|
|
@@ -106,6 +106,7 @@ int create_user_ns(struct cred *new)
|
|
|
if (!ns)
|
|
|
goto fail_dec;
|
|
|
|
|
|
+ ns->parent_could_setfcap = cap_raised(new->cap_effective, CAP_SETFCAP);
|
|
|
ret = ns_alloc_inum(&ns->ns);
|
|
|
if (ret)
|
|
|
goto fail_free;
|
|
|
@@ -841,6 +842,60 @@ static int sort_idmaps(struct uid_gid_map *map)
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
+/**
|
|
|
+ * verify_root_map() - check the uid 0 mapping
|
|
|
+ * @file: idmapping file
|
|
|
+ * @map_ns: user namespace of the target process
|
|
|
+ * @new_map: requested idmap
|
|
|
+ *
|
|
|
+ * If a process requests mapping parent uid 0 into the new ns, verify that the
|
|
|
+ * process writing the map had the CAP_SETFCAP capability as the target process
|
|
|
+ * will be able to write fscaps that are valid in ancestor user namespaces.
|
|
|
+ *
|
|
|
+ * Return: true if the mapping is allowed, false if not.
|
|
|
+ */
|
|
|
+static bool verify_root_map(const struct file *file,
|
|
|
+ struct user_namespace *map_ns,
|
|
|
+ struct uid_gid_map *new_map)
|
|
|
+{
|
|
|
+ int idx;
|
|
|
+ const struct user_namespace *file_ns = file->f_cred->user_ns;
|
|
|
+ struct uid_gid_extent *extent0 = NULL;
|
|
|
+
|
|
|
+ for (idx = 0; idx < new_map->nr_extents; idx++) {
|
|
|
+ if (new_map->nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS)
|
|
|
+ extent0 = &new_map->extent[idx];
|
|
|
+ else
|
|
|
+ extent0 = &new_map->forward[idx];
|
|
|
+ if (extent0->lower_first == 0)
|
|
|
+ break;
|
|
|
+
|
|
|
+ extent0 = NULL;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!extent0)
|
|
|
+ return true;
|
|
|
+
|
|
|
+ if (map_ns == file_ns) {
|
|
|
+ /* The process unshared its ns and is writing to its own
|
|
|
+ * /proc/self/uid_map. User already has full capabilites in
|
|
|
+ * the new namespace. Verify that the parent had CAP_SETFCAP
|
|
|
+ * when it unshared.
|
|
|
+ * */
|
|
|
+ if (!file_ns->parent_could_setfcap)
|
|
|
+ return false;
|
|
|
+ } else {
|
|
|
+ /* Process p1 is writing to uid_map of p2, who is in a child
|
|
|
+ * user namespace to p1's. Verify that the opener of the map
|
|
|
+ * file has CAP_SETFCAP against the parent of the new map
|
|
|
+ * namespace */
|
|
|
+ if (!file_ns_capable(file, map_ns->parent, CAP_SETFCAP))
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
+ return true;
|
|
|
+}
|
|
|
+
|
|
|
static ssize_t map_write(struct file *file, const char __user *buf,
|
|
|
size_t count, loff_t *ppos,
|
|
|
int cap_setid,
|
|
|
@@ -848,7 +903,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
|
|
|
struct uid_gid_map *parent_map)
|
|
|
{
|
|
|
struct seq_file *seq = file->private_data;
|
|
|
- struct user_namespace *ns = seq->private;
|
|
|
+ struct user_namespace *map_ns = seq->private;
|
|
|
struct uid_gid_map new_map;
|
|
|
unsigned idx;
|
|
|
struct uid_gid_extent extent;
|
|
|
@@ -895,7 +950,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
|
|
|
/*
|
|
|
* Adjusting namespace settings requires capabilities on the target.
|
|
|
*/
|
|
|
- if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
|
|
|
+ if (cap_valid(cap_setid) && !file_ns_capable(file, map_ns, CAP_SYS_ADMIN))
|
|
|
goto out;
|
|
|
|
|
|
/* Parse the user data */
|
|
|
@@ -965,7 +1020,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
|
|
|
|
|
|
ret = -EPERM;
|
|
|
/* Validate the user is allowed to use user id's mapped to. */
|
|
|
- if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
|
|
|
+ if (!new_idmap_permitted(file, map_ns, cap_setid, &new_map))
|
|
|
goto out;
|
|
|
|
|
|
ret = -EPERM;
|
|
|
@@ -1086,6 +1141,10 @@ static bool new_idmap_permitted(const struct file *file,
|
|
|
struct uid_gid_map *new_map)
|
|
|
{
|
|
|
const struct cred *cred = file->f_cred;
|
|
|
+
|
|
|
+ if (cap_setid == CAP_SETUID && !verify_root_map(file, ns, new_map))
|
|
|
+ return false;
|
|
|
+
|
|
|
/* Don't allow mappings that would allow anything that wouldn't
|
|
|
* be allowed without the establishment of unprivileged mappings.
|
|
|
*/
|
Greg Kroah-Hartman