Date: Fri, 18 Feb 2022 10:05:26 +0900 From: "Masami Ichikawa(CIP)" <masami.ichikawa@...ertrust.co.jp> To: Michal Koutný <mkoutny@...e.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Masami Ichikawa <masami.ichikawa@...ertrust.co.jp>, Tabitha Sable <tabitha.c.sable@...il.com>, Tejun Heo <tj@...nel.org>, Zefan Li <lizefan.x@...edance.com>, Johannes Weiner <hannes@...xchg.org>, stable@...r.kernel.org, cgroups@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] cgroup-v1: Correct privileges check in release_agent writes On Fri, Feb 18, 2022 at 1:11 AM Michal Koutný <mkoutny@...e.com> wrote: > > The idea is to check: a) the owning user_ns of cgroup_ns, b) > capabilities in init_user_ns. > > The commit 24f600856418 ("cgroup-v1: Require capabilities to set > release_agent") got this wrong in the write handler of release_agent > since it checked user_ns of the opener (may be different from the owning > user_ns of cgroup_ns). > Secondly, to avoid possibly confused deputy, the capability of the > opener must be checked. > > Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent") > Cc: stable@...r.kernel.org > Link: https://lore.kernel.org/stable/20220216121142.GB30035@blackbody.suse.cz/ > Signed-off-by: Michal Koutný <mkoutny@...e.com> > --- > kernel/cgroup/cgroup-v1.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c > index 0e877dbcfeea..afc6c0e9c966 100644 > --- a/kernel/cgroup/cgroup-v1.c > +++ b/kernel/cgroup/cgroup-v1.c > @@ -546,6 +546,7 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of, > char *buf, size_t nbytes, loff_t off) > { > struct cgroup *cgrp; > + struct cgroup_file_ctx *ctx; > > BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); 
> > @@ -553,8 +554,9 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of, > * Release agent gets called with all capabilities, > * require capabilities to set release agent. > */ > - if ((of->file->f_cred->user_ns != &init_user_ns) || > - !capable(CAP_SYS_ADMIN)) > + ctx = of->priv; > + if ((ctx->ns->user_ns != &init_user_ns) || > + !file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN)) > return -EPERM; > > cgrp = cgroup_kn_lock_live(of->kn, false); > -- > 2.34.1 Thank you. Looks good to me. Reviewed-by: Masami Ichikawa(CIP) <masami.ichikawa@...ertrust.co.jp>
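Review bot: in the first hunk the new `struct cgroup_file_ctx *ctx;` is declared but only assigned in the later hunk (`ctx = of->priv;`); initialising it at the declaration (`struct cgroup_file_ctx *ctx = of->priv;`) would keep the declaration next to its only source and remove one line from the second hunk. Style only, no functional concern.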
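Review bot: in the second hunk the comment kept above the condition ("Release agent gets called with all capabilities, require capabilities to set release agent.") no longer says what is actually checked, namely the user namespace owning the opener's cgroup namespace (`ctx->ns->user_ns`) and the opener's credentials via `file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN)` instead of current's via `capable()`. Because a later reader could easily "simplify" this back to `capable(CAP_SYS_ADMIN)` and reintroduce the confused-deputy issue the commit message describes, suggest extending the comment to state that both halves deliberately refer to the opener, for example: "Check the opener's cgroup ns owner and f_cred, not current, so a privileged writer cannot be used as a confused deputy." It would also help to note in the commit message that `of->priv` is always populated before this write handler can be reached, since `ctx->ns` is dereferenced without a NULL check.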