lists.openwall.net: Open Source and information security mailing list archives
Date:   Tue, 18 Feb 2020 20:33:33 -0600
From:   "Serge E. Hallyn" <serge@...lyn.com>
To:     Christian Brauner <christian.brauner@...ntu.com>
Cc:     Stéphane Graber <stgraber@...ntu.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Aleksa Sarai <cyphar@...har.com>, Jann Horn <jannh@...gle.com>,
        smbarber@...omium.org, Seth Forshee <seth.forshee@...onical.com>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Alexey Dobriyan <adobriyan@...il.com>,
        Serge Hallyn <serge@...lyn.com>,
        James Morris <jmorris@...ei.org>,
        Kees Cook <keescook@...omium.org>,
        Jonathan Corbet <corbet@....net>,
        Phil Estes <estesp@...il.com>, linux-kernel@...r.kernel.org,
        linux-fsdevel@...r.kernel.org,
        containers@...ts.linux-foundation.org,
        linux-security-module@...r.kernel.org, linux-api@...r.kernel.org
Subject: Re: [PATCH v3 02/25] proc: add /proc/<pid>/fsuid_map

On Tue, Feb 18, 2020 at 03:33:48PM +0100, Christian Brauner wrote:
> The /proc/<pid>/fsuid_map file can be written once to setup an fsuid mapping
> for a user namespace. Writing to this file has the same restrictions as writing
> to /proc/<pid>/fsuid_map:
> 
> root@...vm:/# cat /proc/13023/fsuid_map
>          0     300000     100000
> 
> Fsid mappings have always been around. They are currently always identical to
> the id mappings for a user namespace. This means, currently whenever an fsid
> needs to be looked up the kernel will use the id mapping of the user namespace.
> With the introduction of fsid mappings the kernel will now lookup fsids in the
> fsid mappings of the user namespace. If no fsid mapping exists the kernel will
> continue looking up fsids in the id mappings of the user namespace. Hence, if a
> system supports fsid mappings through /proc/<pid>/fs*id_map and a container
> runtime is not aware of fsid mappings or does not use them, it will
> continue to work just as before.
> 
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>

Acked-by: Serge Hallyn <serge@...lyn.com>

> ---
> /* v2 */
> unchanged
> 
> /* v3 */
> - Christian Brauner <christian.brauner@...ntu.com>:
>   - Fix grammar in commit message.
> ---
>  fs/proc/base.c | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index c7c64272b0fa..5fb28004663e 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2970,6 +2970,13 @@ static int proc_projid_map_open(struct inode *inode, struct file *file)
>  	return proc_id_map_open(inode, file, &proc_projid_seq_operations);
>  }
>  
> +#ifdef CONFIG_USER_NS_FSID
> +static int proc_fsuid_map_open(struct inode *inode, struct file *file)
> +{
> +	return proc_id_map_open(inode, file, &proc_fsuid_seq_operations);
> +}
> +#endif
> +
>  static const struct file_operations proc_uid_map_operations = {
>  	.open		= proc_uid_map_open,
>  	.write		= proc_uid_map_write,
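Review bot: proc_fsuid_seq_operations, referenced from the new proc_fsuid_map_open(), is neither defined nor declared in this patch, and the same goes for the CONFIG_USER_NS_FSID symbol guarding it; both have to be introduced by earlier patches in the series, and the seq_operations must be non-static and reachable through a header fs/proc/base.c already includes, otherwise a bisect landing on this commit with CONFIG_USER_NS_FSID=y fails to build. Suggest stating in the commit message which earlier patch exports that symbol, so the dependency is explicit.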
> @@ -2994,6 +3001,16 @@ static const struct file_operations proc_projid_map_operations = {
>  	.release	= proc_id_map_release,
>  };
>  
> +#ifdef CONFIG_USER_NS_FSID
> +static const struct file_operations proc_fsuid_map_operations = {
> +	.open		= proc_fsuid_map_open,
> +	.write		= proc_fsuid_map_write,
> +	.read		= seq_read,
> +	.llseek		= seq_lseek,
> +	.release	= proc_id_map_release,
> +};
> +#endif
> +
>  static int proc_setgroups_open(struct inode *inode, struct file *file)
>  {
>  	struct user_namespace *ns = NULL;
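Review bot: the write-once and permission restrictions the commit message promises are enforced entirely inside proc_fsuid_map_write, wired in here at `.write = proc_fsuid_map_write`, not by this file_operations table, and that function is not part of this patch; since this file controls how the kernel translates fsids for the namespace, the reviewer should confirm it applies exactly the same checks as proc_uid_map_write in the unchanged proc_uid_map_operations table. The rest of the table (seq_read, seq_lseek, proc_id_map_release) mirrors proc_uid_map_operations, which is the right shape.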
> @@ -3176,6 +3193,9 @@ static const struct pid_entry tgid_base_stuff[] = {
>  	ONE("io",	S_IRUSR, proc_tgid_io_accounting),
>  #endif
>  #ifdef CONFIG_USER_NS
> +#ifdef CONFIG_USER_NS_FSID
> +	REG("fsuid_map",  S_IRUGO|S_IWUSR, proc_fsuid_map_operations),
> +#endif
>  	REG("uid_map",    S_IRUGO|S_IWUSR, proc_uid_map_operations),
>  	REG("gid_map",    S_IRUGO|S_IWUSR, proc_gid_map_operations),
>  	REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations),
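Review bot: the REG("fsuid_map", ...) entry is added only to tgid_base_stuff; if uid_map, gid_map and projid_map are also registered in the per-thread tid_base_stuff table (the diffstat shows all 20 insertions in this file and none there), fsuid_map should be added there as well so /proc/<pid>/task/<tid>/fsuid_map behaves like uid_map. The mode S_IRUGO|S_IWUSR matches the uid_map entry, which is what the commit message's "same restrictions" sentence relies on, but that sentence compares writing fsuid_map to writing /proc/<pid>/fsuid_map itself and presumably means uid_map; worth fixing alongside the v3 grammar fix.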
> -- 
> 2.25.0
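Added example, not code from the patch or the kernel: a user-space model in C of the lookup order the commit message describes (fsid map consulted first, id map as fallback), parsing the three-column map layout shown in the quoted `cat` output. It assumes that "no fsid mapping exists" means the namespace's fsid map is empty, so a non-empty fsid map is authoritative; the sample maps are constructed.

```c
/* Added example, not part of the patch: user-space model of the lookup order
 * in the commit message. Map text uses the uid_map layout shown there,
 * "<id inside ns> <id outside ns> <count>" per line. Assumption: "no fsid
 * mapping exists" means the fsid map is empty; sample maps are constructed. */
#include <stdio.h>

struct id_extent { unsigned int first, lower_first, count; };
struct id_map { struct id_extent extents[5]; int nr; };

/* Parse uid_map-style lines; returns extent count, -1 if text is malformed. */
static int parse_id_map(const char *p, struct id_map *map)
{
    int n;
    for (map->nr = 0; map->nr < 5; map->nr++, p += n) {
        struct id_extent *e = &map->extents[map->nr];
        if (sscanf(p, " %u %u %u%n", &e->first, &e->lower_first, &e->count, &n) != 3)
            break;
    }
    while (*p == ' ' || *p == '\n') p++;   /* trailing whitespace is fine */
    return *p ? -1 : map->nr;              /* anything else is malformed */
}

/* Translate an in-namespace id to its outside value; -1 if unmapped. */
static long resolve_id(const struct id_map *map, unsigned int id)
{
    for (int i = 0; i < map->nr; i++) {
        const struct id_extent *e = &map->extents[i];
        if (id >= e->first && id - e->first < e->count)
            return (long)e->lower_first + (id - e->first);
    }
    return -1;
}

/* fsid lookup: a non-empty fsid map is used, otherwise fall back to id map. */
static long resolve_fsid(const struct id_map *fsid, const struct id_map *ids, unsigned int id)
{
    return fsid->nr ? resolve_id(fsid, id) : resolve_id(ids, id);
}

int main(void)
{
    struct id_map ids, fsids, none = { .nr = 0 };   /* none: runtime never wrote one */
    parse_id_map("0 100000 65536\n", &ids);
    parse_id_map("0 300000 100000\n", &fsids);      /* the map shown in the message */
    printf("fsuid 1000 -> %ld via fsid map, %ld via id-map fallback\n",
           resolve_fsid(&fsids, &ids, 1000), resolve_fsid(&none, &ids, 1000));
    return 0;
}
```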
