On Fri, 2011-11-04 at 22:24 +0000, Serge Hallyn wrote:
> From: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx>
>
> cap_netlink_recv() was granting privilege if a capability is in
> current_cap(), regardless of the user namespace. Fix that by
> targeting the capability check against the user namespace which
> owns the skb.
>
> Caller passes the user ns down because sock_net is static inline defined in
> net/sock.h, which we'd rather not #include at the cap_netlink_recv function.
This is wrong at least in relation to audit. I don't know the other
code well enough to know if I think it's ok there. Lets say I have
(CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID) and I create a new task with
CLONE_NEWNAME. This task then immediately does the needful to remove
all audit rules (which supposedly requires CAP_AUDIT_CONTROL). That's
going to succeed because the task is init in it's namespace, aka:
/* The creator of the user namespace has all caps. */
if (targ_ns != &init_user_ns && targ_ns->creator == cred->user)
return 0;
But it just screwed with a global resource. aka audit. I don't know
the meaning of these others, but it seems to me probably most or all of
them should be against the init_user_ns, not the namespace the skb came
from....
What am I missing?
-Eric
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
