[3.13.y-ckt stable] Patch "userns: Don't allow unprivileged creation of gid mappings" has been added to staging queue
Kamal Mostafa
kamal at canonical.com
Wed Jan 14 21:53:13 UTC 2015
This is a note to let you know that I have just added a patch titled
userns: Don't allow unprivileged creation of gid mappings
to the linux-3.13.y-queue branch of the 3.13.y-ckt extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue
This patch is scheduled to be released in version 3.13.11-ckt14.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.13.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
>From 035ec337eb4852f7deb209fdcb5b0576c31acebc Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm at xmission.com>
Date: Fri, 5 Dec 2014 18:14:19 -0600
Subject: userns: Don't allow unprivileged creation of gid mappings
commit be7c6dba2332cef0677fbabb606e279ae76652c3 upstream.
As any gid mapping will allow and must allow for backwards
compatibility dropping groups don't allow any gid mappings to be
established without CAP_SETGID in the parent user namespace.
For a small class of applications this change breaks userspace
and removes useful functionality. This small class of applications
includes tools/testing/selftests/mount/unprivilged-remount-test.c
Most of the removed functionality will be added back with the addition
of a one way knob to disable setgroups. Once setgroups is disabled
setting the gid_map becomes as safe as setting the uid_map.
For more common applications that set the uid_map and the gid_map
with privilege this change will have no affect.
This is part of a fix for CVE-2014-8989.
Reviewed-by: Andy Lutomirski <luto at amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
kernel/user_namespace.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index a12b44f..8ee5170 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -816,11 +816,6 @@ static bool new_idmap_permitted(const struct file *file,
if (uid_eq(uid, cred->euid))
return true;
}
- else if (cap_setid == CAP_SETGID) {
- kgid_t gid = make_kgid(ns->parent, id);
- if (gid_eq(gid, file->f_cred->fsgid))
- return true;
- }
}
/* Allow anyone to set a mapping that doesn't require privilege */
--
1.9.1
More information about the kernel-team
mailing list