[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190708192801.GG19023@42.do-not-panic.com>
Date: Mon, 8 Jul 2019 19:28:01 +0000
From: Luis Chamberlain <mcgrof@...nel.org>
To: Radoslaw Burny <rburny@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: Kees Cook <keescook@...omium.org>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Seth Forshee <seth.forshee@...onical.com>,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
jsperbeck@...gle.com, stable@...r.kernel.org
Subject: Re: [PATCH v3] fs: Fix the default values of i_uid/i_gid on
/proc/sys inodes.
On Mon, Jul 08, 2019 at 01:51:30PM +0200, Radoslaw Burny wrote:
> fs: Fix the default values of i_uid/i_gid on /proc/sys inodes.
> Normally, the inode's i_uid/i_gid are translated relative to s_user_ns,
> but this is not a correct behavior for proc. Since sysctl permission
> check in test_perm is done against GLOBAL_ROOT_[UG]ID, it makes more
> sense to use these values in u_[ug]id of proc inodes.
> In other words: although uid/gid in the inode is not read during
> test_perm, the inode logically belongs to the root of the namespace.
> I have confirmed this with Eric Biederman at LPC and in this thread:
> https://lore.kernel.org/lkml/87k1kzjdff.fsf@xmission.com
>
> Consequences
> ============
> Since the i_[ug]id values of proc nodes are not used for permissions
> checks, this change usually makes no functional difference. However, it
> causes an issue in a setup where:
> * a namespace container is created without root user in container -
> hence the i_[ug]id of proc nodes are set to INVALID_[UG]ID
> * container creator tries to configure it by writing /proc/sys files,
> e.g. writing /proc/sys/kernel/shmmax to configure shared memory limit
> Kernel does not allow to open an inode for writing if its i_[ug]id are
> invalid, making it impossible to write shmmax and thus - configure the
> container.
> Using a container with no root mapping is apparently rare, but we do use
> this configuration at Google. Also, we use a generic tool to configure
> the container limits, and the inability to write any of them causes a
> failure.
>
> History
> =======
> The invalid uids/gids in inodes first appeared due to 81754357770e (fs:
> Update i_[ug]id_(read|write) to translate relative to s_user_ns).
> However, AFAIK, this did not immediately cause any issues.
> The inability to write to these "invalid" inodes was only caused by a
> later commit 0bd23d09b874 (vfs: Don't modify inodes with a uid or gid
> unknown to the vfs).
>
> Tested: Used a repro program that creates a user namespace without any
> mapping and stat'ed /proc/$PID/root/proc/sys/kernel/shmmax from outside.
> Before the change, it shows the overflow uid, with the change it's 0.
> The overflow uid indicates that the uid in the inode is not correct and
> thus it is not possible to open the file for writing.
>
> Fixes: 0bd23d09b874 ("vfs: Don't modify inodes with a uid or gid unknown to the vfs")
> Cc: stable@...r.kernel.org # v4.8+
> Signed-off-by: Radoslaw Burny <rburny@...gle.com>
Acked-by: Luis Chamberlain <mcgrof@...nel.org>
Andrew,
When you get a chance, can you pick this one up on your tree? This was
an old patch that just fell through the cracks, but fortuntely Radoslaw
followed through with an updated commit message. This affects only a
small crowd, however it is a proper fix.
Luis
> ---
> Changelog since v1:
> - Updated the commit title and description.
>
> fs/proc/proc_sysctl.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index c74570736b24..36ad1b0d6259 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -499,6 +499,10 @@ static struct inode *proc_sys_make_inode(struct super_block *sb,
>
> if (root->set_ownership)
> root->set_ownership(head, table, &inode->i_uid, &inode->i_gid);
> + else {
> + inode->i_uid = GLOBAL_ROOT_UID;
> + inode->i_gid = GLOBAL_ROOT_GID;
> + }
>
> return inode;
> }
> --
> 2.22.0.410.gd8fdbe21b5-goog
>
Powered by blists - more mailing lists