| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jun 2016 23:29:20 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Jann Horn <jannh@...gle.com>
Cc: Mike Marshall <hubcap@...ibond.com>, linux-kernel@...r.kernel.org,
Alexander Viro <viro@...iv.linux.org.uk>,
linux-fsdevel@...r.kernel.org, jann@...jh.net
Subject: Re: [PATCH] orangefs: fix namespace handling
Jann Horn <jannh@...gle.com> writes:
> diff --git a/fs/orangefs/devorangefs-req.c b/fs/orangefs/devorangefs-req.c
> index db170be..a287a66 100644
> --- a/fs/orangefs/devorangefs-req.c
> +++ b/fs/orangefs/devorangefs-req.c
> @@ -116,6 +116,13 @@ static int orangefs_devreq_open(struct inode *inode, struct file *file)
> {
> int ret = -EINVAL;
>
> + /* in order to ensure that the filesystem driver sees correct UIDs */
> + if (file->f_cred->user_ns != &init_user_ns) {
> + gossip_err("%s: device cannot be opened outside init_user_ns\n",
> + __func__);
> + goto out;
> + }
> +
Not necessarily in this patch but the code should also verify that the
opener is also in the initial pid namespace as pids are transferred in
the upcalls as well.
> if (!(file->f_flags & O_NONBLOCK)) {
> gossip_err("%s: device cannot be opened in blocking mode\n",
> __func__);
Eric
Powered by blists - more mailing lists