| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87a92xn2io.fsf@x220.int.ebiederm.org> Date: Mon, 08 Dec 2014 17:30:07 -0600 From: ebiederm@...ssion.com (Eric W. Biederman) To: Andy Lutomirski <luto@...capital.net> Cc: Linux Containers <containers@...ts.linux-foundation.org>, Josh Triplett <josh@...htriplett.org>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Michael Kerrisk-manpages <mtk.manpages@...il.com>, Linux API <linux-api@...r.kernel.org>, linux-man <linux-man@...r.kernel.org>, "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>, LSM <linux-security-module@...r.kernel.org>, Casey Schaufler <casey@...aufler-ca.com>, "Serge E. Hallyn" <serge@...lyn.com>, Richard Weinberger <richard@....at>, Kenton Varda <kenton@...dstorm.io>, stable <stable@...r.kernel.org> Subject: Re: [CFT][PATCH 6/7] userns: Add a knob to disable setgroups on a per user namespace basis Andy Lutomirski <luto@...capital.net> writes: > On Mon, Dec 8, 2014 at 2:44 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote: >> Andy Lutomirski <luto@...capital.net> writes: >> >>> On Mon, Dec 8, 2014 at 2:11 PM, Eric W. Biederman <ebiederm@...ssion.com> wrote: >>>> >>>> - Expose the knob to user space through a proc file /proc/<pid>/setgroups >>>> >>>> A value of 0 means the setgroups system call is disabled in the >>> >>> "deny" >>> >>>> current processes user namespace and can not be enabled in the >>>> future in this user namespace. >>>> >>>> A value of 1 means the segtoups system call is enabled. >>>> >>> >>> "allow" >>> >>>> - Descedent user namespaces inherit the value of setgroups from >>> >>> s/Descedent/Descendent/ >> >> Bah. I updated everything but the changelog comment. >> >>>> --- a/kernel/groups.c >>>> +++ b/kernel/groups.c >>>> @@ -222,6 +222,7 @@ bool may_setgroups(void) >>>> * the user namespace has been established. >>>> */ >>>> return userns_gid_mappings_established(user_ns) && >>>> + userns_setgroups_allowed(user_ns) && >>>> ns_capable(user_ns, CAP_SETGID); >>>> } >>> >>> Can you add a comment explaining the ordering? For example: >> >> I need to think on what I can say to make it clear. >> Perhaps: /* Careful the order of these checks is important. */ >> >>> We need to check for a gid mapping before checking setgroups_allowed >>> because an unprivileged user can create a userns with setgroups >>> allowed, then disallow setgroups and add a mapping. If we check in >>> the opposite order, then we have a race: we could see that setgroups >>> is allowed before the user clears the bit and then see that there is a >>> gid mapping after the other thread is done. >> > > This text was actually my suggested comment text. Now I see. > If you put smp_rmb() in this function with a comment like that, then I > think it will all make sense and be obviously correct (even with most > of the other barriers removed). Right. Given that we have to be careful when using these things anyway what I was hoping to achieve with the barriers appears impossible, and confusing so I will see about just adding barriers where we need them for real. Sigh. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists