lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200219023343.GC19144@mail.hallyn.com>
Date:   Tue, 18 Feb 2020 20:33:43 -0600
From:   "Serge E. Hallyn" <serge@...lyn.com>
To:     Christian Brauner <christian.brauner@...ntu.com>
Cc:     Stéphane Graber <stgraber@...ntu.com>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Aleksa Sarai <cyphar@...har.com>, Jann Horn <jannh@...gle.com>,
        smbarber@...omium.org, Seth Forshee <seth.forshee@...onical.com>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Alexey Dobriyan <adobriyan@...il.com>,
        Serge Hallyn <serge@...lyn.com>,
        James Morris <jmorris@...ei.org>,
        Kees Cook <keescook@...omium.org>,
        Jonathan Corbet <corbet@....net>,
        Phil Estes <estesp@...il.com>, linux-kernel@...r.kernel.org,
        linux-fsdevel@...r.kernel.org,
        containers@...ts.linux-foundation.org,
        linux-security-module@...r.kernel.org, linux-api@...r.kernel.org
Subject: Re: [PATCH v3 03/25] proc: add /proc/<pid>/fsgid_map

On Tue, Feb 18, 2020 at 03:33:49PM +0100, Christian Brauner wrote:
> The /proc/<pid>/fsgid_map file can be written once to setup an fsgid mapping
> for a user namespace. Writing to this file has the same restrictions as writing
> to /proc/<pid>/fsgid_map.
> 
> root@...vm:/# cat /proc/13023/fsgid_map
>          0     300000     100000
> 
> Fsid mappings have always been around. They are currently always identical to
> the id mappings for a user namespace. This means, currently whenever an fsid
> needs to be looked up the kernel will use the id mapping of the user namespace.
> With the introduction of fsid mappings the kernel will now lookup fsids in the
> fsid mappings of the user namespace. If no fsid mapping exists the kernel will
> continue looking up fsids in the id mappings of the user namespace. Hence, if a
> system supports fsid mappings through /proc/<pid>/fs*id_map and a container
> runtime is not aware of fsid mappings it or does not use them it will it will
> continue to work just as before.
> 
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>

Acked-by: Serge Hallyn <serge@...lyn.com>

> ---
> /* v2 */
> unchanged
> 
> /* v3 */
> - Christian Brauner <christian.brauner@...ntu.com>:
>   - Fix grammar in commit message.
> ---
>  fs/proc/base.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 5fb28004663e..1303cdd2e617 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2975,6 +2975,11 @@ static int proc_fsuid_map_open(struct inode *inode, struct file *file)
>  {
>  	return proc_id_map_open(inode, file, &proc_fsuid_seq_operations);
>  }
> +
> +static int proc_fsgid_map_open(struct inode *inode, struct file *file)
> +{
> +	return proc_id_map_open(inode, file, &proc_fsgid_seq_operations);
> +}
>  #endif
>  
>  static const struct file_operations proc_uid_map_operations = {
> @@ -3009,6 +3014,14 @@ static const struct file_operations proc_fsuid_map_operations = {
>  	.llseek		= seq_lseek,
>  	.release	= proc_id_map_release,
>  };
> +
> +static const struct file_operations proc_fsgid_map_operations = {
> +	.open		= proc_fsgid_map_open,
> +	.write		= proc_fsgid_map_write,
> +	.read		= seq_read,
> +	.llseek		= seq_lseek,
> +	.release	= proc_id_map_release,
> +};
>  #endif
>  
>  static int proc_setgroups_open(struct inode *inode, struct file *file)
> @@ -3195,6 +3208,7 @@ static const struct pid_entry tgid_base_stuff[] = {
>  #ifdef CONFIG_USER_NS
>  #ifdef CONFIG_USER_NS_FSID
>  	REG("fsuid_map",  S_IRUGO|S_IWUSR, proc_fsuid_map_operations),
> +	REG("fsgid_map",  S_IRUGO|S_IWUSR, proc_fsgid_map_operations),
>  #endif
>  	REG("uid_map",    S_IRUGO|S_IWUSR, proc_uid_map_operations),
>  	REG("gid_map",    S_IRUGO|S_IWUSR, proc_gid_map_operations),
> -- 
> 2.25.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ