On Mon, Jan 30, 2012 at 8:17 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> They are normally disallowed because they could be used to subvert
> setuid programs. But if setuid is disabled, then they are safe.
>
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> ---
> kernel/nsproxy.c | 8 +++++++-
> 1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> index b576f7f..47cf873 100644
> --- a/kernel/nsproxy.c
> +++ b/kernel/nsproxy.c
> @@ -191,7 +191,13 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
> CLONE_NEWNET)))
> return 0;
>
> - if (!capable(CAP_SYS_ADMIN))
> + /* We require either no_new_privs or CAP_SYS_ADMIN for all modes */
> + if (!current->no_new_privs && !capable(CAP_SYS_ADMIN))
> + return -EPERM;
> +
> + /* NEWNS and NEWNET always require CAP_SYS_ADMIN. */
> + if ((unshare_flags & (CLONE_NEWNS | CLONE_NEWNET)) &&
> + !capable(CAP_SYS_ADMIN))
> return -EPERM;
>
> *new_nsp = create_new_namespaces(unshare_flags, current,
While I think it's unlikely that the list handled by
unshare_nsproxy_namespaces() is going to change, I'd still prefer that
the logic of this test be reversed so that the nnp-allowed flags are
listed instead of the CAP_SYS_ADMIN-required ones so that it will
default to disallowing new flags. It's a little less readable, but
maybe something like this (untested):
unsigned long handled_mask = (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC |
CLONE_NEWNET);
unsigned long npp_mask = (CLONE_NEWUTS | CLONE_NEWIPC);
if (!(unshare_flags & handled_mask))
return 0;
if ( !(current->no_new_privs &&
!(unshare_flags & (handled_mask ^ npp_mask))) &&
!capable(CAP_SYS_ADMIN))
return -EPERM;
...
This also has the side-effect of removing the double-check of
capable() in some cases.
-Kees
--
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
