From: ebiederm@xmission•com (Eric W. Biederman)
To: Serge Hallyn <serge@hallyn•com>
Cc: linux-kernel@vger•kernel.org, akpm@linux-foundation•org,
oleg@redhat•com, richard@nod•at, mikevs@xs4all•net,
segoon@openwall•com, gregkh@suse•de, dhowells@redhat•com,
eparis@redhat•com, "Serge E. Hallyn" <serge.hallyn@canonical•com>,
netdev@vger•kernel.org
Subject: Re: [PATCH 9/9] make net/core/scm.c uid comparisons user namespace aware
Date: Wed, 19 Oct 2011 06:52:28 -0700
Message-ID: <m1sjmpytpf.fsf@fess.ebiederm.org>
In-Reply-To: <1318974898-21431-10-git-send-email-serge@hallyn.com> (Serge Hallyn's message of "Tue, 18 Oct 2011 21:54:58 +0000")
Serge Hallyn <serge@hallyn•com> writes:
> From: "Serge E. Hallyn" <serge.hallyn@canonical•com>
>
> Currently uids are compared without regard for the user namespace.
> Fix that to prevent tasks in a different user namespace from
> wrongly matching on SCM_CREDENTIALS.
>
> In the past, either your uids had to match, or you had to have
> CAP_SETXID. In a namespaced world, you must either (both be in the
> same user namespace and have your uids match), or you must have
> CAP_SETXID targeted at the other user namespace. The latter can
> happen for instance if uid 500 created a new user namespace and
> now interacts with uid 0 in it.
Serge, this approach is wrong.
Because we pass the cred and the pid through the socket, the socket itself
is just a conduit and should be ignored in this context.
The only interesting test should be: are you allowed to impersonate other
users in your current user namespace?
So it should be possible to simplify the entire patch to just:
static __inline__ int scm_check_creds(struct ucred *creds)
{
const struct cred *cred = current_cred();
+ struct user_namespace *ns = cred->user_ns;
- if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) &&
- ((creds->uid == cred->uid || creds->uid == cred->euid ||
- creds->uid == cred->suid) || capable(CAP_SETUID)) &&
- ((creds->gid == cred->gid || creds->gid == cred->egid ||
- creds->gid == cred->sgid) || capable(CAP_SETGID))) {
+ if ((creds->pid == task_tgid_vnr(current) || ns_capable(ns, CAP_SYS_ADMIN)) &&
+ ((creds->uid == cred->uid || creds->uid == cred->euid ||
+ creds->uid == cred->suid) || ns_capable(ns, CAP_SETUID)) &&
+ ((creds->gid == cred->gid || creds->gid == cred->egid ||
+ creds->gid == cred->sgid) || ns_capable(ns, CAP_SETGID))) {
return 0;
}
return -EPERM;
}
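Review bot: the three ns_capable() calls in the replacement `if` test the capability against `ns = cred->user_ns`, i.e. the sender's own user namespace, so a task that is uid 0 inside an unprivileged user namespace now satisfies the CAP_SETUID and CAP_SETGID branches and can pass any raw `creds->uid` / `creds->gid` value, whereas the removed `capable()` calls required the capability in the initial namespace. That relaxation is the stated intent (the socket is only a conduit), but nothing in the hunk records that the asserted values are meaningful only relative to the sender's namespace and that any translation is the receiving side's job; suggest a one-line comment above the `if` saying so, so that a later reader does not take `ns_capable(ns, CAP_SETUID)` for a drop-in equivalent of `capable(CAP_SETUID)`. The fragment also lacks a `@@` hunk header and file name, which is fine for illustrating the idea but means it cannot be applied as posted.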