| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 08 Dec 2014 16:44:24 -0600 From: ebiederm@...ssion.com (Eric W. Biederman) To: Andy Lutomirski <luto@...capital.net> Cc: Linux Containers <containers@...ts.linux-foundation.org>, Josh Triplett <josh@...htriplett.org>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Michael Kerrisk-manpages <mtk.manpages@...il.com>, Linux API <linux-api@...r.kernel.org>, linux-man <linux-man@...r.kernel.org>, "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>, LSM <linux-security-module@...r.kernel.org>, Casey Schaufler <casey@...aufler-ca.com>, "Serge E. Hallyn" <serge@...lyn.com>, Richard Weinberger <richard@....at>, Kenton Varda <kenton@...dstorm.io>, stable <stable@...r.kernel.org> Subject: Re: [CFT][PATCH 6/7] userns: Add a knob to disable setgroups on a per user namespace basis Andy Lutomirski <luto@...capital.net> writes: > On Mon, Dec 8, 2014 at 2:11 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote: >> >> - Expose the knob to user space through a proc file /proc/<pid>/setgroups >> >> A value of 0 means the setgroups system call is disabled in the > > "deny" > >> current processes user namespace and can not be enabled in the >> future in this user namespace. >> >> A value of 1 means the segtoups system call is enabled. >> > > "allow" > >> - Descedent user namespaces inherit the value of setgroups from > > s/Descedent/Descendent/ Bah. I updated everything but the changelog comment. >> --- a/kernel/groups.c >> +++ b/kernel/groups.c >> @@ -222,6 +222,7 @@ bool may_setgroups(void) >> * the user namespace has been established. >> */ >> return userns_gid_mappings_established(user_ns) && >> + userns_setgroups_allowed(user_ns) && >> ns_capable(user_ns, CAP_SETGID); >> } > > Can you add a comment explaining the ordering? For example: I need to think on what I can say to make it clear. Perhaps: /* Careful the order of these checks is important. */ > We need to check for a gid mapping before checking setgroups_allowed > because an unprivileged user can create a userns with setgroups > allowed, then disallow setgroups and add a mapping. If we check in > the opposite order, then we have a race: we could see that setgroups > is allowed before the user clears the bit and then see that there is a > gid mapping after the other thread is done. Since these are independent atomic variables yes that ordering issue seems to be the case. For me it was the natural ordering of the checks so I didn't even bother to think about what happens when you reorder them. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists