This is a note to let you know that I've just added the patch titled
userns: Only allow the creator of the userns unprivileged mappings
to the 3.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
userns-only-allow-the-creator-of-the-userns-unprivileged-mappings.patch
and it can be found in the queue-3.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From f95d7918bd1e724675de4940039f2865e5eec5fe Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Date: Wed, 26 Nov 2014 23:22:14 -0600
Subject: userns: Only allow the creator of the userns unprivileged mappings
From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
commit f95d7918bd1e724675de4940039f2865e5eec5fe upstream.
If you did not create the user namespace and are allowed
to write to uid_map or gid_map you should already have the necessary
privilege in the parent user namespace to establish any mapping
you want so this will not affect userspace in practice.
Limiting unprivileged uid mapping establishment to the creator of the
user namespace makes it easier to verify all credentials obtained with
the uid mapping can be obtained without the uid mapping without
privilege.
Limiting unprivileged gid mapping establishment (which is temporarily
absent) to the creator of the user namespace also ensures that the
combination of uid and gid can already be obtained without privilege.
This is part of the fix for CVE-2014-8989.
Reviewed-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
kernel/user_namespace.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -800,14 +800,16 @@ static bool new_idmap_permitted(const st
struct user_namespace *ns, int cap_setid,
struct uid_gid_map *new_map)
{
+ const struct cred *cred = file->f_cred;
/* Don't allow mappings that would allow anything that wouldn't
* be allowed without the establishment of unprivileged mappings.
*/
- if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
+ if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
+ uid_eq(ns->owner, cred->euid)) {
u32 id = new_map->extent[0].lower_first;
if (cap_setid == CAP_SETUID) {
kuid_t uid = make_kuid(ns->parent, id);
- if (uid_eq(uid, file->f_cred->euid))
+ if (uid_eq(uid, cred->euid))
return true;
}
}
Patches currently in stable-queue which might be from ebiederm@xxxxxxxxxxxx are
queue-3.10/mnt-update-unprivileged-remount-test.patch
queue-3.10/userns-check-euid-no-fsuid-when-establishing-an-unprivileged-uid-mapping.patch
queue-3.10/mnt-implicitly-add-mnt_nodev-on-remount-when-it-was-implicitly-added-by-mount.patch
queue-3.10/userns-don-t-allow-unprivileged-creation-of-gid-mappings.patch
queue-3.10/userns-rename-id_map_mutex-to-userns_state_mutex.patch
queue-3.10/userns-add-a-knob-to-disable-setgroups-on-a-per-user-namespace-basis.patch
queue-3.10/userns-allow-setting-gid_maps-without-privilege-when-setgroups-is-disabled.patch
queue-3.10/userns-don-t-allow-setgroups-until-a-gid-mapping-has-been-setablished.patch
queue-3.10/groups-consolidate-the-setgroups-permission-checks.patch
queue-3.10/userns-only-allow-the-creator-of-the-userns-unprivileged-mappings.patch
queue-3.10/userns-document-what-the-invariant-required-for-safe-unprivileged-mappings.patch
queue-3.10/umount-disallow-unprivileged-mount-force.patch
queue-3.10/userns-unbreak-the-unprivileged-remount-tests.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html