[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200214183554.1133805-7-christian.brauner@ubuntu.com>
Date: Fri, 14 Feb 2020 19:35:32 +0100
From: Christian Brauner <christian.brauner@...ntu.com>
To: Stéphane Graber <stgraber@...ntu.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Aleksa Sarai <cyphar@...har.com>, Jann Horn <jannh@...gle.com>
Cc: smbarber@...omium.org, Seth Forshee <seth.forshee@...onical.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Alexey Dobriyan <adobriyan@...il.com>,
Serge Hallyn <serge@...lyn.com>,
James Morris <jmorris@...ei.org>,
Kees Cook <keescook@...omium.org>,
Jonathan Corbet <corbet@....net>,
Phil Estes <estesp@...il.com>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
containers@...ts.linux-foundation.org,
linux-security-module@...r.kernel.org, linux-api@...r.kernel.org,
Christian Brauner <christian.brauner@...ntu.com>
Subject: [PATCH v2 06/28] cred: add kfs{g,u}id
After the introduction of fsid mappings we need to carefully handle
single-superblock filesystems that are visible in user namespaces. This
specifically concerns proc and sysfs. For those filesystems we want to continue
looking up fsid in the id mappings of the relevant user namespace. We can
either do this by dynamically translating between these fsids or we simply keep
them around with the other creds. The latter option is not just simpler but
also more performant since we don't need to do the translation from fsid
mappings into id mappings on the fly.
Link: https://lore.kernel.org/r/20200212145149.zohmc6d3x52bw6j6@wittgenstein
Cc: Jann Horn <jannh@...gle.com>
Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>
---
/* v2 */
patch added
---
include/linux/cred.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 18639c069263..604914d3fd51 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -125,6 +125,8 @@ struct cred {
kgid_t egid; /* effective GID of the task */
kuid_t fsuid; /* UID for VFS ops */
kgid_t fsgid; /* GID for VFS ops */
+ kuid_t kfsuid; /* UID for VFS ops for userns visible filesystems */
+ kgid_t kfsgid; /* GID for VFS ops for userns visible filesystems */
unsigned securebits; /* SUID-less security management */
kernel_cap_t cap_inheritable; /* caps our children can inherit */
kernel_cap_t cap_permitted; /* caps we're permitted */
@@ -384,6 +386,8 @@ static inline void put_cred(const struct cred *_cred)
#define current_sgid() (current_cred_xxx(sgid))
#define current_fsuid() (current_cred_xxx(fsuid))
#define current_fsgid() (current_cred_xxx(fsgid))
+#define current_kfsuid() (current_cred_xxx(kfsuid))
+#define current_kfsgid() (current_cred_xxx(kfsgid))
#define current_cap() (current_cred_xxx(cap_effective))
#define current_user() (current_cred_xxx(user))
--
2.25.0
Powered by blists - more mailing lists