David Howells <dhowells@xxxxxxxxxx> writes:

> Jann Horn <jann@xxxxxxxxx> wrote:
>
>> find_keyring_by_name() checks that the UID of the keyring's owner is mapped into
>> the current user namespace. But that doesn't catch the scenario I described:
>> The keyring is created in an attacker-created namespace and looked up from the
>> init namespace, into which all kuids are mapped.
>
> Ah - gotcha.

Unless I am misreading something, it actually gets worse. You don't even need a user namespace. You can just call keyctl_join_session_keyring and the named keyring of your choice will be created.

Plus there are various really weird things in there where the keyring names of _tid, _pid, _ses get reused over and over again.

So it looks like there are some significant things to fix.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers