diff options
-rw-r--r-- | fs/proc/base.c | 97 | ||||
-rw-r--r-- | fs/proc/internal.h | 2 | ||||
-rw-r--r-- | fs/proc/namespaces.c | 1 | ||||
-rw-r--r-- | fs/proc/root.c | 7 | ||||
-rw-r--r-- | net/sysctl_net.c | 3 |
5 files changed, 109 insertions, 1 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c index 5eb02069e1b81..e77d972066d4e 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -83,6 +83,7 @@ #include <linux/pid_namespace.h> #include <linux/fs_struct.h> #include <linux/slab.h> +#include <linux/user_namespace.h> #ifdef CONFIG_HARDWALL #include <asm/hardwall.h> #endif @@ -628,6 +629,7 @@ int proc_setattr(struct dentry *dentry, struct iattr *attr) } static const struct inode_operations proc_def_inode_operations = { + .permission = proc_base_permission, .setattr = proc_setattr, }; @@ -1666,6 +1668,7 @@ out: } static const struct inode_operations proc_pid_link_inode_operations = { + .permission = proc_base_permission, .readlink = proc_pid_readlink, .follow_link = proc_pid_follow_link, .setattr = proc_setattr, @@ -2188,6 +2191,7 @@ static int proc_fd_permission(struct inode *inode, int mask) * proc directories can do almost nothing.. */ static const struct inode_operations proc_fd_inode_operations = { + .permission = proc_base_permission, .lookup = proc_lookupfd, .permission = proc_fd_permission, .setattr = proc_setattr, @@ -2241,6 +2245,7 @@ static const struct file_operations proc_fdinfo_operations = { * proc directories can do almost nothing.. */ static const struct inode_operations proc_fdinfo_inode_operations = { + .permission = proc_base_permission, .lookup = proc_lookupfdinfo, .setattr = proc_setattr, }; @@ -2477,6 +2482,7 @@ static struct dentry *proc_attr_dir_lookup(struct inode *dir, } static const struct inode_operations proc_attr_dir_inode_operations = { + .permission = proc_base_permission, .lookup = proc_attr_dir_lookup, .getattr = pid_getattr, .setattr = proc_setattr, @@ -2885,6 +2891,7 @@ static struct dentry *proc_tgid_base_lookup(struct inode *dir, struct dentry *de } static const struct inode_operations proc_tgid_base_inode_operations = { + .permission = proc_base_permission, .lookup = proc_tgid_base_lookup, .getattr = pid_getattr, .setattr = proc_setattr, @@ -3227,6 +3234,7 @@ static const struct file_operations proc_tid_base_operations = { }; static const struct inode_operations proc_tid_base_inode_operations = { + .permission = proc_base_permission, .lookup = proc_tid_base_lookup, .getattr = pid_getattr, .setattr = proc_setattr, @@ -3452,6 +3460,7 @@ static int proc_task_getattr(struct vfsmount *mnt, struct dentry *dentry, struct } static const struct inode_operations proc_task_inode_operations = { + .permission = proc_base_permission, .lookup = proc_task_lookup, .getattr = proc_task_getattr, .setattr = proc_setattr, @@ -3462,3 +3471,91 @@ static const struct file_operations proc_task_operations = { .readdir = proc_task_readdir, .llseek = default_llseek, }; + +static int proc_dac_permission_check(struct inode *inode, int mask, + struct user_namespace *inode_user_ns) +{ + unsigned int mode = inode->i_mode; + + mask &= MAY_READ | MAY_WRITE | MAY_EXEC | MAY_NOT_BLOCK; + + if (current_user_ns() != inode_user_ns) + goto other_perms; + + if (likely(current_fsuid() == inode->i_uid)) + mode >>= 6; + else { + if (in_group_p(inode->i_gid)) + mode >>= 3; + } + +other_perms: + /* + * If the DACs are ok we don't need any capability check. + */ + if ((mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0) + return 0; + return -EACCES; +} + + +static int proc_userns_permission(struct inode *inode, int mask, + struct user_namespace *inode_user_ns) +{ + int ret; + /* + * Do the basic DAC permission checks. + */ + ret = proc_dac_permission_check(inode, mask, inode_user_ns); + if (ret != -EACCES) + return ret; + + ret = 0; + if (S_ISDIR(inode->i_mode)) { + /* DACs are overridable for directories */ + if (ns_capable(inode_user_ns, CAP_DAC_OVERRIDE)) + return 0; + if (!(mask & MAY_WRITE)) + if (ns_capable(inode_user_ns, CAP_DAC_READ_SEARCH)) + return 0; + return -EACCES; + } + /* + * Read/write DACs are always overridable. + * Executable DACs are overridable when there is + * at least one exec bit set. + */ + if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) + if (ns_capable(inode_user_ns, CAP_DAC_OVERRIDE)) + return 0; + + /* + * Searching includes executable on directories, else just read. + */ + mask &= MAY_READ | MAY_WRITE | MAY_EXEC; + if (mask == MAY_READ) + if (ns_capable(inode_user_ns, CAP_DAC_READ_SEARCH)) + return 0; + + return -EACCES; +} + +int proc_base_permission(struct inode *inode, int mask) +{ + struct user_namespace *inode_user_ns; + struct task_struct *task; + int ret; + + ret = -EACCES; + task = get_proc_task(inode); + if (!task) + return -ESRCH; + + inode_user_ns = get_user_ns(task_cred_xxx(task, user_ns)); + + ret = proc_userns_permission(inode, mask, inode_user_ns); + + put_user_ns(inode_user_ns); + put_task_struct(task); + return ret; +} diff --git a/fs/proc/internal.h b/fs/proc/internal.h index 7838e5cfec145..d6930a7cfb656 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -145,3 +145,5 @@ int proc_setattr(struct dentry *dentry, struct iattr *attr); extern const struct inode_operations proc_ns_dir_inode_operations; extern const struct file_operations proc_ns_dir_operations; +extern int proc_base_permission(struct inode *inode, int mask); + diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index acc6eafaa2d2d..10a88a54626ba 100644 --- a/fs/proc/namespaces.c +++ b/fs/proc/namespaces.c @@ -179,6 +179,7 @@ out_no_task: } const struct inode_operations proc_ns_dir_inode_operations = { + .permission = proc_base_permission, .lookup = proc_ns_dir_lookup, .getattr = pid_getattr, .setattr = proc_setattr, diff --git a/fs/proc/root.c b/fs/proc/root.c index 9a8a2b77b8747..19128e0260f32 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -18,6 +18,7 @@ #include <linux/bitops.h> #include <linux/mount.h> #include <linux/pid_namespace.h> +#include <linux/user_namespace.h> #include "internal.h" @@ -62,6 +63,11 @@ static struct dentry *proc_mount(struct file_system_type *fs_type, } sb->s_flags |= MS_ACTIVE; + /* Guarantee that we are always in the init_user_ns + * Individually files are treated as exceptions. + */ + put_user_ns(sb->s_user_ns); + sb->s_user_ns = get_user_ns(&init_user_ns); } ei = PROC_I(sb->s_root->d_inode); @@ -84,6 +90,7 @@ static void proc_kill_sb(struct super_block *sb) } static struct file_system_type proc_fs_type = { + .fs_flags = FS_SAFE, .name = "proc", .mount = proc_mount, .kill_sb = proc_kill_sb, diff --git a/net/sysctl_net.c b/net/sysctl_net.c index ca84212cfbfed..077d68c34dda8 100644 --- a/net/sysctl_net.c +++ b/net/sysctl_net.c @@ -45,8 +45,9 @@ static int net_ctl_permissions(struct ctl_table_root *root, struct nsproxy *nsproxy, struct ctl_table *table) { + /* FIXME make this code fully userns aware */ /* Allow network administrator to have same access as root. */ - if (capable(CAP_NET_ADMIN)) { + if (ns_capable(nsproxy->net_ns->user_ns, CAP_NET_ADMIN)) { int mode = (table->mode >> 6) & 7; return (mode << 6) | (mode << 3) | mode; } |