user namespaces: require cap_set{ug}id for CLONE_NEWUSER

While ideally CLONE_NEWUSER will eventually require no privilege, the required permission checks are currently not there. As a result, CLONE_NEWUSER has the same effect as a setuid(0)+setgroups(1,"0"). While we already require CAP_SYS_ADMIN, requiring CAP_SETUID and CAP_SETGID seems appropriate. Signed-off-by: N Serge E. Hallyn <serue@us.ibm.com> Acked-by: N "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: N James Morris <jmorris@namei.org>

user namespaces: require cap_set{ug}id for CLONE_NEWUSER
While ideally CLONE_NEWUSER will eventually require no privilege, the required permission checks are currently not there. As a result, CLONE_NEWUSER has the same effect as a setuid(0)+setgroups(1,"0"). While we already require CAP_SYS_ADMIN, requiring CAP_SETUID and CAP_SETGID seems appropriate. Signed-off-by: N Serge E. Hallyn <serue@us.ibm.com> Acked-by: N "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: N James Morris <jmorris@namei.org>
7657d904 · Serge E. Hallyn · James Morris · c37bbb0f · 7657d904
显示空白变更内容
内联并排

Showing with 2 addition and 1 deletion

kernel/fork.c kernel/fork.c +2 -1

未找到文件。
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1344,7 +1344,8 @@ long do_fork(unsigned long clone_flags,
 		/* hopefully this check will go away when userns support is
 		 * complete
 		 */
-		if (!capable(CAP_SYS_ADMIN))
+		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
+				!capable(CAP_SETGID))
 			return -EPERM;
 	}