    userns: Document what the invariant required for safe unprivileged mappings. · 0542f17b
    Eric W. Biederman authored
    The rule is simple.  Don't allow anything that wouldn't be allowed
    without unprivileged mappings.
    
    It was previously overlooked that establishing gid mappings would
    allow dropping groups and potentially gaining permission to files and
    directories that had lesser permissions for a specific group than for
    all other users.
    
    This is the rule needed to fix CVE-2014-8989 and prevent any other
    security issues with new_idmap_permitted.
    
    The reason for this rule is that the unix permission model is old and
    there are programs out there somewhere that take advantage of every
    little corner of it.  So allowing a uid or gid mapping to be
    established without privilege that would allow anything that would not
    be allowed without that mapping will result in expectations from some
    code somewhere being violated.  Violated expectations about the
    behavior of the OS is a long way to say a security issue.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
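As an added illustration that is not part of the commit or of the kernel source, the following Python model shows the permission-model corner the message describes (a file whose group has fewer rights than everyone else, so that dropping that group is a gain) and expresses the invariant as a check on an unprivileged gid mapping. `Cred`, `Inode`, the sample values and the `setgroups_denied` flag are this example's own names; the flag stands in for the per-namespace setgroups knob Linux 3.19 introduced alongside this rule.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset  # supplementary gids


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o705


def may_access(cred: Cred, inode: Inode, want: int) -> bool:
    """Classic Unix DAC: exactly one class applies (owner, else group,
    else other).  CAP_DAC_OVERRIDE is deliberately left out."""
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif cred.gid == inode.gid or inode.gid in cred.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def drop_groups(cred: Cred) -> Cred:
    """What setgroups(0, NULL) does: keep uid/gid, clear supplementary groups."""
    return Cred(cred.uid, cred.gid, frozenset())


def gained_by_dropping_groups(cred: Cred, inode: Inode, want: int) -> bool:
    """True when 'group has less than other' turns dropping a group into a gain."""
    return (not may_access(cred, inode, want)
            and may_access(drop_groups(cred), inode, want))


def unprivileged_gid_map_permitted(cred: Cred, from_gid: int,
                                   setgroups_denied: bool) -> bool:
    """Model of the invariant: allow only what would be allowed without the
    mapping.  Mapping a gid other than the caller's own would be a gain, and
    so would keeping the ability to call setgroups() inside the namespace."""
    return from_gid == cred.gid and setgroups_denied


# Constructed sample: group 50 is deliberately given less than 'other'.
SECRET = Inode(uid=0, gid=50, mode=0o705)
ALICE = Cred(uid=1000, gid=1000, groups=frozenset({50}))
```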