userns: Only allow the creator of the userns unprivileged mappings

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If you did not create the user namespace and are allowed
to write to uid_map or gid_map you should already have the necessary
privilege in the parent user namespace to establish any mapping
you want so this will not affect userspace in practice.

Limiting unprivileged uid mapping establishment to the creator of the
user namespace makes it easier to verify all credentials obtained with
the uid mapping can be obtained without the uid mapping without
privilege.

Limiting unprivileged gid mapping establishment (which is temporarily
absent) to the creator of the user namespace also ensures that the
combination of uid and gid can already be obtained without privilege.

This is part of the fix for CVE-2014-8989.

Cc: stable@vger.kernel.org
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

Eric W. Biederman 11 years ago f95d7918 80dd00a2

+4 -2

1 changed file

expand all

kernel

user_namespace.c

+4 -2

kernel/user_namespace.c

··· 812 812 struct user_namespace *ns, int cap_setid, 813 813 struct uid_gid_map *new_map) 814 814 { 815 + const struct cred *cred = file->f_cred; 815 816 /* Don't allow mappings that would allow anything that wouldn't 816 817 * be allowed without the establishment of unprivileged mappings. 817 818 */ 818 - if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) { 819 + if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) && 820 + uid_eq(ns->owner, cred->euid)) { 819 821 u32 id = new_map->extent[0].lower_first; 820 822 if (cap_setid == CAP_SETUID) { 821 823 kuid_t uid = make_kuid(ns->parent, id); 822 - if (uid_eq(uid, file->f_cred->euid)) 824 + if (uid_eq(uid, cred->euid)) 823 825 return true; 824 826 } 825 827 }