From patchwork Thu Jun 27 19:44:22 2013
X-Patchwork-Submitter: Steve Conklin
X-Patchwork-Id: 255126
From: Steve Conklin
To: kernel-team@lists.ubuntu.com
Subject: [PATCH Quantal CVE] userns: Changing any namespace id mappings should require privileges
Date: Thu, 27 Jun 2013 14:44:22 -0500
Message-Id: <1372362262-2537-2-git-send-email-sconklin@canonical.com>
In-Reply-To: <1372362262-2537-1-git-send-email-sconklin@canonical.com>
References: <1372362262-2537-1-git-send-email-sconklin@canonical.com>

From: Andy Lutomirski

CVE-2013-1979

commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5 upstream.

Changing uid/gid/projid mappings doesn't change your id within the namespace; it reconfigures the namespace. Unprivileged programs should *not* be able to write these files. (We're also checking the privileges on the wrong task.)

Given the write-once nature of these files and the other security checks, this is likely impossible to usefully exploit.

Signed-off-by: Andy Lutomirski
Signed-off-by: Steve Conklin
--- kernel/user_namespace.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 8660231..34e91b3 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -431,10 +431,10 @@ static ssize_t map_write(struct file *file, const char __user *buf, if (map->nr_extents != 0) goto out; - /* Require the appropriate privilege CAP_SETUID or CAP_SETGID - * over the user namespace in order to set the id mapping. + /* + * Adjusting namespace settings requires capabilities on the target. */ - if (!ns_capable(ns, cap_setid)) + if (!file_ns_capable(file, ns, CAP_SYS_ADMIN)) goto out; /* Get a buffer */
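Review bot: the new check `if (!file_ns_capable(file, ns, CAP_SYS_ADMIN))` calls a helper this patch does not define, so the Quantal tree must already have file_ns_capable() (the Message-Id/In-Reply-To show this is the second patch of a series; confirm the earlier patch introduces it, or map_write() will not build). The replacement comment is also weaker than the one it removes: `* Adjusting namespace settings requires capabilities on the target.` names neither the capability now required (CAP_SYS_ADMIN instead of the CAP_SETUID/CAP_SETGID the old comment documented) nor the fact that it is evaluated against the credentials of the task that opened the file rather than the writer, which is the "wrong task" fix the commit message describes; suggest spelling both out in the comment. Finally, once `if (!ns_capable(ns, cap_setid))` is gone, the cap_setid parameter of map_write() no longer appears in this hunk; check that it is still used elsewhere in the function so the change does not leave a dead parameter behind.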