lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Fri, 12 May 2017 18:21:12 +0300
From:   Kirill Tkhai <ktkhai@...tuozzo.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
CC:     <mhocko@...e.com>, <avagin@...nvz.org>,
        <skinsbursky@...tuozzo.com>, <oleg@...hat.com>,
        <linux-kernel@...r.kernel.org>, <gorcunov@...nvz.org>,
        <akpm@...ux-foundation.org>, <ptikhomirov@...tuozzo.com>,
        <serge@...lyn.com>
Subject: Re: [PATCH] prctl: Allow local CAP_SYS_ADMIN changing exe_file

On 12.05.2017 17:56, Eric W. Biederman wrote:
> Kirill Tkhai <ktkhai@...tuozzo.com> writes:
> 
>> During checkpointing and restore of userspace tasks
>> we bumped into the situation, that it's not possible
>> to restore the tasks, which user namespace does not
>> have uid 0 or gid 0 mapped.
>>
>> People create user namespace mappings like they want,
>> and there is no a limitation on obligatory uid and gid
>> "must be mapped". So, if there is no uid 0 or gid 0
>> in the mapping, it's impossible to restore mm->exe_file
>> of the processes belonging to this user namespace.
>>
>> Also, there is no a workaround. It's impossible
>> to create a temporary uid/gid mapping, because
>> only one write to /proc/[pid]/uid_map and gid_map
>> is allowed during a namespace lifetime.
>> If there is an entry, then no more mapings can't be
>> written. If there isn't an entry, we can't write
>> there too, otherwise user task won't be able
>> to do that in the future.
>>
>> The patch changes the check, and looks for CAP_SYS_ADMIN
>> instead of zero uid and gid. This allows to restore
>> a task independently of its user namespace mappings.
> 
> Applied thanks.  Testing against 0 in the modern kernel is perhaps the
> most bizarre permisssion check I have seen lately.

Thank you, Eric!

>>
>> Signed-off-by: Kirill Tkhai <ktkhai@...tuozzo.com>
>> CC: Andrew Morton <akpm@...ux-foundation.org>
>> CC: Serge Hallyn <serge@...lyn.com>
>> CC: "Eric W. Biederman" <ebiederm@...ssion.com>
>> CC: Oleg Nesterov <oleg@...hat.com>
>> CC: Michal Hocko <mhocko@...e.com>
>> CC: Andrei Vagin <avagin@...nvz.org>
>> CC: Cyrill Gorcunov <gorcunov@...nvz.org>
>> CC: Stanislav Kinsburskiy <skinsbursky@...tuozzo.com>
>> CC: Pavel Tikhomirov <ptikhomirov@...tuozzo.com>
>> ---
>>  kernel/sys.c |    8 ++------
>>  1 file changed, 2 insertions(+), 6 deletions(-)
>>
>> diff --git a/kernel/sys.c b/kernel/sys.c
>> index 8a94b4eabcaa..7c6d78148fa0 100644
>> --- a/kernel/sys.c
>> +++ b/kernel/sys.c
>> @@ -1802,15 +1802,11 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map)
>>  
>>  	/*
>>  	 * Finally, make sure the caller has the rights to
>> -	 * change /proc/pid/exe link: only local root should
>> +	 * change /proc/pid/exe link: only local sys admin should
>>  	 * be allowed to.
>>  	 */
>>  	if (prctl_map->exe_fd != (u32)-1) {
>> -		struct user_namespace *ns = current_user_ns();
>> -		const struct cred *cred = current_cred();
>> -
>> -		if (!uid_eq(cred->uid, make_kuid(ns, 0)) ||
>> -		    !gid_eq(cred->gid, make_kgid(ns, 0)))
>> +		if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN))
>>  			goto out;
>>  	}
>>  

Powered by blists - more mailing lists