Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.12.48 2015-01-07T16:55:11Z 2015-01-07T16:55:11Z Eric W. Biederman ebiederm@xmission.com 2014-12-06T00:01:11Z urn:sha1:ae254fcf53097d6d83502c1a75366c7e4eface8b commit 273d2c67c3e179adb1e74f403d1e9a06e3f841b5 upstream. setgroups is unique in not needing a valid mapping before it can be called, in the case of setgroups(0, NULL) which drops all supplemental groups. The design of the user namespace assumes that CAP_SETGID can not actually be used until a gid mapping is established. Therefore add a helper function to see if the user namespace gid mapping has been established and call that function in the setgroups permission check. This is part of the fix for CVE-2014-8989, being able to drop groups without privilege using user namespaces. Reviewed-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2015-01-07T16:55:10Z Eric W. Biederman ebiederm@xmission.com 2014-12-05T23:19:27Z urn:sha1:281cac74a213639fa7a4d1b60553d011a4a11d6f commit 7ff4d90b4c24a03666f296c3d4878cd39001e81e upstream. Today there are 3 instances of setgroups and due to an oversight their permission checking has diverged. Add a common function so that they may all share the same permission checking code. This corrects the current oversight in the current permission checks and adds a helper to avoid this in the future. A user namespace security fix will update this new helper, shortly. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2013-08-31T06:44:11Z Eric W. Biederman ebiederm@xmission.com 2013-03-20T19:49:49Z urn:sha1:c7b96acf1456ef127fef461fcfedb54b81fecfbb nsown_capable is a special case of ns_capable essentially for just CAP_SETUID and CAP_SETGID. For the existing users it doesn't noticably simplify things and from the suggested patches I have seen it encourages people to do the wrong thing. So remove nsown_capable. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2012-05-03T10:29:33Z Eric W. Biederman ebiederm@xmission.com 2012-02-09T17:09:39Z urn:sha1:72cda3d1ef24ab0a9a89c15e9776ca737b75f45a Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> 2012-05-03T10:27:21Z Eric W. Biederman ebiederm@xmission.com 2011-11-14T23:56:38Z urn:sha1:ae2975bc3476243b45a1e2344236d7920c268f38 As a first step to converting struct cred to be all kuid_t and kgid_t values convert the group values stored in group_info to always be kgid_t values. Unless user namespaces are used this change should have no effect. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> 2011-10-31T13:20:12Z Paul Gortmaker paul.gortmaker@windriver.com 2011-05-23T18:51:41Z urn:sha1:9984de1a5a8a96275fcab818f7419af5a3c86e71 The changed files were only including linux/module.h for the EXPORT_SYMBOL infrastructure, and nothing else. Revector them onto the isolated export header for faster compile times. Nothing to see here but a whole lot of instances of: -#include <linux/module.h> +#include <linux/export.h> This commit is only changing the kernel dir; next targets will probably be mm, fs, the arch dirs, etc. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-03-24T02:47:08Z Serge E. Hallyn serge@hallyn.com 2011-03-23T23:43:24Z urn:sha1:b0e77598f87107001a00b8a4ece9c95e4254ccc4 CAP_IPC_OWNER and CAP_IPC_LOCK can be checked against current_user_ns(), because the resource comes from current's own ipc namespace. setuid/setgid are to uids in own namespace, so again checks can be against current_user_ns(). Changelog: Jan 11: Use task_ns_capable() in place of sched_capable(). Jan 11: Use nsown_capable() as suggested by Bastian Blank. Jan 11: Clarify (hopefully) some logic in futex and sched.c Feb 15: use ns_capable for ipc, not nsown_capable Feb 23: let copy_ipcs handle setting ipc_ns->user_ns Feb 23: pass ns down rather than taking it from current [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Acked-by: Daniel Lezcano <daniel.lezcano@free.fr> Acked-by: David Howells <dhowells@redhat.com> Cc: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2010-09-10T01:57:24Z Jerome Marchand jmarchan@redhat.com 2010-09-09T23:37:59Z urn:sha1:1c24de60e50fb19b94d94225458da17c720f0729 gid_t is a unsigned int. If group_info contains a gid greater than MAX_INT, groups_search() function may look on the wrong side of the search tree. This solves some unfair "permission denied" problems. Signed-off-by: Jerome Marchand <jmarchan@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2010-04-12T02:19:18Z Eric Paris eparis@redhat.com 2010-04-07T19:15:13Z urn:sha1:6307f8fee295b364716d28686df6e69c2fee751a Unused hook. Remove. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org> 2009-06-17T02:47:48Z Alexey Dobriyan adobriyan@gmail.com 2009-06-16T22:33:40Z urn:sha1:30639b6af85a92491b22dd14c17b14ca11da60e6 Move supplementary groups implementation to kernel/groups.c . kernel/sys.c already accumulated quite a few random stuff. Do strictly copy/paste + add required headers to compile. Compile-tested on many configs and archs. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>