Commit 39d3003edf610a4fefdba0e0758aeca89d3d720d

Authored by Eric W. Biederman
Committed by Greg Kroah-Hartman
1 parent 335f060430

userns: Only allow the creator of the userns unprivileged mappings

commit f95d7918bd1e724675de4940039f2865e5eec5fe upstream.

If you did not create the user namespace and are allowed
to write to uid_map or gid_map you should already have the necessary
privilege in the parent user namespace to establish any mapping
you want so this will not affect userspace in practice.

Limiting unprivileged uid mapping establishment to the creator of the
user namespace makes it easier to verify all credentials obtained with
the uid mapping can be obtained without the uid mapping without
privilege.

Limiting unprivileged gid mapping establishment (which is temporarily
absent) to the creator of the user namespace also ensures that the
combination of uid and gid can already be obtained without privilege.

This is part of the fix for CVE-2014-8989.

Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Showing 1 changed file with 4 additions and 2 deletions

kernel/user_namespace.c
... ... @@ -812,14 +812,16 @@
812 812 struct user_namespace *ns, int cap_setid,
813 813 struct uid_gid_map *new_map)
814 814 {
  815 + const struct cred *cred = file->f_cred;
815 816 /* Don't allow mappings that would allow anything that wouldn't
816 817 * be allowed without the establishment of unprivileged mappings.
817 818 */
818   - if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
  819 + if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
  820 + uid_eq(ns->owner, cred->euid)) {
819 821 u32 id = new_map->extent[0].lower_first;
820 822 if (cap_setid == CAP_SETUID) {
821 823 kuid_t uid = make_kuid(ns->parent, id);
822   - if (uid_eq(uid, file->f_cred->euid))
  824 + if (uid_eq(uid, cred->euid))
823 825 return true;
824 826 }
825 827 }
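Review bot: the new `uid_eq(ns->owner, cred->euid)` test sits in the outer `nr_extents == 1 && extent[0].count == 1` condition rather than inside the `cap_setid == CAP_SETUID` branch, so it will also gate any gid-mapping branch added under the same guard later; the comment above that condition ("Don't allow mappings that would allow anything that wouldn't be allowed without the establishment of unprivileged mappings") should be extended to state that the mapping is further limited to the namespace creator, since the reason for comparing the writer's euid against `ns->owner` is only given in the commit message, not in the code. Minor style point: the added `const struct cred *cred = file->f_cred;` declaration runs directly into the comment block with no blank line separating them.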