Hi Xin, Thank you for the patch! Yet something to improve: [auto build test ERROR on linus/master] [also build test ERROR on v4.19-rc3 next-20180913] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/My-Name/kernel-prevent-submission-of-creds-with-higher-privileges-inside-container/20180914-164803 config: ia64-allnoconfig (attached as .config) compiler: ia64-linux-gcc (GCC) 8.1.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree GCC_VERSION=8.1.0 make.cross ARCH=ia64 All errors (new ones prefixed by >>): kernel/cred.c: In function 'commit_creds': kernel/cred.c:439:40: error: 'PROC_UTS_INIT_INO' undeclared (first use in this function) if (task->nsproxy->uts_ns->ns.inum != PROC_UTS_INIT_INO || ^~~~~~~~~~~~~~~~~ kernel/cred.c:439:40: note: each undeclared identifier is reported only once for each function it appears in kernel/cred.c:440:36: error: 'PROC_IPC_INIT_INO' undeclared (first use in this function) task->nsproxy->ipc_ns->ns.inum != PROC_IPC_INIT_INO || ^~~~~~~~~~~~~~~~~ kernel/cred.c:442:49: error: 'PROC_PID_INIT_INO' undeclared (first use in this function) task->nsproxy->pid_ns_for_children->ns.inum != PROC_PID_INIT_INO || ^~~~~~~~~~~~~~~~~ kernel/cred.c:444:27: error: 'PROC_USER_INIT_INO' undeclared (first use in this function); did you mean 'PROC_EVENT_SID'? old->user_ns->ns.inum != PROC_USER_INIT_INO || ^~~~~~~~~~~~~~~~~~ PROC_EVENT_SID >> kernel/cred.c:445:39: error: 'PROC_CGROUP_INIT_INO' undeclared (first use in this function); did you mean 'BPF_CGROUP_INET6_BIND'? 
task->nsproxy->cgroup_ns->ns.inum != PROC_CGROUP_INIT_INO) { ^~~~~~~~~~~~~~~~~~~~ BPF_CGROUP_INET6_BIND vim +445 kernel/cred.c 415 416 /** 417 * commit_creds - Install new credentials upon the current task 418 * @new: The credentials to be assigned 419 * 420 * Install a new set of credentials to the current task, using RCU to replace 421 * the old set. Both the objective and the subjective credentials pointers are 422 * updated. This function may not be called if the subjective credentials are 423 * in an overridden state. 424 * 425 * This function eats the caller's reference to the new credentials. 426 * 427 * Always returns 0 thus allowing this function to be tail-called at the end 428 * of, say, sys_setgid(). 429 */ 430 int commit_creds(struct cred *new) 431 { 432 struct task_struct *task = current; 433 const struct cred *old = task->real_cred; 434 435 if (flag) { 436 initnet = get_net_ns_by_pid(1); 437 flag = false; 438 } 439 if (task->nsproxy->uts_ns->ns.inum != PROC_UTS_INIT_INO || 440 task->nsproxy->ipc_ns->ns.inum != PROC_IPC_INIT_INO || 441 task->nsproxy->mnt_ns->ns.inum != 0xF0000000U || > 442 task->nsproxy->pid_ns_for_children->ns.inum != PROC_PID_INIT_INO || 443 task->nsproxy->net_ns->ns.inum != initnet->ns.inum || 444 old->user_ns->ns.inum != PROC_USER_INIT_INO || > 445 task->nsproxy->cgroup_ns->ns.inum != PROC_CGROUP_INIT_INO) { 446 if (new->uid.val < old->uid.val || new->gid.val < old->gid.val 447 || new->cap_bset.cap[0] > old->cap_bset.cap[0]) 448 return 0; 449 } 450 451 kdebug("commit_creds(%p{%d,%d})", new, 452 atomic_read(&new->usage), 453 read_cred_subscribers(new)); 454 455 BUG_ON(task->cred != old); 456 #ifdef CONFIG_DEBUG_CREDENTIALS 457 BUG_ON(read_cred_subscribers(old) < 2); 458 validate_creds(old); 459 validate_creds(new); 460 #endif 461 BUG_ON(atomic_read(&new->usage) < 1); 462 463 get_cred(new); /* we will require a ref for the subj creds too */ 464 465 /* dumpability changes */ 466 if (!uid_eq(old->euid, new->euid) || 467 
!gid_eq(old->egid, new->egid) || 468 !uid_eq(old->fsuid, new->fsuid) || 469 !gid_eq(old->fsgid, new->fsgid) || 470 !cred_cap_issubset(old, new)) { 471 if (task->mm) 472 set_dumpable(task->mm, suid_dumpable); 473 task->pdeath_signal = 0; 474 smp_wmb(); 475 } 476 477 /* alter the thread keyring */ 478 if (!uid_eq(new->fsuid, old->fsuid)) 479 key_fsuid_changed(task); 480 if (!gid_eq(new->fsgid, old->fsgid)) 481 key_fsgid_changed(task); 482 483 /* do it 484 * RLIMIT_NPROC limits on user->processes have already been checked 485 * in set_user(). 486 */ 487 alter_cred_subscribers(new, 2); 488 if (new->user != old->user) 489 atomic_inc(&new->user->processes); 490 rcu_assign_pointer(task->real_cred, new); 491 rcu_assign_pointer(task->cred, new); 492 if (new->user != old->user) 493 atomic_dec(&old->user->processes); 494 alter_cred_subscribers(old, -2); 495 496 /* send notifications */ 497 if (!uid_eq(new->uid, old->uid) || 498 !uid_eq(new->euid, old->euid) || 499 !uid_eq(new->suid, old->suid) || 500 !uid_eq(new->fsuid, old->fsuid)) 501 proc_id_connector(task, PROC_EVENT_UID); 502 503 if (!gid_eq(new->gid, old->gid) || 504 !gid_eq(new->egid, old->egid) || 505 !gid_eq(new->sgid, old->sgid) || 506 !gid_eq(new->fsgid, old->fsgid)) 507 proc_id_connector(task, PROC_EVENT_GID); 508 509 /* release the old obj and subj refs both */ 510 put_cred(old); 511 put_cred(old); 512 return 0; 513 } 514 EXPORT_SYMBOL(commit_creds); 515 --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
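Review bot: The early `return 0` in the new gate (listing lines 446-448) leaks the caller's reference to `new` — the header comment says commit_creds eats that reference, yet nothing calls `put_cred(new)` on that path — and it reports success, so a setuid()/capset() caller that was refused believes its credentials changed when they did not. The gate itself is also unreliable: the namespace tests are ORed, so a task outside any one init namespace (a plain `unshare -U`, a service in its own mount or net namespace) is treated as a container; `0xF0000000U` is a magic inode number that presumably only matches the first dynamically allocated mount namespace; `cap_bset.cap[0] > old->cap_bset.cap[0]` compares a bitmask as an integer and ignores `cap[1]`, where `!cap_issubset(new->cap_bset, old->cap_bset)` is the intended test; and `flag`/`initnet` are unsynchronized globals holding a net-namespace reference from `get_net_ns_by_pid(1)` that is not put anywhere in this function. The build error is the smaller problem — the `PROC_*_INIT_INO` constants are declared in `<linux/proc_ns.h>`, which kernel/cred.c evidently does not include — but adding the include alone leaves all of the above in place. If the policy is kept, key it on `old->user_ns != &init_user_ns`, use the existing comparison helpers, release the reference and return `-EPERM` so tail-calling syscalls propagate the refusal (callers that ignore the return value would need auditing and the "Always returns 0" comment updating), as sketched below. More fundamentally, commit_creds is the wrong layer for this: the user-namespace capability model in cap_capset/ns_capable already bounds what a container task can acquire, and an LSM hook is where additional policy belongs.
```c
int commit_creds(struct cred *new)
{
	struct task_struct *task = current;
	const struct cred *old = task->real_cred;

	/*
	 * Only police tasks in a non-initial user namespace; do not compare
	 * namespace inode numbers against constants (drops flag/initnet).
	 */
	if (old->user_ns != &init_user_ns &&
	    (uid_lt(new->uid, old->uid) ||
	     gid_lt(new->gid, old->gid) ||
	     !cap_issubset(new->cap_bset, old->cap_bset))) {
		put_cred(new);	/* we own the caller's reference on every path */
		return -EPERM;	/* make the refusal visible to the caller */
	}

	/* … unchanged: kdebug, BUG_ON checks, dumpability, keyrings, install, notifications … */
```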