE */ | ||
| 158 | if (cred->user->user_ns != pcred->user->user_ns) { | ||
| 159 | if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE)) | ||
| 160 | goto err_unlock; | ||
| 161 | goto ok; | ||
| 162 | } | ||
| 163 | /* If victim is in same user_ns, then uids are comparable */ | ||
| 156 | if (cred->euid != pcred->euid && | 164 | if (cred->euid != pcred->euid && |
| 157 | cred->euid != pcred->uid && | 165 | cred->euid != pcred->uid && |
| 158 | !capable(CAP_SYS_PTRACE)) | 166 | !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE)) |
| 159 | goto err_unlock; | 167 | goto err_unlock; |
| 168 | ok: | ||
| 160 | head = p->compat_robust_list; | 169 | head = p->compat_robust_list; |
| 161 | rcu_read_unlock(); | 170 | rcu_read_unlock(); |
| 162 | } | 171 | } |
diff --git a/kernel/groups.c b/kernel/groups.c index 253dc0f35cf4..1cc476d52dd3 100644 --- a/kernel/groups.c +++ b/kernel/groups.c | |||
| @@ -233,7 +233,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist) | |||
| 233 | struct group_info *group_info; | 233 | struct group_info *group_info; |
| 234 | int retval; | 234 | int retval; |
| 235 | 235 | ||
| 236 | if (!capable(CAP_SETGID)) | 236 | if (!nsown_capable(CAP_SETGID)) |
| 237 | return -EPERM; | 237 | return -EPERM; |
| 238 | if ((unsigned)gidsetsize > NGROUPS_MAX) | 238 | if ((unsigned)gidsetsize > NGROUPS_MAX) |
| 239 | return -EINVAL; | 239 | return -EINVAL; |
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index ac8a56e90bf8..a05d191ffdd9 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c | |||
| @@ -75,16 +75,11 @@ static struct nsproxy *create_new_namespaces(unsigned long flags, | |||
| 75 | goto out_uts; | 75 | goto out_uts; |
| 76 | } | 76 | } |
| 77 | 77 | ||
| 78 | new_nsp->ipc_ns = copy_ipcs(flags, tsk->nsproxy->ipc_ns); | 78 | new_nsp->ipc_ns = copy_ipcs(flags, tsk); |
| 79 | if (IS_ERR(new_nsp->ipc_ns)) { | 79 | if (IS_ERR(new_nsp->ipc_ns)) { |
| 80 | err = PTR_ERR(new_nsp->ipc_ns); | 80 | err = PTR_ERR(new_nsp->ipc_ns); |
| 81 | goto out_ipc; | 81 | goto out_ipc; |
| 82 | } | 82 | } |
| 83 | if (new_nsp->ipc_ns != tsk->nsproxy->ipc_ns) { | ||
| 84 | put_user_ns(new_nsp->ipc_ns->user_ns); | ||
| 85 | new_nsp->ipc_ns->user_ns = task_cred_xxx(tsk, user)->user_ns; | ||
| 86 | get_user_ns(new_nsp->ipc_ns->user_ns); | ||
| 87 | } | ||
| 88 | 83 | ||
| 89 | new_nsp->pid_ns = copy_pid_ns(flags, task_active_pid_ns(tsk)); | 84 | new_nsp->pid_ns = copy_pid_ns(flags, task_active_pid_ns(tsk)); |
| 90 | if (IS_ERR(new_nsp->pid_ns)) { | 85 | if (IS_ERR(new_nsp->pid_ns)) { |
diff --git a/kernel/sched.c b/kernel/sched.c index a172494a9a63..480adeb63f8f 100644 --- a/kernel/sched.c +++ b/kernel/sched.c | |||
| @@ -4892,8 +4892,11 @@ static bool check_same_owner(struct task_struct *p) | |||
| 4892 | 4892 | ||
| 4893 | rcu_read_lock(); | 4893 | rcu_read_lock(); |
| 4894 | pcred = __task_cred(p); | 4894 | pcred = __task_cred(p); |
| 4895 | match = (cred->euid == pcred->euid || | 4895 | if (cred->user->user_ns == pcred->user->user_ns) |
| 4896 | cred->euid == pcred->uid); | 4896 | match = (cred->euid == pcred->euid || |
| 4897 | cred->euid == pcred->uid); | ||
| 4898 | else | ||
| 4899 | match = false; | ||
| 4897 | rcu_read_unlock(); | 4900 | rcu_read_unlock(); |
| 4898 | return match; | 4901 | return match; |
| 4899 | } | 4902 | } |
| @@ -5221,7 +5224,7 @@ long sched_setaffinity(pid_t pid, const struct cpumask *in_mask) | |||
| 5221 | goto out_free_cpus_allowed; | 5224 | goto out_free_cpus_allowed; |
| 5222 | } | 5225 | } |
| 5223 | retval = -EPERM; | 5226 | retval = -EPERM; |
| 5224 | if (!check_same_owner(p) && !capable(CAP_SYS_NICE)) | 5227 | if (!check_same_owner(p) && !task_ns_capable(p, CAP_SYS_NICE)) |
| 5225 | goto out_unlock; | 5228 | goto out_unlock; |
| 5226 | 5229 | ||
| 5227 | retval = security_task_setscheduler(p); | 5230 | retval = security_task_setscheduler(p); |
diff --git a/kernel/uid16.c b/kernel/uid16.c index 419209893d87..51c6e89e8619 100644 --- a/kernel/uid16.c +++ b/kernel/uid16.c | |||
| @@ -189,7 +189,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist) | |||
| 189 | struct group_info *group_info; | 189 | struct group_info *group_info; |
| 190 | int retval; | 190 | int retval; |
| 191 | 191 | ||
| 192 | if (!capable(CAP_SETGID)) | 192 | if (!nsown_capable(CAP_SETGID)) |
| 193 | return -EPERM; | 193 | return -EPERM; |
| 194 | if ((unsigned)gidsetsize > NGROUPS_MAX) | 194 | if ((unsigned)gidsetsize > NGROUPS_MAX) |
| 195 | return -EINVAL; | 195 | return -EINVAL; |