| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YhUntajxL3YrDXXg@slm.duckdns.org>
Date: Tue, 22 Feb 2022 08:13:09 -1000
From: Tejun Heo <tj@...nel.org>
To: Michal Koutný <mkoutny@...e.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
Masami Ichikawa <masami.ichikawa@...ertrust.co.jp>,
Tabitha Sable <tabitha.c.sable@...il.com>,
Zefan Li <lizefan.x@...edance.com>,
Johannes Weiner <hannes@...xchg.org>, stable@...r.kernel.org,
cgroups@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cgroup-v1: Correct privileges check in release_agent
writes
On Thu, Feb 17, 2022 at 05:11:28PM +0100, Michal Koutný wrote:
> The idea is to check: a) the owning user_ns of cgroup_ns, b)
> capabilities in init_user_ns.
>
> The commit 24f600856418 ("cgroup-v1: Require capabilities to set
> release_agent") got this wrong in the write handler of release_agent
> since it checked user_ns of the opener (may be different from the owning
> user_ns of cgroup_ns).
> Secondly, to avoid possibly confused deputy, the capability of the
> opener must be checked.
>
> Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent")
> Cc: stable@...r.kernel.org
> Link: https://lore.kernel.org/stable/20220216121142.GB30035@blackbody.suse.cz/
> Signed-off-by: Michal Koutný <mkoutny@...e.com>
Applied to cgroup/for-5.17-fixes.
Thanks.
--
tejun
Powered by blists - more mailing lists