    userns: Add a knob to disable setgroups on a per user namespace basis · b3993755
    Eric W. Biederman authored
    commit 9cc46516 upstream.
    
    - Expose the knob to user space through a proc file /proc/<pid>/setgroups
    
      A value of "deny" means the setgroups system call is disabled in the
      current process's user namespace and can not be enabled in the
      future in this user namespace.
    
      A value of "allow" means the setgroups system call is enabled.
    
    - Descendant user namespaces inherit the value of setgroups from
      their parents.
    
    - A proc file is used (instead of a sysctl) as sysctls currently do
      not allow checking the permissions at open time.
    
    - Writing to the proc file is restricted to before the gid_map
      for the user namespace is set.
    
      This ensures that disabling setgroups at a user namespace
      level will never remove the ability to call setgroups
      from a process that already has that ability.
    
      A process may opt in to the setgroups disable for itself by
      creating, entering and configuring a user namespace or by calling
      setns on an existing user namespace with setgroups disabled.
      Processes without privileges already can not call setgroups so this
      is a noop.  Processes with privilege become processes without
      privilege when entering a user namespace and as with any other path
      to dropping privilege they would not have the ability to call
      setgroups.  So this remains within the bounds of what is possible
      without a knob to disable setgroups permanently in a user namespace.
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
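The ordering rules above, exercised from user space as an added example (this is not code from the commit or the kernel tree): the program unshares into a fresh user namespace, writes "deny" to /proc/self/setgroups before gid_map, then checks that the knob can neither be flipped back to "allow" nor written at all once gid_map exists, and that setgroups() is refused inside the namespace. The single-line uid_map/gid_map mapping of the caller's own ids and the -ENOSYS return for sandboxes that refuse unprivileged user namespaces are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write s to a /proc file through a fresh open(); returns 0 or -errno. */
static int write_proc(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = (write(fd, s, strlen(s)) == (ssize_t)strlen(s)) ? 0 : -errno;
    close(fd);
    return err;
}
/* Parse text read from /proc/<pid>/setgroups: 1 = allow, 0 = deny, -1 = anything else. */
static int parse_setgroups(const char *buf)
{
    if (strncmp(buf, "allow", 5) == 0) return 1;
    if (strncmp(buf, "deny", 4) == 0) return 0;
    return -1;
}
/* Enter a new user namespace and exercise the rules the commit states.  Returns 1 when
 * every rule held, -ENOSYS when this environment refuses unprivileged user namespaces
 * (assumed mapping of any unshare() failure), otherwise the -errno of the failing step. */
static int demo_setgroups_deny(void)
{
    char map[64];
    uid_t uid = geteuid();  /* captured before unshare(): afterwards the ids read as unmapped */
    gid_t gid = getegid();
    int r;
    if (unshare(CLONE_NEWUSER) < 0) return -ENOSYS;
    /* Disable setgroups while gid_map is still empty: the only window in which it is writable. */
    if ((r = write_proc("/proc/self/setgroups", "deny")) < 0) return r;
    /* "deny" is permanent for this namespace, so re-enabling must be refused. */
    if (write_proc("/proc/self/setgroups", "allow") != -EPERM) return -EINVAL;
    /* Map the caller's own ids to 0: the single-line mapping an unprivileged creator may write. */
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if ((r = write_proc("/proc/self/uid_map", map)) < 0) return r;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if ((r = write_proc("/proc/self/gid_map", map)) < 0) return r;
    /* Once gid_map exists the knob is frozen, and setgroups() fails even though the
     * process holds CAP_SETGID inside the namespace. */
    if (write_proc("/proc/self/setgroups", "deny") != -EPERM) return -EINVAL;
    if (setgroups(0, NULL) == 0 || errno != EPERM) return -EINVAL;
    return 1;
}
```

A return of 1 means every rule in the commit message held on the running kernel; -ENOSYS means the sandbox or kernel configuration did not allow an unprivileged user namespace to be created, so nothing could be checked.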