Patch "capabilities: Don't allow writing ambiguous v3 file capabilities" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    capabilities: Don't allow writing ambiguous v3 file capabilities

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     capabilities-don-t-allow-writing-ambiguous-v3-file-c.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feel it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1a140830157b4e80fa362267862cc1beee888bed
Author: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
Date:   Thu Dec 17 09:42:00 2020 -0600

    capabilities: Don't allow writing ambiguous v3 file capabilities
    
    [ Upstream commit 95ebabde382c371572297915b104e55403674e73 ]
    
    The v3 file capabilities have a uid field that records the filesystem
    uid of the root user of the user namespace the file capabilities are
    valid in.
    
    When someone is silly enough to have the same underlying uid as the
    root uid of multiple nested containers a v3 filesystem capability can
    be ambiguous.
    
    In the spirit of don't do that then, forbid writing a v3 filesystem
    capability if it is ambiguous.
    
    Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
    Reviewed-by: Andrew G. Morgan <morgan@xxxxxxxxxx>
    Reviewed-by: Serge Hallyn <serge@xxxxxxxxxx>
    Signed-off-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/security/commoncap.c b/security/commoncap.c
index 28a6939bcc4e5..ed89a6dd4f83d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -500,7 +500,8 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
 	__u32 magic, nsmagic;
 	struct inode *inode = d_backing_inode(dentry);
 	struct user_namespace *task_ns = current_user_ns(),
-		*fs_ns = inode->i_sb->s_user_ns;
+		*fs_ns = inode->i_sb->s_user_ns,
+		*ancestor;
 	kuid_t rootid;
 	size_t newsize;
 
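Review bot: the new `*ancestor` pointer is appended to an already three-part declaration chain (`*task_ns`, `*fs_ns`, `*ancestor`) that mixes initialised and uninitialised pointers in one statement, which makes the initialisers harder to read and makes future one-line changes to this declaration noisy in diffs. Since `ancestor` is only assigned inside the loop that uses it in the next hunk, a separate `struct user_namespace *ancestor;` line (or declaring it in the `for` header) would keep the `task_ns`/`fs_ns` initialisers intact and the diff limited to a single added line.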
@@ -523,6 +524,15 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
 	if (nsrootid == -1)
 		return -EINVAL;
 
+	/*
+	 * Do not allow allow adding a v3 filesystem capability xattr
+	 * if the rootid field is ambiguous.
+	 */
+	for (ancestor = task_ns->parent; ancestor; ancestor = ancestor->parent) {
+		if (from_kuid(ancestor, rootid) == 0)
+			return -EINVAL;
+	}
+
 	newsize = sizeof(struct vfs_ns_cap_data);
 	nscap = kmalloc(newsize, GFP_ATOMIC);
 	if (!nscap)
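Review bot: the comment above the new loop reads "Do not allow allow adding", a doubled word worth fixing before this lands in stable. The comment would also benefit from stating the actual criterion the loop implements: the v3 rootid is rejected when it maps to uid 0 in any ancestor of `task_ns`, because such an xattr would be valid in more than one user namespace. Two further points for the reader of this code: the walk starts at `task_ns->parent` and not at `fs_ns` (declared in the first hunk), so if that choice is deliberate a short note saying why would save the next reviewer from re-deriving it; and the ambiguous case is reported with the same `-EINVAL` already used for the `nsrootid == -1` check just above, so an administrator whose `setcap` fails with EINVAL cannot tell from the error alone which of the two conditions was hit. If a distinct errno is not wanted, documenting this new failure mode alongside the existing `-EINVAL` return is the minimum so that the rejection can be recognised when it appears in the field.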


