lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 May 2017 18:21:12 +0300 From: Kirill Tkhai <ktkhai@...tuozzo.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> CC: <mhocko@...e.com>, <avagin@...nvz.org>, <skinsbursky@...tuozzo.com>, <oleg@...hat.com>, <linux-kernel@...r.kernel.org>, <gorcunov@...nvz.org>, <akpm@...ux-foundation.org>, <ptikhomirov@...tuozzo.com>, <serge@...lyn.com> Subject: Re: [PATCH] prctl: Allow local CAP_SYS_ADMIN changing exe_file On 12.05.2017 17:56, Eric W. Biederman wrote: > Kirill Tkhai <ktkhai@...tuozzo.com> writes: > >> During checkpointing and restore of userspace tasks >> we bumped into the situation, that it's not possible >> to restore the tasks, which user namespace does not >> have uid 0 or gid 0 mapped. >> >> People create user namespace mappings like they want, >> and there is no a limitation on obligatory uid and gid >> "must be mapped". So, if there is no uid 0 or gid 0 >> in the mapping, it's impossible to restore mm->exe_file >> of the processes belonging to this user namespace. >> >> Also, there is no a workaround. It's impossible >> to create a temporary uid/gid mapping, because >> only one write to /proc/[pid]/uid_map and gid_map >> is allowed during a namespace lifetime. >> If there is an entry, then no more mapings can't be >> written. If there isn't an entry, we can't write >> there too, otherwise user task won't be able >> to do that in the future. >> >> The patch changes the check, and looks for CAP_SYS_ADMIN >> instead of zero uid and gid. This allows to restore >> a task independently of its user namespace mappings. > > Applied thanks. Testing against 0 in the modern kernel is perhaps the > most bizarre permisssion check I have seen lately. Thank you, Eric! >> >> Signed-off-by: Kirill Tkhai <ktkhai@...tuozzo.com> >> CC: Andrew Morton <akpm@...ux-foundation.org> >> CC: Serge Hallyn <serge@...lyn.com> >> CC: "Eric W. Biederman" <ebiederm@...ssion.com> >> CC: Oleg Nesterov <oleg@...hat.com> >> CC: Michal Hocko <mhocko@...e.com> >> CC: Andrei Vagin <avagin@...nvz.org> >> CC: Cyrill Gorcunov <gorcunov@...nvz.org> >> CC: Stanislav Kinsburskiy <skinsbursky@...tuozzo.com> >> CC: Pavel Tikhomirov <ptikhomirov@...tuozzo.com> >> --- >> kernel/sys.c | 8 ++------ >> 1 file changed, 2 insertions(+), 6 deletions(-) >> >> diff --git a/kernel/sys.c b/kernel/sys.c >> index 8a94b4eabcaa..7c6d78148fa0 100644 >> --- a/kernel/sys.c >> +++ b/kernel/sys.c >> @@ -1802,15 +1802,11 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map) >> >> /* >> * Finally, make sure the caller has the rights to >> - * change /proc/pid/exe link: only local root should >> + * change /proc/pid/exe link: only local sys admin should >> * be allowed to. >> */ >> if (prctl_map->exe_fd != (u32)-1) { >> - struct user_namespace *ns = current_user_ns(); >> - const struct cred *cred = current_cred(); >> - >> - if (!uid_eq(cred->uid, make_kuid(ns, 0)) || >> - !gid_eq(cred->gid, make_kgid(ns, 0))) >> + if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN)) >> goto out; >> } >>
Powered by blists - more mailing lists