Diffstat (limited to 'userns-Only-allow-the-creator-of-the-userns-unprivil.patch')
-rw-r--r-- | userns-Only-allow-the-creator-of-the-userns-unprivil.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/userns-Only-allow-the-creator-of-the-userns-unprivil.patch b/userns-Only-allow-the-creator-of-the-userns-unprivil.patch
new file mode 100644
index 000000000..8381b14e3
--- /dev/null
+++ b/userns-Only-allow-the-creator-of-the-userns-unprivil.patch
@@ -0,0 +1,54 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 26 Nov 2014 23:22:14 -0600
+Subject: [PATCH] userns: Only allow the creator of the userns unprivileged
+ mappings
+
+If you did not create the user namespace and are allowed
+to write to uid_map or gid_map you should already have the necessary
+privilege in the parent user namespace to establish any mapping
+you want so this will not affect userspace in practice.
+
+Limiting unprivileged uid mapping establishment to the creator of the
+user namespace makes it easier to verify all credentials obtained with
+the uid mapping can be obtained without the uid mapping without
+privilege.
+
+Limiting unprivileged gid mapping establishment (which is temporarily
+absent) to the creator of the user namespace also ensures that the
+combination of uid and gid can already be obtained without privilege.
+
+This is part of the fix for CVE-2014-8989.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ kernel/user_namespace.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 9451b12a9b6c..1e34de2fbd60 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -812,14 +812,16 @@ static bool new_idmap_permitted(const struct file *file,
+ struct user_namespace *ns, int cap_setid,
+ struct uid_gid_map *new_map)
+ {
++ const struct cred *cred = file->f_cred;
+ /* Don't allow mappings that would allow anything that wouldn't
+ * be allowed without the establishment of unprivileged mappings.
+ */
+- if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
++ if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
++ uid_eq(ns->owner, cred->euid)) {
+ u32 id = new_map->extent[0].lower_first;
+ if (cap_setid == CAP_SETUID) {
+ kuid_t uid = make_kuid(ns->parent, id);
+- if (uid_eq(uid, file->f_cred->euid))
++ if (uid_eq(uid, cred->euid))
+ return true;
+ }
+ }
+--
+2.1.0
+
|
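Review bot: The block comment above the rewritten `if` still describes only the original rule (no mapping may grant what is not obtainable without unprivileged mappings), while the added `uid_eq(ns->owner, cred->euid)` condition introduces a second requirement that the comment does not mention; I would extend it with a line such as `* Only the creator of the namespace (ns->owner) may establish an unprivileged mapping.` so the two-part test reads as intended. The rest of new_idmap_permitted, including what is returned when neither branch succeeds, lies outside the hunk. The embedded commit message states that this is only part of the fix for CVE-2014-8989, so the tree adding this patch file presumably needs the companion patches from the same series as well; that cannot be confirmed from this page.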