lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120418184943.GD4984@mail.hallyn.com>
Date:	Wed, 18 Apr 2012 18:49:43 +0000
From:	"Serge E. Hallyn" <serge@...lyn.com>
To:	"Eric W. Beiderman" <ebiederm@...ssion.com>
Cc:	linux-kernel@...r.kernel.org,
	Linux Containers <containers@...ts.linux-foundation.org>,
	Cyrill Gorcunov <gorcunov@...nvz.org>,
	linux-security-module@...r.kernel.org,
	Al Viro <viro@...IV.linux.org.uk>,
	linux-fsdevel@...r.kernel.org,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH 19/43] userns: Store uid and gid values in struct cred
 with kuid_t and kgid_t types

Quoting Eric W. Beiderman (ebiederm@...ssion.com):
> From: Eric W. Biederman <ebiederm@...ssion.com>
> 
> cred.h and a few trivial users of struct cred are changed.  The rest of the users
> of struct cred are left for other patches as there are too many changes to make
> in one go and leave the change reviewable.  If the user namespace is disabled and
> CONFIG_UIDGID_STRICT_TYPE_CHECKS are disabled the code will contiue to compile
> and behave correctly.
> 
> Signed-off-by: Eric W. Biederman <ebiederm@...ssion.com>

Acked-by: Serge Hallyn <serge.hallyn@...onical.com>

> ---
>  arch/x86/mm/fault.c            |    2 +-
>  fs/ioprio.c                    |    8 ++------
>  include/linux/cred.h           |   16 ++++++++--------
>  include/linux/user_namespace.h |    8 ++++----
>  kernel/cred.c                  |   36 ++++++++++++++++++++++--------------
>  kernel/signal.c                |   14 ++++++++------
>  kernel/sys.c                   |   26 +++++++++-----------------
>  kernel/user_namespace.c        |    4 ++--
>  mm/oom_kill.c                  |    4 ++--
>  security/commoncap.c           |    3 +--
>  10 files changed, 59 insertions(+), 62 deletions(-)
> 
> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> index 3ecfd1a..76dcd9d 100644
> --- a/arch/x86/mm/fault.c
> +++ b/arch/x86/mm/fault.c
> @@ -582,7 +582,7 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
>  		pte_t *pte = lookup_address(address, &level);
>  
>  		if (pte && pte_present(*pte) && !pte_exec(*pte))
> -			printk(nx_warning, current_uid());
> +			printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
>  	}
>  
>  	printk(KERN_ALERT "BUG: unable to handle kernel ");
> diff --git a/fs/ioprio.c b/fs/ioprio.c
> index 8e35e96..2072e41 100644
> --- a/fs/ioprio.c
> +++ b/fs/ioprio.c
> @@ -123,9 +123,7 @@ SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio)
>  				break;
>  
>  			do_each_thread(g, p) {
> -				const struct cred *tcred = __task_cred(p);
> -				kuid_t tcred_uid = make_kuid(tcred->user_ns, tcred->uid);
> -				if (!uid_eq(tcred_uid, uid))
> +				if (!uid_eq(task_uid(p), uid))
>  					continue;
>  				ret = set_task_ioprio(p, ioprio);
>  				if (ret)
> @@ -220,9 +218,7 @@ SYSCALL_DEFINE2(ioprio_get, int, which, int, who)
>  				break;
>  
>  			do_each_thread(g, p) {
> -				const struct cred *tcred = __task_cred(p);
> -				kuid_t tcred_uid = make_kuid(tcred->user_ns, tcred->uid);
> -				if (!uid_eq(tcred_uid, user->uid))
> +				if (!uid_eq(task_uid(p), user->uid))
>  					continue;
>  				tmpio = get_task_ioprio(p);
>  				if (tmpio < 0)
> diff --git a/include/linux/cred.h b/include/linux/cred.h
> index 0ab3cda..fac0579 100644
> --- a/include/linux/cred.h
> +++ b/include/linux/cred.h
> @@ -123,14 +123,14 @@ struct cred {
>  #define CRED_MAGIC	0x43736564
>  #define CRED_MAGIC_DEAD	0x44656144
>  #endif
> -	uid_t		uid;		/* real UID of the task */
> -	gid_t		gid;		/* real GID of the task */
> -	uid_t		suid;		/* saved UID of the task */
> -	gid_t		sgid;		/* saved GID of the task */
> -	uid_t		euid;		/* effective UID of the task */
> -	gid_t		egid;		/* effective GID of the task */
> -	uid_t		fsuid;		/* UID for VFS ops */
> -	gid_t		fsgid;		/* GID for VFS ops */
> +	kuid_t		uid;		/* real UID of the task */
> +	kgid_t		gid;		/* real GID of the task */
> +	kuid_t		suid;		/* saved UID of the task */
> +	kgid_t		sgid;		/* saved GID of the task */
> +	kuid_t		euid;		/* effective UID of the task */
> +	kgid_t		egid;		/* effective GID of the task */
> +	kuid_t		fsuid;		/* UID for VFS ops */
> +	kgid_t		fsgid;		/* GID for VFS ops */
>  	unsigned	securebits;	/* SUID-less security management */
>  	kernel_cap_t	cap_inheritable; /* caps our children can inherit */
>  	kernel_cap_t	cap_permitted;	/* caps we're permitted */
> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> index 4c9846d..a2c6145 100644
> --- a/include/linux/user_namespace.h
> +++ b/include/linux/user_namespace.h
> @@ -70,15 +70,15 @@ static inline void put_user_ns(struct user_namespace *ns)
>  #endif
>  
>  static inline uid_t user_ns_map_uid(struct user_namespace *to,
> -	const struct cred *cred, uid_t uid)
> +	const struct cred *cred, kuid_t uid)
>  {
> -	return from_kuid_munged(to, make_kuid(cred->user_ns, uid));
> +	return from_kuid_munged(to, uid);
>  }
>  
>  static inline gid_t user_ns_map_gid(struct user_namespace *to,
> -	const struct cred *cred, gid_t gid)
> +	const struct cred *cred, kgid_t gid)
>  {
> -	return from_kgid_munged(to, make_kgid(cred->user_ns, gid));
> +	return from_kgid_munged(to, gid);
>  }
>  
>  #endif /* _LINUX_USER_H */
> diff --git a/kernel/cred.c b/kernel/cred.c
> index 7a0d806..eddc5e2 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -49,6 +49,14 @@ struct cred init_cred = {
>  	.subscribers		= ATOMIC_INIT(2),
>  	.magic			= CRED_MAGIC,
>  #endif
> +	.uid			= GLOBAL_ROOT_UID,
> +	.gid			= GLOBAL_ROOT_GID,
> +	.suid			= GLOBAL_ROOT_UID,
> +	.sgid			= GLOBAL_ROOT_GID,
> +	.euid			= GLOBAL_ROOT_UID,
> +	.egid			= GLOBAL_ROOT_GID,
> +	.fsuid			= GLOBAL_ROOT_UID,
> +	.fsgid			= GLOBAL_ROOT_GID,
>  	.securebits		= SECUREBITS_DEFAULT,
>  	.cap_inheritable	= CAP_EMPTY_SET,
>  	.cap_permitted		= CAP_FULL_SET,
> @@ -488,10 +496,10 @@ int commit_creds(struct cred *new)
>  	get_cred(new); /* we will require a ref for the subj creds too */
>  
>  	/* dumpability changes */
> -	if (old->euid != new->euid ||
> -	    old->egid != new->egid ||
> -	    old->fsuid != new->fsuid ||
> -	    old->fsgid != new->fsgid ||
> +	if (!uid_eq(old->euid, new->euid) ||
> +	    !gid_eq(old->egid, new->egid) ||
> +	    !uid_eq(old->fsuid, new->fsuid) ||
> +	    !gid_eq(old->fsgid, new->fsgid) ||
>  	    !cap_issubset(new->cap_permitted, old->cap_permitted)) {
>  		if (task->mm)
>  			set_dumpable(task->mm, suid_dumpable);
> @@ -500,9 +508,9 @@ int commit_creds(struct cred *new)
>  	}
>  
>  	/* alter the thread keyring */
> -	if (new->fsuid != old->fsuid)
> +	if (!uid_eq(new->fsuid, old->fsuid))
>  		key_fsuid_changed(task);
> -	if (new->fsgid != old->fsgid)
> +	if (!gid_eq(new->fsgid, old->fsgid))
>  		key_fsgid_changed(task);
>  
>  	/* do it
> @@ -519,16 +527,16 @@ int commit_creds(struct cred *new)
>  	alter_cred_subscribers(old, -2);
>  
>  	/* send notifications */
> -	if (new->uid   != old->uid  ||
> -	    new->euid  != old->euid ||
> -	    new->suid  != old->suid ||
> -	    new->fsuid != old->fsuid)
> +	if (!uid_eq(new->uid,   old->uid)  ||
> +	    !uid_eq(new->euid,  old->euid) ||
> +	    !uid_eq(new->suid,  old->suid) ||
> +	    !uid_eq(new->fsuid, old->fsuid))
>  		proc_id_connector(task, PROC_EVENT_UID);
>  
> -	if (new->gid   != old->gid  ||
> -	    new->egid  != old->egid ||
> -	    new->sgid  != old->sgid ||
> -	    new->fsgid != old->fsgid)
> +	if (!gid_eq(new->gid,   old->gid)  ||
> +	    !gid_eq(new->egid,  old->egid) ||
> +	    !gid_eq(new->sgid,  old->sgid) ||
> +	    !gid_eq(new->fsgid, old->fsgid))
>  		proc_id_connector(task, PROC_EVENT_GID);
>  
>  	/* release the old obj and subj refs both */
> diff --git a/kernel/signal.c b/kernel/signal.c
> index e2c5d84..2734dc9 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -1038,8 +1038,10 @@ static inline void userns_fixup_signal_uid(struct siginfo *info, struct task_str
>  	if (SI_FROMKERNEL(info))
>  		return;
>  
> -	info->si_uid = user_ns_map_uid(task_cred_xxx(t, user_ns),
> -					current_cred(), info->si_uid);
> +	rcu_read_lock();
> +	info->si_uid = from_kuid_munged(task_cred_xxx(t, user_ns),
> +					make_kuid(current_user_ns(), info->si_uid));
> +	rcu_read_unlock();
>  }
>  #else
>  static inline void userns_fixup_signal_uid(struct siginfo *info, struct task_struct *t)
> @@ -1106,7 +1108,7 @@ static int __send_signal(int sig, struct siginfo *info, struct task_struct *t,
>  			q->info.si_code = SI_USER;
>  			q->info.si_pid = task_tgid_nr_ns(current,
>  							task_active_pid_ns(t));
> -			q->info.si_uid = current_uid();
> +			q->info.si_uid = from_kuid_munged(current_user_ns(), current_uid());
>  			break;
>  		case (unsigned long) SEND_SIG_PRIV:
>  			q->info.si_signo = sig;
> @@ -1973,7 +1975,7 @@ static void ptrace_do_notify(int signr, int exit_code, int why)
>  	info.si_signo = signr;
>  	info.si_code = exit_code;
>  	info.si_pid = task_pid_vnr(current);
> -	info.si_uid = current_uid();
> +	info.si_uid = from_kuid_munged(current_user_ns(), current_uid());
>  
>  	/* Let the debugger run.  */
>  	ptrace_stop(exit_code, why, 1, &info);
> @@ -2828,7 +2830,7 @@ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
>  	info.si_errno = 0;
>  	info.si_code = SI_USER;
>  	info.si_pid = task_tgid_vnr(current);
> -	info.si_uid = current_uid();
> +	info.si_uid = from_kuid_munged(current_user_ns(), current_uid());
>  
>  	return kill_something_info(sig, &info, pid);
>  }
> @@ -2871,7 +2873,7 @@ static int do_tkill(pid_t tgid, pid_t pid, int sig)
>  	info.si_errno = 0;
>  	info.si_code = SI_TKILL;
>  	info.si_pid = task_tgid_vnr(current);
> -	info.si_uid = current_uid();
> +	info.si_uid = from_kuid_munged(current_user_ns(), current_uid());
>  
>  	return do_send_specific(tgid, pid, sig, &info);
>  }
> diff --git a/kernel/sys.c b/kernel/sys.c
> index f0c43b4..3996281 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -175,7 +175,6 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval)
>  	const struct cred *cred = current_cred();
>  	int error = -EINVAL;
>  	struct pid *pgrp;
> -	kuid_t cred_uid;
>  	kuid_t uid;
>  
>  	if (which > PRIO_USER || which < PRIO_PROCESS)
> @@ -209,22 +208,19 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval)
>  			} while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
>  			break;
>  		case PRIO_USER:
> -			cred_uid = make_kuid(cred->user_ns, cred->uid);
>  			uid = make_kuid(cred->user_ns, who);
>  			user = cred->user;
>  			if (!who)
> -				uid = cred_uid;
> -			else if (!uid_eq(uid, cred_uid) &&
> +				uid = cred->uid;
> +			else if (!uid_eq(uid, cred->uid) &&
>  				 !(user = find_user(uid)))
>  				goto out_unlock;	/* No processes for this user */
>  
>  			do_each_thread(g, p) {
> -				const struct cred *tcred = __task_cred(p);
> -				kuid_t tcred_uid = make_kuid(tcred->user_ns, tcred->uid);
> -				if (uid_eq(tcred_uid, uid))
> +				if (uid_eq(task_uid(p), uid))
>  					error = set_one_prio(p, niceval, error);
>  			} while_each_thread(g, p);
> -			if (!uid_eq(uid, cred_uid))
> +			if (!uid_eq(uid, cred->uid))
>  				free_uid(user);		/* For find_user() */
>  			break;
>  	}
> @@ -248,7 +244,6 @@ SYSCALL_DEFINE2(getpriority, int, which, int, who)
>  	const struct cred *cred = current_cred();
>  	long niceval, retval = -ESRCH;
>  	struct pid *pgrp;
> -	kuid_t cred_uid;
>  	kuid_t uid;
>  
>  	if (which > PRIO_USER || which < PRIO_PROCESS)
> @@ -280,25 +275,22 @@ SYSCALL_DEFINE2(getpriority, int, which, int, who)
>  			} while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
>  			break;
>  		case PRIO_USER:
> -			cred_uid = make_kuid(cred->user_ns, cred->uid);
>  			uid = make_kuid(cred->user_ns, who);
>  			user = cred->user;
>  			if (!who)
> -				uid = cred_uid;
> -			else if (!uid_eq(uid, cred_uid) &&
> +				uid = cred->uid;
> +			else if (!uid_eq(uid, cred->uid) &&
>  				 !(user = find_user(uid)))
>  				goto out_unlock;	/* No processes for this user */
>  
>  			do_each_thread(g, p) {
> -				const struct cred *tcred = __task_cred(p);
> -				kuid_t tcred_uid = make_kuid(tcred->user_ns, tcred->uid);
> -				if (uid_eq(tcred_uid, uid)) {
> +				if (uid_eq(task_uid(p), uid)) {
>  					niceval = 20 - task_nice(p);
>  					if (niceval > retval)
>  						retval = niceval;
>  				}
>  			} while_each_thread(g, p);
> -			if (!uid_eq(uid, cred_uid))
> +			if (!uid_eq(uid, cred->uid))
>  				free_uid(user);		/* for find_user() */
>  			break;
>  	}
> @@ -641,7 +633,7 @@ static int set_user(struct cred *new)
>  {
>  	struct user_struct *new_user;
>  
> -	new_user = alloc_uid(make_kuid(new->user_ns, new->uid));
> +	new_user = alloc_uid(new->uid);
>  	if (!new_user)
>  		return -EAGAIN;
>  
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 9991bac..0683dbf 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -36,8 +36,8 @@ static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
>  int create_user_ns(struct cred *new)
>  {
>  	struct user_namespace *ns, *parent_ns = new->user_ns;
> -	kuid_t owner = make_kuid(new->user_ns, new->euid);
> -	kgid_t group = make_kgid(new->user_ns, new->egid);
> +	kuid_t owner = new->euid;
> +	kgid_t group = new->egid;
>  
>  	/* The creator needs a mapping in the parent user namespace
>  	 * or else we won't be able to reasonably tell userspace who
> diff --git a/mm/oom_kill.c b/mm/oom_kill.c
> index 46bf2ed5..9f09a1f 100644
> --- a/mm/oom_kill.c
> +++ b/mm/oom_kill.c
> @@ -410,8 +410,8 @@ static void dump_tasks(const struct mem_cgroup *memcg, const nodemask_t *nodemas
>  		}
>  
>  		pr_info("[%5d] %5d %5d %8lu %8lu %3u     %3d         %5d %s\n",
> -			task->pid, task_uid(task), task->tgid,
> -			task->mm->total_vm, get_mm_rss(task->mm),
> +			task->pid, from_kuid(&init_user_ns, task_uid(task)),
> +			task->tgid, task->mm->total_vm, get_mm_rss(task->mm),
>  			task_cpu(task), task->signal->oom_adj,
>  			task->signal->oom_score_adj, task->comm);
>  		task_unlock(task);
> diff --git a/security/commoncap.c b/security/commoncap.c
> index f2399d8..dbd465a 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -77,8 +77,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
>  {
>  	for (;;) {
>  		/* The owner of the user namespace has all caps. */
> -		if (targ_ns != &init_user_ns && uid_eq(targ_ns->owner,
> -						       make_kuid(cred->user_ns, cred->euid)))
> +		if (targ_ns != &init_user_ns && uid_eq(targ_ns->owner, cred->euid))
>  			return 0;
>  
>  		/* Do we have the necessary capabilities? */
> -- 
> 1.7.2.5
> 
> _______________________________________________
> Containers mailing list
> Containers@...ts.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ