Backport summary
----------------

1756d7994ad8 ("cgroup: Use open-time credentials for process migraton perm checks")
  * Cherry pick from 5.10-stable with minor contextual adjustments.

0d2b5955b362 ("cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv")
  * Cherry-pick from 5.10-stable, no modifications.

e57457641613 ("cgroup: Use open-time cgroup namespace for process migration perm checks")
  * Cherry-pick from 5.10-stable.
  * Backport to 5.4: drop changes to cgroup_attach_permissions() and
    cgroup_css_set_fork() as the two functions are not present. Also,
    adjust cgroup_procs_write_permission() callsites directly in
    cgroup_procs_write() and cgroup_threads_write().

b09c2baa5634 ("selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644")
  * Clean cherry-pick.

613e040e4dc2 ("selftests: cgroup: Test open-time credential usage for migration checks")
  * Minor contextual adjustments.

bf35a7879f1d ("selftests: cgroup: Test open-time cgroup namespace usage for migration checks")
  * Minor contextual adjustments and added wait.h and fcntl.h includes
    to fix compilation.

Testing
-------

The newly introduced selftests (test_cgcore_lesser_euid_open() and
test_cgcore_lesser_ns_open()) pass with this series applied:

  root@intel-x86-64:~# ./test_core
  ok 1 test_cgcore_internal_process_constraint
  ok 2 test_cgcore_top_down_constraint_enable
  ok 3 test_cgcore_top_down_constraint_disable
  ok 4 test_cgcore_no_internal_process_constraint_on_threads
  ok 5 test_cgcore_parent_becomes_threaded
  ok 6 test_cgcore_invalid_domain
  ok 7 test_cgcore_populated
  ok 8 test_cgcore_lesser_euid_open
  ok 9 test_cgcore_lesser_ns_open

Tejun Heo (6):
  cgroup: Use open-time credentials for process migraton perm checks
  cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv
  cgroup: Use open-time cgroup namespace for process migration perm checks
  selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644
  selftests: cgroup: Test open-time credential usage for migration checks
  selftests: cgroup: Test open-time cgroup namespace usage for migration checks

 kernel/cgroup/cgroup-internal.h              |  19 +++
 kernel/cgroup/cgroup-v1.c                    |  33 ++--
 kernel/cgroup/cgroup.c                       |  93 ++++++++---
 tools/testing/selftests/cgroup/cgroup_util.c |   2 +-
 tools/testing/selftests/cgroup/test_core.c   | 167 +++++++++++++++++++
 5 files changed, 271 insertions(+), 43 deletions(-)

-- 
2.25.1