From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Serge E. Hallyn" Subject: Re: [PATCH 27/43] userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs Date: Thu, 26 Apr 2012 00:11:01 +0000 Message-ID: <20120426001101.GA10308@mail.hallyn.com> References: <1333862139-31737-27-git-send-email-ebiederm@xmission.com> <20120418190337.GE5186@mail.hallyn.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: "Eric W. Biederman" Cc: Linux Containers , linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Al Viro , Cyrill Gorcunov , Andrew Morton , Linus Torvalds List-Id: containers.vger.kernel.org Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org): > "Serge E. Hallyn" writes: > > > Quoting Eric W. Beiderman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org): > >> From: Eric W. Biederman > >> > >> Signed-off-by: Eric W. Biederman > >> --- > >> fs/attr.c | 8 ++++---- > >> fs/exec.c | 10 +++++----- > >> fs/fcntl.c | 6 +++--- > >> fs/ioprio.c | 4 ++-- > >> fs/locks.c | 2 +- > >> fs/namei.c | 8 ++++---- > >> include/linux/quotaops.h | 4 ++-- > >> 7 files changed, 21 insertions(+), 21 deletions(-) > >> > > >> @@ -2120,7 +2120,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) > >> if (__get_dumpable(cprm.mm_flags) == 2) { > >> /* Setuid core dump mode */ > >> flag = O_EXCL; /* Stop rewrite attacks */ > >> - cred->fsuid = 0; /* Dump root private */ > >> + cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */ > > > > Sorry, one more - can this be the per-ns root uid? The coredumps should > > be ok to belong to privileged users in the namespace right? > > I'm not certain it was clear when you were looking at this that > this is about dumping core from suid applications, not normal > applications. > > Looking at the code in commoncap and commit_creds it looks like it is a > bug that we don't call set_dumpable(new, suid_dumpable) in common cap > when we use file capabilities. I might be wrong but I think we escape We do, check kernel/cred.c:commit_creds(). So long as the new permitted set is not a subset of the old one. Tested it to make absolutely sure. When I add file capabilities to a program that otherwise dumps core (int *x = 0; *x = 0;), core dumps are no longer generated. -serge From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932624Ab2DZAJq (ORCPT ); Wed, 25 Apr 2012 20:09:46 -0400 Received: from 50-56-35-84.static.cloud-ips.com ([50.56.35.84]:51254 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932453Ab2DZAJo (ORCPT ); Wed, 25 Apr 2012 20:09:44 -0400 Date: Thu, 26 Apr 2012 00:11:01 +0000 From: "Serge E. Hallyn" To: "Eric W. Biederman" Cc: "Serge E. Hallyn" , linux-kernel@vger.kernel.org, Linux Containers , Cyrill Gorcunov , linux-security-module@vger.kernel.org, Al Viro , linux-fsdevel@vger.kernel.org, Andrew Morton , Linus Torvalds Subject: Re: [PATCH 27/43] userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs Message-ID: <20120426001101.GA10308@mail.hallyn.com> References: <1333862139-31737-27-git-send-email-ebiederm@xmission.com> <20120418190337.GE5186@mail.hallyn.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.20 (2009-06-14) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Eric W. Biederman (ebiederm@xmission.com): > "Serge E. Hallyn" writes: > > > Quoting Eric W. Beiderman (ebiederm@xmission.com): > >> From: Eric W. Biederman > >> > >> Signed-off-by: Eric W. Biederman > >> --- > >> fs/attr.c | 8 ++++---- > >> fs/exec.c | 10 +++++----- > >> fs/fcntl.c | 6 +++--- > >> fs/ioprio.c | 4 ++-- > >> fs/locks.c | 2 +- > >> fs/namei.c | 8 ++++---- > >> include/linux/quotaops.h | 4 ++-- > >> 7 files changed, 21 insertions(+), 21 deletions(-) > >> > > >> @@ -2120,7 +2120,7 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs) > >> if (__get_dumpable(cprm.mm_flags) == 2) { > >> /* Setuid core dump mode */ > >> flag = O_EXCL; /* Stop rewrite attacks */ > >> - cred->fsuid = 0; /* Dump root private */ > >> + cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */ > > > > Sorry, one more - can this be the per-ns root uid? The coredumps should > > be ok to belong to privileged users in the namespace right? > > I'm not certain it was clear when you were looking at this that > this is about dumping core from suid applications, not normal > applications. > > Looking at the code in commoncap and commit_creds it looks like it is a > bug that we don't call set_dumpable(new, suid_dumpable) in common cap > when we use file capabilities. I might be wrong but I think we escape We do, check kernel/cred.c:commit_creds(). So long as the new permitted set is not a subset of the old one. Tested it to make absolutely sure. When I add file capabilities to a program that otherwise dumps core (int *x = 0; *x = 0;), core dumps are no longer generated. -serge