userns: limit the maximum depth of user_namespace->parent chain
Ensure that the user_namespace->parent chain can't grow too deep. Currently we use the hardcoded 32 as the limit. Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		 Oleg Nesterov
					committed by
						 Linus Torvalds
			 Linus Torvalds
						parent
							55f5bfd4c9
					commit
					8742f229b6
			| @@ -23,6 +23,7 @@ struct user_namespace { | |||||||
| 	struct uid_gid_map	projid_map; | 	struct uid_gid_map	projid_map; | ||||||
| 	atomic_t		count; | 	atomic_t		count; | ||||||
| 	struct user_namespace	*parent; | 	struct user_namespace	*parent; | ||||||
|  | 	int			level; | ||||||
| 	kuid_t			owner; | 	kuid_t			owner; | ||||||
| 	kgid_t			group; | 	kgid_t			group; | ||||||
| 	unsigned int		proc_inum; | 	unsigned int		proc_inum; | ||||||
|   | |||||||
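Review bot: The new `level` field in struct user_namespace has no comment saying what it counts or what the root's value is, and nothing in this diff initialises it for init_user_ns, so a reader has to find the `ns->level = parent_ns->level + 1` in create_user_ns to work it out. Add a short comment on the field, e.g. `int level; /* nesting depth: number of parents below init_user_ns */`, and note the root's value there. If init_user_ns relies on its static initializer leaving `level` at zero (not visible in this diff), saying so explicitly would stop the next reordering of the struct from silently changing the depth limit.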
| @@ -62,6 +62,9 @@ int create_user_ns(struct cred *new) | |||||||
| 	kgid_t group = new->egid; | 	kgid_t group = new->egid; | ||||||
| 	int ret; | 	int ret; | ||||||
|  |  | ||||||
|  | 	if (parent_ns->level > 32) | ||||||
|  | 		return -EUSERS; | ||||||
|  |  | ||||||
| 	/* | 	/* | ||||||
| 	 * Verify that we can not violate the policy of which files | 	 * Verify that we can not violate the policy of which files | ||||||
| 	 * may be accessed that is specified by the root directory, | 	 * may be accessed that is specified by the root directory, | ||||||
| @@ -92,6 +95,7 @@ int create_user_ns(struct cred *new) | |||||||
| 	atomic_set(&ns->count, 1); | 	atomic_set(&ns->count, 1); | ||||||
| 	/* Leave the new->user_ns reference with the new user namespace. */ | 	/* Leave the new->user_ns reference with the new user namespace. */ | ||||||
| 	ns->parent = parent_ns; | 	ns->parent = parent_ns; | ||||||
|  | 	ns->level = parent_ns->level + 1; | ||||||
| 	ns->owner = owner; | 	ns->owner = owner; | ||||||
| 	ns->group = group; | 	ns->group = group; | ||||||
|  |  | ||||||
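Review bot: The bound in the added check at the top of create_user_ns is a bare literal, `if (parent_ns->level > 32)`, and because it is compared against the parent's level the deepest namespace that can be created is level 33 (a parent at level 32 passes, its child is refused), so it is not obvious whether 32 or 33 nested namespaces is the intended maximum. Name the constant next to the `level` field and make the inclusive semantics explicit, e.g. `#define USER_NS_MAX_LEVEL 32` and `if (parent_ns->level > USER_NS_MAX_LEVEL) return -EUSERS;`, with a one-line comment saying why the depth is capped; the commit message does not say, but presumably it is to bound the work done by code that walks the parent chain and the cost of tearing a deep chain down. Placing the check before the root-directory policy checks is fine since it needs no references or allocations, but note that `create_user_ns` and the `parent_ns` it reads begin above the hunk, and the variable's declaration is not visible here.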
|   | |||||||