[PATCH 30/43] userns: Fail exec for suid and sgid binaries with ids outside our user namespace.
Serge E. Hallyn
serge at hallyn.com
Wed Apr 18 19:09:27 UTC 2012
Quoting Eric W. Biederman (ebiederm at xmission.com):
> From: Eric W. Biederman <ebiederm at xmission.com>
>

Oh, perhaps this is the right place in the thread to discuss the issue of
what to do with file capabilities? I'm ok waiting until the next iteration
to even discuss it, so long as we start by refusing setting of fcaps by
any task not in init_user_ns.

> Signed-off-by: Eric W. Biederman <ebiederm at xmission.com>
> ---
> fs/exec.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 00ae2ef..e001bdf 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1291,8 +1291,11 @@ int prepare_binprm(struct linux_binprm *bprm)
> if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
> /* Set-uid? */
> if (mode & S_ISUID) {
> + if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid))
> + return -EPERM;
> bprm->per_clear |= PER_CLEAR_ON_SETID;
> bprm->cred->euid = inode->i_uid;
> +
> }
>
> /* Set-gid? */
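
Review bot: the lone `+` blank line added after `bprm->cred->euid = inode->i_uid;` in the set-uid branch is stray whitespace before the closing brace and should be dropped. The new `kuid_has_mapping()` check also carries no comment. This block sits under the `MNT_NOSUID` test, where the set-uid bit is skipped rather than rejected, so a one-line comment saying why an unmapped `inode->i_uid` fails the exec with `-EPERM` instead of being ignored in the same way would help the next reader.
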
> @@ -1302,6 +1305,8 @@ int prepare_binprm(struct linux_binprm *bprm)
> * executable.
> */
> if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
> + if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid))
> + return -EPERM;
> bprm->per_clear |= PER_CLEAR_ON_SETID;
> bprm->cred->egid = inode->i_gid;
> }
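
Review bot: in the set-gid branch the `kgid_has_mapping()` failure returns `-EPERM` after the set-uid branch earlier in `prepare_binprm()` may already have written `bprm->per_clear` and `bprm->cred->euid`. Consider testing both mappings before either assignment, or add a comment stating that the partially updated `bprm` is discarded when the exec fails.
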
> --
> 1.7.2.5
>