Message-Id: <54e6b6b1b430537748a7136e854923498443f78a.1657642613.git.legion@kernel.org>
Date:   Tue, 12 Jul 2022 18:17:38 +0200
From:   Alexey Gladkov <legion@...nel.org>
To:     LKML <linux-kernel@...r.kernel.org>,
        Linux Containers <containers@...ts.linux.dev>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Christian Brauner <brauner@...nel.org>,
        "Eric W . Biederman" <ebiederm@...ssion.com>,
        Kees Cook <keescook@...omium.org>,
        Manfred Spraul <manfred@...orfullife.com>
Subject: [PATCH v1] sysctl: Allow changing System V IPC sysctls inside ipc namespace

Rootless containers are not allowed to modify kernel IPC parameters such
as kernel.msgmnb.

It seems to me that we can allow customization of these parameters if
the user has CAP_SYS_RESOURCE in that ipc namespace.

CAP_SYS_RESOURCE is already needed in order to overcome mqueue limits
(msg_max and msgsize_max).

Signed-off-by: Alexey Gladkov <legion@...nel.org>
---
 ipc/ipc_sysctl.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
index ef313ecfb53a..e79452867720 100644
--- a/ipc/ipc_sysctl.c
+++ b/ipc/ipc_sysctl.c
@@ -193,16 +193,19 @@ static int set_is_seen(struct ctl_table_set *set)
 static int ipc_permissions(struct ctl_table_header *head, struct ctl_table *table)
 {
 	int mode = table->mode;
-
-#ifdef CONFIG_CHECKPOINT_RESTORE
 	struct ipc_namespace *ns = current->nsproxy->ipc_ns;
 
+#ifdef CONFIG_CHECKPOINT_RESTORE
 	if (((table->data == &ns->ids[IPC_SEM_IDS].next_id) ||
 	     (table->data == &ns->ids[IPC_MSG_IDS].next_id) ||
 	     (table->data == &ns->ids[IPC_SHM_IDS].next_id)) &&
 	    checkpoint_restore_ns_capable(ns->user_ns))
 		mode = 0666;
+	else
 #endif
+	if (ns_capable(ns->user_ns, CAP_SYS_RESOURCE))
+		mode = 0666;
+
 	return mode;
 }
 
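Review bot: with CONFIG_CHECKPOINT_RESTORE enabled, the `else` that falls through `#endif` makes the new `ns_capable(ns->user_ns, CAP_SYS_RESOURCE)` branch apply to the sem_next_id/msg_next_id/shm_next_id tables as well: a caller that lacks CAP_CHECKPOINT_RESTORE but holds CAP_SYS_RESOURCE now gets `mode = 0666` on exactly the entries the first branch reserves for `checkpoint_restore_ns_capable()`, while the commit message only argues for limit knobs such as kernel.msgmnb. Either exclude the three next_id entries from the new check (e.g. return early with `table->mode` when `table->data` matches one of them and the checkpoint/restore test fails) or state the widening explicitly in the commit message. Separately, an `else` straddling `#endif` is hard to read and easy to break on the next edit; since both arms assign the same `mode = 0666`, dropping the `else` and leaving two independent `if` statements gives the same result without the preprocessor trick.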
-- 
2.33.3

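To check on a running kernel whether the behaviour this patch proposes is in effect, here is an added userspace probe. It is example code written for this page, not part of the patch or of the kernel tree, and the names probe_ipc_sysctl_rewrite, probe_result, probe_name and child_try_rewrite are its own. It forks a child that unshares a new user namespace together with a new IPC namespace, which leaves the child with a full capability set in the owning user namespace, CAP_SYS_RESOURCE included, which is the situation the patch's ns_capable() check targets. The child then reads an IPC sysctl and writes the same value back, so the probe is side-effect free. A kernel without the change answers "denied" (EACCES from the 0644 table mode for a non-root caller), a kernel with it answers "allowed", and "unavailable" means unprivileged user namespaces are disabled, the file does not exist, or fork failed. Probing sem_next_id alongside msgmnb shows whether the next_id tables (CONFIG_CHECKPOINT_RESTORE only) are unlocked as well.

```c
/* Added example for this page: probe whether an unprivileged owner of a fresh
 * user+ipc namespace may write System V IPC sysctls. Not kernel code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case sched.h was first included without _GNU_SOURCE in effect;
 * these are the Linux uapi values of the two flags. */
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC 0x08000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

enum probe_result {
	PROBE_ALLOWED = 0,     /* the write succeeded inside the new ipc namespace */
	PROBE_DENIED = 1,      /* open or write failed with EACCES or EPERM */
	PROBE_UNAVAILABLE = 2, /* no unprivileged userns, file missing, fork failed */
};

static int classify_errno(int err)
{
	return (err == EACCES || err == EPERM) ? PROBE_DENIED : PROBE_UNAVAILABLE;
}

/* Runs in the forked child only, so the caller's namespaces stay untouched. */
static int child_try_rewrite(const char *path)
{
	char buf[64];
	ssize_t n, w;
	int fd, saved;

	/* A fresh user namespace makes this process fully capable in it, and the
	 * ipc namespace created by the same unshare() call is owned by that user
	 * namespace, so ns_capable(ns->user_ns, CAP_SYS_RESOURCE) holds. */
	if (unshare(CLONE_NEWUSER | CLONE_NEWIPC) < 0)
		return PROBE_UNAVAILABLE;

	/* Read the current value (the 0644/0444 table modes allow reads) and write
	 * back exactly that, so nothing changes even on a kernel where the sysctl
	 * is not per-namespace. */
	fd = open(path, O_RDONLY);
	if (fd < 0)
		return PROBE_UNAVAILABLE;
	n = read(fd, buf, sizeof(buf));
	close(fd);
	if (n <= 0)
		return PROBE_UNAVAILABLE;

	fd = open(path, O_WRONLY);
	if (fd < 0)
		return classify_errno(errno);
	w = write(fd, buf, (size_t)n);
	saved = errno;
	close(fd);
	return w == n ? PROBE_ALLOWED : classify_errno(saved);
}

enum probe_result probe_ipc_sysctl_rewrite(const char *path)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return PROBE_UNAVAILABLE;
	if (pid == 0)
		_exit(child_try_rewrite(path));
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return PROBE_UNAVAILABLE;
	return (enum probe_result)WEXITSTATUS(status);
}

const char *probe_name(enum probe_result r)
{
	switch (r) {
	case PROBE_ALLOWED: return "allowed";
	case PROBE_DENIED:  return "denied";
	default:            return "unavailable";
	}
}

int main(void)
{
	/* kernel.msgmnb is the knob the patch names; sem_next_id exists only with
	 * CONFIG_CHECKPOINT_RESTORE and needed CAP_CHECKPOINT_RESTORE before. */
	const char *paths[] = {
		"/proc/sys/kernel/msgmnb",
		"/proc/sys/kernel/sem_next_id",
	};
	size_t i;

	for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
		printf("%-30s %s\n", paths[i],
		       probe_name(probe_ipc_sysctl_rewrite(paths[i])));
	return 0;
}
```

Run it as an ordinary unprivileged user on the host, not as root: root keeps GLOBAL_ROOT_UID after the unshare and passes the owner bits of the 0644 mode anyway, so the result would say nothing about the CAP_SYS_RESOURCE path the patch adds.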