lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Jan 2021 17:44:04 +0100 From: Christian Brauner <christian.brauner@...ntu.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Alexander Viro <viro@...iv.linux.org.uk>, Christoph Hellwig <hch@....de>, linux-fsdevel@...r.kernel.org, John Johansen <john.johansen@...onical.com>, James Morris <jmorris@...ei.org>, Mimi Zohar <zohar@...ux.ibm.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Stephen Smalley <stephen.smalley.work@...il.com>, Casey Schaufler <casey@...aufler-ca.com>, Arnd Bergmann <arnd@...db.de>, Andreas Dilger <adilger.kernel@...ger.ca>, OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>, Geoffrey Thomas <geofft@...reload.com>, Mrunal Patel <mpatel@...hat.com>, Josh Triplett <josh@...htriplett.org>, Andy Lutomirski <luto@...nel.org>, Theodore Tso <tytso@....edu>, Alban Crequy <alban@...volk.io>, Tycho Andersen <tycho@...ho.ws>, David Howells <dhowells@...hat.com>, James Bottomley <James.Bottomley@...senpartnership.com>, Seth Forshee <seth.forshee@...onical.com>, Stéphane Graber <stgraber@...ntu.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Aleksa Sarai <cyphar@...har.com>, Lennart Poettering <lennart@...ttering.net>, smbarber@...omium.org, Phil Estes <estesp@...il.com>, Serge Hallyn <serge@...lyn.com>, Kees Cook <keescook@...omium.org>, Todd Kjos <tkjos@...gle.com>, Paul Moore <paul@...l-moore.com>, Jonathan Corbet <corbet@....net>, containers@...ts.linux-foundation.org, linux-security-module@...r.kernel.org, linux-api@...r.kernel.org, linux-ext4@...r.kernel.org, linux-xfs@...r.kernel.org, linux-integrity@...r.kernel.org, selinux@...r.kernel.org Subject: Re: [PATCH v6 23/40] exec: handle idmapped mounts On Mon, Jan 25, 2021 at 10:39:01AM -0600, Eric W. Biederman wrote: > Christian Brauner <christian.brauner@...ntu.com> writes: > > > When executing a setuid binary the kernel will verify in bprm_fill_uid() > > that the inode has a mapping in the caller's user namespace before > > setting the callers uid and gid. Let bprm_fill_uid() handle idmapped > > mounts. If the inode is accessed through an idmapped mount it is mapped > > according to the mount's user namespace. Afterwards the checks are > > identical to non-idmapped mounts. If the initial user namespace is > > passed nothing changes so non-idmapped mounts will see identical > > behavior as before. > > This does not handle the v3 capabilites xattr with embeds a uid. > So at least at that level you are missing some critical conversions. Thanks for looking. Vfs v3 caps are handled earlier in the series. I'm not sure what you're referring to here. There are tests in xfstests that verify vfs3 capability behavior. Christian
Powered by blists - more mailing lists