Subject: Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces
From: Kirill Tkhai
To: "Eric W. Biederman", Linux Containers
Date: Tue, 2 May 2017 13:03:04 +0300
X-Mailing-List: linux-kernel@vger.kernel.org

On 29.04.2017 22:25, Eric W. 
Biederman wrote: > > It is pointless and confusing to allow a pid namespace hierarchy and > the user namespace hierarchy to get out of sync. The owner of a child > pid namespace should be the owner of the parent pid namespace or > a descendant of the owner of the parent pid namespace. > > Otherwise it is possible to construct scenarios where it is legal to > do something in a parent pid namespace but in a child pid namespace. > > It requires use of setns into a pid namespace (but not into a user > namespace) to create such a scenario. > > Add the function in_userns to help in making this determination. > > Signed-off-by: "Eric W. Biederman" > --- > > While review a patch from Kiril Tkhai I realized we were missing this > sanity check.... > > include/linux/user_namespace.h | 8 +++++++- > kernel/pid_namespace.c | 4 ++++ > kernel/user_namespace.c | 18 ++++++++++++------ > 3 files changed, 23 insertions(+), 7 deletions(-) > > diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h > index 32354b4b4b2b..497ed50004db 100644 > --- a/include/linux/user_namespace.h > +++ b/include/linux/user_namespace.h > @@ -112,8 +112,9 @@ extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, > extern ssize_t proc_setgroups_write(struct file *, const char __user *, size_t, loff_t *); > extern int proc_setgroups_show(struct seq_file *m, void *v); > extern bool userns_may_setgroups(const struct user_namespace *ns); > +extern bool in_userns(const struct user_namespace *ancestor, > + const struct user_namespace *child); > extern bool current_in_userns(const struct user_namespace *target_ns); > - > struct ns_common *ns_get_owner(struct ns_common *ns); > #else 
> > @@ -144,6 +145,11 @@ static inline bool userns_may_setgroups(const struct user_namespace *ns) > return true; > } > > +static inline bool in_userns(const struct user_namespace *target_ns) > +{ > + return true; > +} > + > static inline bool current_in_userns(const struct user_namespace *target_ns) > { > return true; > diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c > index de461aa0bf9a..749147f5a613 100644 > --- a/kernel/pid_namespace.c > +++ b/kernel/pid_namespace.c > @@ -101,6 +101,10 @@ static struct pid_namespace *create_pid_namespace(struct user_namespace *user_ns > int i; > int err; > > + err = -EINVAL; > + if (!in_userns(parent_pid_ns->user_ns, user_ns)) > + goto out; > + > err = -ENOSPC; > if (level > MAX_PID_NS_LEVEL) > goto out; > diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c > index 2f735cbe05e8..7d8658fbabc8 100644 > --- a/kernel/user_namespace.c > +++ b/kernel/user_namespace.c 
> @@ -986,19 +986,25 @@ bool userns_may_setgroups(const struct user_namespace *ns) > } > > /* > - * Returns true if @ns is the same namespace as or a descendant of > - * @target_ns. > + * Returns true if @child is the same namespace or a descendant of > + * @ancestor. > */ > -bool current_in_userns(const struct user_namespace *target_ns) > +bool in_userns(const struct user_namespace *ancestor, > + const struct user_namespace *child) > { > - struct user_namespace *ns; > - for (ns = current_user_ns(); ns; ns = ns->parent) { > - if (ns == target_ns) > + const struct user_namespace *ns; > + for (ns = child; ns; ns = ns->parent) { > + if (ns == ancestor) > return true; > } > return false; > }

We have user_namespace::level, so it's possible to stop iterations earlier and save some cpu cycles:

	for (ns = child; ns->level > ancestor->level; ns = ns->parent)
		;
	return (ns == ancestor);

> > +bool current_in_userns(const struct user_namespace *target_ns) > +{ > + return in_userns(target_ns, current_user_ns()); > +} > + > static inline struct user_namespace *to_user_ns(struct ns_common *ns) > { > return container_of(ns, struct user_namespace, ns); >
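
Review bot: The first include/linux/user_namespace.h hunk deletes the blank line between the current_in_userns() declaration and struct ns_common *ns_get_owner(struct ns_common *ns), which is unrelated to adding in_userns(). I would keep that line so the hunk carries only the new declaration.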
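
Review bot: The static inline stub added in the second include/linux/user_namespace.h hunk takes a single argument, in_userns(const struct user_namespace *target_ns), while the extern declaration in the first hunk and the new caller in kernel/pid_namespace.c, in_userns(parent_pid_ns->user_ns, user_ns), use two. A build that picks up the stub will not compile; the stub should take (const struct user_namespace *ancestor, const struct user_namespace *child) like the real function.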
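
Review bot: The new -EINVAL exit at the top of create_pid_namespace() has no comment, so the reason for requiring in_userns(parent_pid_ns->user_ns, user_ns) lives only in the commit message. A one-line comment above the check saying that the owning user namespace must be the parent pid namespace's owner or a descendant of it would keep the rule next to the code that enforces it.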
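
An added illustration, written for this page and not taken from the kernel or from either poster: a userspace model of the two ancestry walks discussed in this thread, plus the owner check from the create_pid_namespace() hunk. The struct keeps only parent and level (assumed to be 0 for the initial namespace and parent + 1 below it), pidns_owner_check() is a hypothetical name, and the four namespaces are constructed sample data. The level-bounded walk uses a strict comparison so it stops on the namespace at the ancestor's level.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model: only the two fields the ancestry walk needs. */
struct user_namespace {
	struct user_namespace *parent;	/* NULL for the initial namespace */
	int level;			/* assumed: 0 for initial, parent + 1 below */
};

/* Constructed hierarchy: init -> a -> b, and init -> c (sibling of a). */
static struct user_namespace init_ns = { NULL, 0 };
static struct user_namespace ns_a = { &init_ns, 1 }, ns_c = { &init_ns, 1 };
static struct user_namespace ns_b = { &ns_a, 2 };

/* Walk as in the patch: follow ->parent all the way to NULL. */
bool in_userns_walk(const struct user_namespace *ancestor,
		    const struct user_namespace *child)
{
	for (const struct user_namespace *ns = child; ns; ns = ns->parent)
		if (ns == ancestor)
			return true;
	return false;
}

/* Level-bounded walk: climb only while strictly deeper than @ancestor. */
bool in_userns_level(const struct user_namespace *ancestor,
		     const struct user_namespace *child)
{
	const struct user_namespace *ns;

	for (ns = child; ns->level > ancestor->level; ns = ns->parent)
		;
	return ns == ancestor;
}

/* Model of the new check: 0 if the owner is acceptable, else -EINVAL. */
int pidns_owner_check(const struct user_namespace *parent_owner,
		      const struct user_namespace *new_owner)
{
	return in_userns_level(parent_owner, new_owner) ? 0 : -EINVAL;
}

int main(void)
{
	/* A sibling owner is rejected, a descendant owner is accepted. */
	return (pidns_owner_check(&ns_a, &ns_c) == -EINVAL &&
		pidns_owner_check(&ns_a, &ns_b) == 0) ? 0 : 1;
}
```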