lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <fd99f5e7144be5de87c88e069cd5edb36136eefd.1457931898.git.luto@kernel.org>
Date:	Sun, 13 Mar 2016 22:06:15 -0700
From:	Andy Lutomirski <luto@...nel.org>
To:	Linux FS Devel <linux-fsdevel@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	gnome-os-list@...me.org,
	James Bottomley <James.Bottomley@...senpartnership.com>,
	Andy Lutomirski <luto@...nel.org>,
	Alexander Larsson <alexl@...hat.com>, mclasen@...hat.com,
	Linux Containers <containers@...ts.linux-foundation.org>
Subject: [PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0

We used to have ptmx be owned by the inner uid and gid 0.  Change
this: if the owner and group are both mapped but are not both 0,
then use the owner instead.

For container-style namespaces (LXC, etc), this should have no
effect -- UID 0 is will either be the owner or will be unmapped.

The important behavior change is for sandboxes: many sandboxes
intentionally do not create an inner uid 0.  Without this patch,
mounting devpts in such a sandbox is awkward.  With this patch, it
will just work and ptmx will be owned by the namespace owner.

Cc: Alexander Larsson <alexl@...hat.com>
Cc: mclasen@...hat.com
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Linux Containers <containers@...ts.linux-foundation.org>
Signed-off-by: Andy Lutomirski <luto@...nel.org>
---
 fs/devpts/inode.c | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 655f21f99160..d6fa2d1beee3 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -27,6 +27,7 @@
 #include <linux/parser.h>
 #include <linux/fsnotify.h>
 #include <linux/seq_file.h>
+#include <linux/user_namespace.h>
 
 #define DEVPTS_DEFAULT_MODE 0600
 /*
@@ -250,10 +251,35 @@ static int mknod_ptmx(struct super_block *sb)
 	kuid_t root_uid;
 	kgid_t root_gid;
 
-	root_uid = make_kuid(current_user_ns(), 0);
-	root_gid = make_kgid(current_user_ns(), 0);
-	if (!uid_valid(root_uid) || !gid_valid(root_gid))
-		return -EINVAL;
+	/*
+	 * For a new devpts instance, ptmx is owned by the creating user
+	 * namespace's owner.  Usually, that will be 0 as seen by the
+	 * user namespace, but for unprivileged sandbox namespaces,
+	 * there may not be a uid 0 or gid 0 at all.
+	 */
+	root_uid = current_user_ns()->owner;
+	root_gid = current_user_ns()->group;
+
+	if (!uid_valid(root_uid) || !gid_valid(root_gid)) {
+		/*
+		 * It's very unlikely for us to get here if the userns
+		 * owner is not mapped, but it's possible -- we'd have
+		 * to be running in the userns with capabilities granted
+		 * by unshare or setns, since there is no inner
+		 * privileged user.  Nonetheless, this could happen, and
+		 * we don't want ptmx to be owned by an unmapped user or
+		 * group.
+		 *
+		 * If this happens fall back to historical behavior:
+		 * try to have ptmx be owned by 0:0.
+		 */
+		root_uid = make_kuid(current_user_ns(), 0);
+		root_gid = make_kgid(current_user_ns(), 0);
+
+		/* If this still doesn't work, give up. */
+		if (!uid_valid(root_uid) || !gid_valid(root_gid))
+			return -EINVAL;
+	}
 
 	inode_lock(d_inode(root));
 
-- 
2.5.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ