| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Feb 2020 15:33:49 +0100
From: Christian Brauner <christian.brauner@...ntu.com>
To: Stéphane Graber <stgraber@...ntu.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Aleksa Sarai <cyphar@...har.com>, Jann Horn <jannh@...gle.com>
Cc: smbarber@...omium.org, Seth Forshee <seth.forshee@...onical.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Alexey Dobriyan <adobriyan@...il.com>,
Serge Hallyn <serge@...lyn.com>,
James Morris <jmorris@...ei.org>,
Kees Cook <keescook@...omium.org>,
Jonathan Corbet <corbet@....net>,
Phil Estes <estesp@...il.com>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
containers@...ts.linux-foundation.org,
linux-security-module@...r.kernel.org, linux-api@...r.kernel.org,
Christian Brauner <christian.brauner@...ntu.com>
Subject: [PATCH v3 03/25] proc: add /proc/<pid>/fsgid_map
The /proc/<pid>/fsgid_map file can be written once to setup an fsgid mapping
for a user namespace. Writing to this file has the same restrictions as writing
to /proc/<pid>/fsgid_map.
root@...vm:/# cat /proc/13023/fsgid_map
0 300000 100000
Fsid mappings have always been around. They are currently always identical to
the id mappings for a user namespace. This means, currently whenever an fsid
needs to be looked up the kernel will use the id mapping of the user namespace.
With the introduction of fsid mappings the kernel will now lookup fsids in the
fsid mappings of the user namespace. If no fsid mapping exists the kernel will
continue looking up fsids in the id mappings of the user namespace. Hence, if a
system supports fsid mappings through /proc/<pid>/fs*id_map and a container
runtime is not aware of fsid mappings it or does not use them it will it will
continue to work just as before.
Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>
---
/* v2 */
unchanged
/* v3 */
- Christian Brauner <christian.brauner@...ntu.com>:
- Fix grammar in commit message.
---
fs/proc/base.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 5fb28004663e..1303cdd2e617 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2975,6 +2975,11 @@ static int proc_fsuid_map_open(struct inode *inode, struct file *file)
{
return proc_id_map_open(inode, file, &proc_fsuid_seq_operations);
}
+
+static int proc_fsgid_map_open(struct inode *inode, struct file *file)
+{
+ return proc_id_map_open(inode, file, &proc_fsgid_seq_operations);
+}
#endif
static const struct file_operations proc_uid_map_operations = {
@@ -3009,6 +3014,14 @@ static const struct file_operations proc_fsuid_map_operations = {
.llseek = seq_lseek,
.release = proc_id_map_release,
};
+
+static const struct file_operations proc_fsgid_map_operations = {
+ .open = proc_fsgid_map_open,
+ .write = proc_fsgid_map_write,
+ .read = seq_read,
+ .llseek = seq_lseek,
+ .release = proc_id_map_release,
+};
#endif
static int proc_setgroups_open(struct inode *inode, struct file *file)
@@ -3195,6 +3208,7 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_USER_NS
#ifdef CONFIG_USER_NS_FSID
REG("fsuid_map", S_IRUGO|S_IWUSR, proc_fsuid_map_operations),
+ REG("fsgid_map", S_IRUGO|S_IWUSR, proc_fsgid_map_operations),
#endif
REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
--
2.25.0
Powered by blists - more mailing lists