Date: Sat, 15 Dec 2012 00:47:35 +0000
From: "Serge E. Hallyn"
To: "Eric W. Biederman"
Cc: "Serge E. Hallyn", Linux Containers, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Andy Lutomirski, David Howells
Subject: Re: [PATCH 3/4] userns: Add a more complete capability subset test to commit_creds
Message-ID: <20121215004735.GA14295@mail.hallyn.com>
References: <87txroxpgq.fsf@xmission.com> <87bodwxpcg.fsf@xmission.com> <20121215000338.GC13659@mail.hallyn.com> <87r4msrx6t.fsf@xmission.com>
In-Reply-To: <87r4msrx6t.fsf@xmission.com>

Quoting Eric W. Biederman (ebiederm@xmission.com):
> "Serge E. Hallyn" writes:
>
> > Quoting Eric W. Biederman (ebiederm@xmission.com):
> >>
> >> When unsharing a user namespace we reduce our credentials to just what
> >> can be done in that user namespace. This is a subset of the credentials
> >> we previously had. Teach commit_creds to recognize this is a subset
> >> of the credentials we have had before and don't clear the dumpability flag.
> >>
> >> This allows an unprivileged program to do:
> >> unshare(CLONE_NEWUSER);
> >> fd = open("/proc/self/uid_map", O_RDWR);
> >>
> >> Where previously opening the uid_map writable would fail because
> >> the task had been made non-dumpable.
> >>
> >> Signed-off-by: "Eric W. Biederman"
> >
> > Acked-by: Serge Hallyn
> >
> >> ---
> >> kernel/cred.c | 26 +++++++++++++++++++++++++-
> >> 1 files changed, 25 insertions(+), 1 deletions(-)
> >>
> >> diff --git a/kernel/cred.c b/kernel/cred.c
> >> index 48cea3d..993a7ea41 100644
> >> --- a/kernel/cred.c
> >> +++ b/kernel/cred.c
> >> @@ -455,6 +455,30 @@ error_put:
> >> return ret;
> >> }
> >>
> >
> > Do you think we need to warn that this can only be used for
> > commit_creds? (i.e. if someone tried to use this in some
> > other context, the 'creds are subset of target ns is a child
> > of current_ns' assumption would be wrong)
>
> This function should be a general test valid at any time.
>
> Except that I forgot the bit of the test that asks is the original cred
> the owner of the subset user namespace.

Ok, with that change that'll be fine :)

> I will respin this patch.

Cool, thanks.
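The subset rule the thread converges on, as an added user-space model written for this note (not the kernel's cred.c code; the struct fields and function names are assumptions): new credentials count as a subset of the old ones when they stay in the same user namespace without gaining capabilities, or when they sit in a user namespace whose parent is the old namespace and whose owner is the old euid, the owner check Eric says the first version forgot. Going beyond the thread, the walk also accepts a namespace nested several levels below the old one, as after repeated unshares.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed user-space stand-ins for the kernel objects discussed;
 * field names are assumptions, not the real struct layouts. */
struct user_ns {
    struct user_ns *parent;  /* NULL for the initial user namespace */
    uint32_t owner;          /* euid (in the parent's terms) that created it */
};

struct cred {
    struct user_ns *user_ns;
    uint32_t euid;
    uint64_t cap_permitted;  /* capability bitmask */
};

static bool cap_issubset(uint64_t a, uint64_t b)
{
    return (a & ~b) == 0;    /* every bit of a is also set in b */
}

/* Is `sub` a reduction of `set`?  Same namespace: capabilities must not
 * have grown.  Otherwise walk up from sub's namespace looking for one
 * whose parent is set's namespace AND whose owner is set's euid; the
 * owner half is what Eric says the first version of the test forgot. */
bool cred_is_subset(const struct cred *set, const struct cred *sub)
{
    const struct user_ns *ns;

    if (set->user_ns == sub->user_ns)
        return cap_issubset(sub->cap_permitted, set->cap_permitted);

    for (ns = sub->user_ns; ns->parent != NULL; ns = ns->parent)
        if (ns->parent == set->user_ns && ns->owner == set->euid)
            return true;
    return false;
}

/* The commit_creds decision the patch changes: keep the dumpable flag
 * only when the new creds are a subset of the old ones. */
bool commit_keeps_dumpable(const struct cred *old_cred, const struct cred *new_cred)
{
    return cred_is_subset(old_cred, new_cred);
}
```

With this rule an unprivileged task that does unshare(CLONE_NEWUSER) stays dumpable (its child namespace is owned by its own euid), while credentials from a sibling namespace owned by another uid, or the reverse direction back into the parent, do not pass.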