4 files changed, 125 insertions, 13 deletions
diff --git a/kernel/groups.c b/kernel/groups.c
index 451698f86cfa..664411f171b5 100644
--- a/kernel/groups.c
+++ b/kernel/groups.c
@@ -6,6 +6,7 @@
 #include <linux/slab.h>
 #include <linux/security.h>
 #include <linux/syscalls.h>
+#include <linux/user_namespace.h>
 #include <asm/uaccess.h>
 /* init to 2 - one for init_task, one to ensure it is never freed */
@@ -213,6 +214,14 @@ out:
        return i;
 }
+bool may_setgroups(void)
+{
+        struct user_namespace *user_ns = current_user_ns();
+        return ns_capable(user_ns, CAP_SETGID) &&
+                userns_may_setgroups(user_ns);
+}
 /*
 *      SMP: Our groups are copy-on-write. We can set them safely
 *      without another task interfering.
@@ -223,7 +232,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
        struct group_info *group_info;
        int retval;
-        if (!ns_capable(current_user_ns(), CAP_SETGID))
+        if (!may_setgroups())
                return -EPERM;
        if ((unsigned)gidsetsize > NGROUPS_MAX)
                return -EINVAL;
diff --git a/kernel/uid16.c b/kernel/uid16.c
index 602e5bbbceff..d58cc4d8f0d1 100644
--- a/kernel/uid16.c
+++ b/kernel/uid16.c
@@ -176,7 +176,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
        struct group_info *group_info;
        int retval;
-        if (!ns_capable(current_user_ns(), CAP_SETGID))
+        if (!may_setgroups())
                return -EPERM;
        if ((unsigned)gidsetsize > NGROUPS_MAX)
                return -EINVAL;
diff --git a/kernel/user.c b/kernel/user.c
index 69b800aebf13..b069ccbfb0b0 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -54,6 +54,7 @@ struct user_namespace init_user_ns = {
 #ifdef CONFIG_USER_NS
        .ns.ops = &userns_operations,
 #endif
+        .flags = USERNS_INIT_FLAGS,
 #ifdef CONFIG_PERSISTENT_KEYRINGS
        .persistent_keyring_register_sem =
        __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 1491ad00388f..4109f8320684 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -24,6 +24,7 @@
 #include <linux/fs_struct.h>
 static struct kmem_cache *user_ns_cachep __read_mostly;
+static DEFINE_MUTEX(userns_state_mutex);
 static bool new_idmap_permitted(const struct file *file,
                                struct user_namespace *ns, int cap_setid,
@@ -100,6 +101,11 @@ int create_user_ns(struct cred *new)
        ns->owner = owner;
        ns->group = group;
+        /* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
+        mutex_lock(&userns_state_mutex);
+        ns->flags = parent_ns->flags;
+        mutex_unlock(&userns_state_mutex);
        set_cred_user_ns(new, ns);
 #ifdef CONFIG_PERSISTENT_KEYRINGS
@@ -584,9 +590,6 @@ static bool mappings_overlap(struct uid_gid_map *new_map,
        return false;
 }
-static DEFINE_MUTEX(id_map_mutex);
 static ssize_t map_write(struct file *file, const char __user *buf,
                         size_t count, loff_t *ppos,
                         int cap_setid,
@@ -603,7 +606,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
        ssize_t ret = -EINVAL;
        /*
-         * The id_map_mutex serializes all writes to any given map.
+         * The userns_state_mutex serializes all writes to any given map.
         *
         * Any map is only ever written once.
         *
@@ -621,7 +624,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
         * order and smp_rmb() is guaranteed that we don't have crazy
         * architectures returning stale data.
         */
-        mutex_lock(&id_map_mutex);
+        mutex_lock(&userns_state_mutex);
        ret = -EPERM;
        /* Only allow one successful write to the map */
@@ -641,7 +644,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
        if (!page)
                goto out;
-        /* Only allow <= page size writes at the beginning of the file */
+        /* Only allow < page size writes at the beginning of the file */
        ret = -EINVAL;
        if ((*ppos != 0) || (count >= PAGE_SIZE))
                goto out;
@@ -751,7 +754,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
        *ppos = count;
        ret = count;
 out:
-        mutex_unlock(&id_map_mutex);
+        mutex_unlock(&userns_state_mutex);
        if (page)
                free_page(page);
        return ret;
@@ -813,16 +816,21 @@ static bool new_idmap_permitted(const struct file *file,
                                struct user_namespace *ns, int cap_setid,
                                struct uid_gid_map *new_map)
 {
-        /* Allow mapping to your own filesystem ids */
+        const struct cred *cred = file->f_cred;
-        if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
+        /* Don't allow mappings that would allow anything that wouldn't
+         * be allowed without the establishment of unprivileged mappings.
+         */
+        if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
+            uid_eq(ns->owner, cred->euid)) {
                u32 id = new_map->extent[0].lower_first;
                if (cap_setid == CAP_SETUID) {
                        kuid_t uid = make_kuid(ns->parent, id);
-                        if (uid_eq(uid, file->f_cred->fsuid))
+                        if (uid_eq(uid, cred->euid))
                                return true;
                } else if (cap_setid == CAP_SETGID) {
                        kgid_t gid = make_kgid(ns->parent, id);
-                        if (gid_eq(gid, file->f_cred->fsgid))
+                        if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
+                            gid_eq(gid, cred->egid))
                                return true;
                }
        }
@@ -842,6 +850,100 @@ static bool new_idmap_permitted(const struct file *file,
        return false;
 }
+int proc_setgroups_show(struct seq_file *seq, void *v)
+{
+        struct user_namespace *ns = seq->private;
+        unsigned long userns_flags = ACCESS_ONCE(ns->flags);
+        seq_printf(seq, "%s\n",
+                   (userns_flags & USERNS_SETGROUPS_ALLOWED) ?
+                   "allow" : "deny");
+        return 0;
+}
+ssize_t proc_setgroups_write(struct file *file, const char __user *buf,
+                             size_t count, loff_t *ppos)
+{
+        struct seq_file *seq = file->private_data;
+        struct user_namespace *ns = seq->private;
+        char kbuf[8], *pos;
+        bool setgroups_allowed;
+        ssize_t ret;
+        /* Only allow a very narrow range of strings to be written */
+        ret = -EINVAL;
+        if ((*ppos != 0) || (count >= sizeof(kbuf)))
+                goto out;
+        /* What was written? */
+        ret = -EFAULT;
+        if (copy_from_user(kbuf, buf, count))
+                goto out;
+        kbuf[count] = '\0';
+        pos = kbuf;
+        /* What is being requested? */
+        ret = -EINVAL;
+        if (strncmp(pos, "allow", 5) == 0) {
+                pos += 5;
+                setgroups_allowed = true;
+        }
+        else if (strncmp(pos, "deny", 4) == 0) {
+                pos += 4;
+                setgroups_allowed = false;
+        }
+        else
+                goto out;
+        /* Verify there is not trailing junk on the line */
+        pos = skip_spaces(pos);
+        if (*pos != '\0')
+                goto out;
+        ret = -EPERM;
+        mutex_lock(&userns_state_mutex);
+        if (setgroups_allowed) {
+                /* Enabling setgroups after setgroups has been disabled
+                 * is not allowed.
+                 */
+                if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
+                        goto out_unlock;
+        } else {
+                /* Permanently disabling setgroups after setgroups has
+                 * been enabled by writing the gid_map is not allowed.
+                 */
+                if (ns->gid_map.nr_extents != 0)
+                        goto out_unlock;
+                ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
+        }
+        mutex_unlock(&userns_state_mutex);
+        /* Report a successful write */
+        *ppos = count;
+        ret = count;
+out:
+        return ret;
+out_unlock:
+        mutex_unlock(&userns_state_mutex);
+        goto out;
+}
+bool userns_may_setgroups(const struct user_namespace *ns)
+{
+        bool allowed;
+        mutex_lock(&userns_state_mutex);
+        /* It is not safe to use setgroups until a gid mapping in
+         * the user namespace has been established.
+         */
+        allowed = ns->gid_map.nr_extents != 0;
+        /* Is setgroups allowed? */
+        allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
+        mutex_unlock(&userns_state_mutex);
+        return allowed;
+}
 static inline struct user_namespace *to_user_ns(struct ns_common *ns)
 {
        return container_of(ns, struct user_namespace, ns);

diff --git a/kernel/groups.c b/kernel/groups.c index 451698f86cfa..664411f171b5 100644 --- a/kernel/groups.c +++ b/kernel/groups.c
@@ -6,6 +6,7 @@
6	#include <linux/slab.h>	6	#include <linux/slab.h>
7	#include <linux/security.h>	7	#include <linux/security.h>
8	#include <linux/syscalls.h>	8	#include <linux/syscalls.h>
		9	#include <linux/user_namespace.h>
9	#include <asm/uaccess.h>	10	#include <asm/uaccess.h>
10		11
11	/* init to 2 - one for init_task, one to ensure it is never freed */	12	/* init to 2 - one for init_task, one to ensure it is never freed */
@@ -213,6 +214,14 @@ out:
213	return i;	214	return i;
214	}	215	}
215		216
		217	bool may_setgroups(void)
		218	{
		219	struct user_namespace *user_ns = current_user_ns();
		220
		221	return ns_capable(user_ns, CAP_SETGID) &&
		222	userns_may_setgroups(user_ns);
		223	}
		224
216	/*	225	/*
217	* SMP: Our groups are copy-on-write. We can set them safely	226	* SMP: Our groups are copy-on-write. We can set them safely
218	* without another task interfering.	227	* without another task interfering.
@@ -223,7 +232,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
223	struct group_info *group_info;	232	struct group_info *group_info;
224	int retval;	233	int retval;
225		234
226	if (!ns_capable(current_user_ns(), CAP_SETGID))	235	if (!may_setgroups())
227	return -EPERM;	236	return -EPERM;
228	if ((unsigned)gidsetsize > NGROUPS_MAX)	237	if ((unsigned)gidsetsize > NGROUPS_MAX)
229	return -EINVAL;	238	return -EINVAL;


diff --git a/kernel/uid16.c b/kernel/uid16.c index 602e5bbbceff..d58cc4d8f0d1 100644 --- a/kernel/uid16.c +++ b/kernel/uid16.c
@@ -176,7 +176,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
176	struct group_info *group_info;	176	struct group_info *group_info;
177	int retval;	177	int retval;
178		178
179	if (!ns_capable(current_user_ns(), CAP_SETGID))	179	if (!may_setgroups())
180	return -EPERM;	180	return -EPERM;
181	if ((unsigned)gidsetsize > NGROUPS_MAX)	181	if ((unsigned)gidsetsize > NGROUPS_MAX)
182	return -EINVAL;	182	return -EINVAL;


diff --git a/kernel/user.c b/kernel/user.c index 69b800aebf13..b069ccbfb0b0 100644 --- a/kernel/user.c +++ b/kernel/user.c
@@ -54,6 +54,7 @@ struct user_namespace init_user_ns = {
54	#ifdef CONFIG_USER_NS	54	#ifdef CONFIG_USER_NS
55	.ns.ops = &userns_operations,	55	.ns.ops = &userns_operations,
56	#endif	56	#endif
		57	.flags = USERNS_INIT_FLAGS,
57	#ifdef CONFIG_PERSISTENT_KEYRINGS	58	#ifdef CONFIG_PERSISTENT_KEYRINGS
58	.persistent_keyring_register_sem =	59	.persistent_keyring_register_sem =
59	__RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),	60	__RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),


diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 1491ad00388f..4109f8320684 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c
@@ -24,6 +24,7 @@
24	#include <linux/fs_struct.h>	24	#include <linux/fs_struct.h>
25		25
26	static struct kmem_cache *user_ns_cachep __read_mostly;	26	static struct kmem_cache *user_ns_cachep __read_mostly;
		27	static DEFINE_MUTEX(userns_state_mutex);
27		28
28	static bool new_idmap_permitted(const struct file *file,	29	static bool new_idmap_permitted(const struct file *file,
29	struct user_namespace *ns, int cap_setid,	30	struct user_namespace *ns, int cap_setid,
@@ -100,6 +101,11 @@ int create_user_ns(struct cred *new)
100	ns->owner = owner;	101	ns->owner = owner;
101	ns->group = group;	102	ns->group = group;
102		103
		104	/* Inherit USERNS_SETGROUPS_ALLOWED from our parent */
		105	mutex_lock(&userns_state_mutex);
		106	ns->flags = parent_ns->flags;
		107	mutex_unlock(&userns_state_mutex);
		108
103	set_cred_user_ns(new, ns);	109	set_cred_user_ns(new, ns);
104		110
105	#ifdef CONFIG_PERSISTENT_KEYRINGS	111	#ifdef CONFIG_PERSISTENT_KEYRINGS
@@ -584,9 +590,6 @@ static bool mappings_overlap(struct uid_gid_map *new_map,
584	return false;	590	return false;
585	}	591	}
586		592
587
588	static DEFINE_MUTEX(id_map_mutex);
589
590	static ssize_t map_write(struct file file, const char __user buf,	593	static ssize_t map_write(struct file file, const char __user buf,
591	size_t count, loff_t *ppos,	594	size_t count, loff_t *ppos,
592	int cap_setid,	595	int cap_setid,
@@ -603,7 +606,7 @@ static ssize_t map_write(struct file file, const char __user buf,
603	ssize_t ret = -EINVAL;	606	ssize_t ret = -EINVAL;
604		607
605	/*	608	/*
606	* The id_map_mutex serializes all writes to any given map.	609	* The userns_state_mutex serializes all writes to any given map.
607	*	610	*
608	* Any map is only ever written once.	611	* Any map is only ever written once.
609	*	612	*
@@ -621,7 +624,7 @@ static ssize_t map_write(struct file file, const char __user buf,
621	* order and smp_rmb() is guaranteed that we don't have crazy	624	* order and smp_rmb() is guaranteed that we don't have crazy
622	* architectures returning stale data.	625	* architectures returning stale data.
623	*/	626	*/
624	mutex_lock(&id_map_mutex);	627	mutex_lock(&userns_state_mutex);
625		628
626	ret = -EPERM;	629	ret = -EPERM;
627	/* Only allow one successful write to the map */	630	/* Only allow one successful write to the map */
@@ -641,7 +644,7 @@ static ssize_t map_write(struct file file, const char __user buf,
641	if (!page)	644	if (!page)
642	goto out;	645	goto out;
643		646
644	/* Only allow <= page size writes at the beginning of the file */	647	/* Only allow < page size writes at the beginning of the file */
645	ret = -EINVAL;	648	ret = -EINVAL;
646	if ((*ppos != 0) \|\| (count >= PAGE_SIZE))	649	if ((*ppos != 0) \|\| (count >= PAGE_SIZE))
647	goto out;	650	goto out;
@@ -751,7 +754,7 @@ static ssize_t map_write(struct file file, const char __user buf,
751	*ppos = count;	754	*ppos = count;
752	ret = count;	755	ret = count;
753	out:	756	out:
754	mutex_unlock(&id_map_mutex);	757	mutex_unlock(&userns_state_mutex);
755	if (page)	758	if (page)
756	free_page(page);	759	free_page(page);
757	return ret;	760	return ret;
@@ -813,16 +816,21 @@ static bool new_idmap_permitted(const struct file *file,
813	struct user_namespace *ns, int cap_setid,	816	struct user_namespace *ns, int cap_setid,
814	struct uid_gid_map *new_map)	817	struct uid_gid_map *new_map)
815	{	818	{
816	/* Allow mapping to your own filesystem ids */	819	const struct cred *cred = file->f_cred;
817	if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {	820	/* Don't allow mappings that would allow anything that wouldn't
		821	* be allowed without the establishment of unprivileged mappings.
		822	*/
		823	if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
		824	uid_eq(ns->owner, cred->euid)) {
818	u32 id = new_map->extent[0].lower_first;	825	u32 id = new_map->extent[0].lower_first;
819	if (cap_setid == CAP_SETUID) {	826	if (cap_setid == CAP_SETUID) {
820	kuid_t uid = make_kuid(ns->parent, id);	827	kuid_t uid = make_kuid(ns->parent, id);
821	if (uid_eq(uid, file->f_cred->fsuid))	828	if (uid_eq(uid, cred->euid))
822	return true;	829	return true;
823	} else if (cap_setid == CAP_SETGID) {	830	} else if (cap_setid == CAP_SETGID) {
824	kgid_t gid = make_kgid(ns->parent, id);	831	kgid_t gid = make_kgid(ns->parent, id);
825	if (gid_eq(gid, file->f_cred->fsgid))	832	if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
		833	gid_eq(gid, cred->egid))
826	return true;	834	return true;
827	}	835	}
828	}	836	}
@@ -842,6 +850,100 @@ static bool new_idmap_permitted(const struct file *file,
842	return false;	850	return false;
843	}	851	}
844		852
		853	int proc_setgroups_show(struct seq_file seq, void v)
		854	{
		855	struct user_namespace *ns = seq->private;
		856	unsigned long userns_flags = ACCESS_ONCE(ns->flags);
		857
		858	seq_printf(seq, "%s\n",
		859	(userns_flags & USERNS_SETGROUPS_ALLOWED) ?
		860	"allow" : "deny");
		861	return 0;
		862	}
		863
		864	ssize_t proc_setgroups_write(struct file file, const char __user buf,
		865	size_t count, loff_t *ppos)
		866	{
		867	struct seq_file *seq = file->private_data;
		868	struct user_namespace *ns = seq->private;
		869	char kbuf[8], *pos;
		870	bool setgroups_allowed;
		871	ssize_t ret;
		872
		873	/* Only allow a very narrow range of strings to be written */
		874	ret = -EINVAL;
		875	if ((*ppos != 0) \|\| (count >= sizeof(kbuf)))
		876	goto out;
		877
		878	/* What was written? */
		879	ret = -EFAULT;
		880	if (copy_from_user(kbuf, buf, count))
		881	goto out;
		882	kbuf[count] = '\0';
		883	pos = kbuf;
		884
		885	/* What is being requested? */
		886	ret = -EINVAL;
		887	if (strncmp(pos, "allow", 5) == 0) {
		888	pos += 5;
		889	setgroups_allowed = true;
		890	}
		891	else if (strncmp(pos, "deny", 4) == 0) {
		892	pos += 4;
		893	setgroups_allowed = false;
		894	}
		895	else
		896	goto out;
		897
		898	/* Verify there is not trailing junk on the line */
		899	pos = skip_spaces(pos);
		900	if (*pos != '\0')
		901	goto out;
		902
		903	ret = -EPERM;
		904	mutex_lock(&userns_state_mutex);
		905	if (setgroups_allowed) {
		906	/* Enabling setgroups after setgroups has been disabled
		907	* is not allowed.
		908	*/
		909	if (!(ns->flags & USERNS_SETGROUPS_ALLOWED))
		910	goto out_unlock;
		911	} else {
		912	/* Permanently disabling setgroups after setgroups has
		913	* been enabled by writing the gid_map is not allowed.
		914	*/
		915	if (ns->gid_map.nr_extents != 0)
		916	goto out_unlock;
		917	ns->flags &= ~USERNS_SETGROUPS_ALLOWED;
		918	}
		919	mutex_unlock(&userns_state_mutex);
		920
		921	/* Report a successful write */
		922	*ppos = count;
		923	ret = count;
		924	out:
		925	return ret;
		926	out_unlock:
		927	mutex_unlock(&userns_state_mutex);
		928	goto out;
		929	}
		930
		931	bool userns_may_setgroups(const struct user_namespace *ns)
		932	{
		933	bool allowed;
		934
		935	mutex_lock(&userns_state_mutex);
		936	/* It is not safe to use setgroups until a gid mapping in
		937	* the user namespace has been established.
		938	*/
		939	allowed = ns->gid_map.nr_extents != 0;
		940	/* Is setgroups allowed? */
		941	allowed = allowed && (ns->flags & USERNS_SETGROUPS_ALLOWED);
		942	mutex_unlock(&userns_state_mutex);
		943
		944	return allowed;
		945	}
		946
845	static inline struct user_namespace to_user_ns(struct ns_common ns)	947	static inline struct user_namespace to_user_ns(struct ns_common ns)
846	{	948	{
847	return container_of(ns, struct user_namespace, ns);	949	return container_of(ns, struct user_namespace, ns);