On Fri, Feb 18, 2022 at 1:11 AM Michal Koutný <mkoutny@xxxxxxxx> wrote: > > The idea is to check: a) the owning user_ns of cgroup_ns, b) > capabilities in init_user_ns. > > The commit 24f600856418 ("cgroup-v1: Require capabilities to set > release_agent") got this wrong in the write handler of release_agent > since it checked user_ns of the opener (may be different from the owning > user_ns of cgroup_ns). > Secondly, to avoid possibly confused deputy, the capability of the > opener must be checked. > > Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent") > Cc: stable@xxxxxxxxxxxxxxx > Link: https://lore.kernel.org/stable/20220216121142.GB30035@xxxxxxxxxxxxxxxxx/ > Signed-off-by: Michal Koutný <mkoutny@xxxxxxxx> > --- > kernel/cgroup/cgroup-v1.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c > index 0e877dbcfeea..afc6c0e9c966 100644 > --- a/kernel/cgroup/cgroup-v1.c > +++ b/kernel/cgroup/cgroup-v1.c > @@ -546,6 +546,7 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of, > char *buf, size_t nbytes, loff_t off) > { > struct cgroup *cgrp; > + struct cgroup_file_ctx *ctx; > > BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); > > @@ -553,8 +554,9 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of, > * Release agent gets called with all capabilities, > * require capabilities to set release agent. > */ > - if ((of->file->f_cred->user_ns != &init_user_ns) || > - !capable(CAP_SYS_ADMIN)) > + ctx = of->priv; > + if ((ctx->ns->user_ns != &init_user_ns) || > + !file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN)) > return -EPERM; > > cgrp = cgroup_kn_lock_live(of->kn, false); > -- > 2.34.1 Thank you. Looks good to me. Reviewed-by: Masami Ichikawa(CIP) <masami.ichikawa@xxxxxxxxxxxxxxxx>