• Linus Torvalds's avatar
    Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 87c31b39
    Linus Torvalds authored
    Pull user namespace related fixes from Eric Biederman:
     "As these are bug fixes almost all of thes changes are marked for
      backporting to stable.
    
      The first change (implicitly adding MNT_NODEV on remount) addresses a
      regression that was created when security issues with unprivileged
      remount were closed.  I go on to update the remount test to make it
      easy to detect if this issue reoccurs.
    
      Then there are a handful of mount and umount related fixes.
    
      Then half of the changes deal with the a recently discovered design
      bug in the permission checks of gid_map.  Unix since the beginning has
      allowed setting group permissions on files to less than the user and
      other permissions (aka ---rwx---rwx).  As the unix permission checks
      stop as soon as a group matches, and setgroups allows setting groups
      that can not later be dropped, results in a situtation where it is
      possible to legitimately use a group to assign fewer privileges to a
      process.  Which means dropping a group can increase a processes
      privileges.
    
      The fix I have adopted is that gid_map is now no longer writable
      without privilege unless the new file /proc/self/setgroups has been
      set to permanently disable setgroups.
    
      The bulk of user namespace using applications even the applications
      using applications using user namespaces without privilege remain
      unaffected by this change.  Unfortunately this ix breaks a couple user
      space applications, that were relying on the problematic behavior (one
      of which was tools/selftests/mount/unprivileged-remount-test.c).
    
      To hopefully prevent needing a regression fix on top of my security
      fix I rounded folks who work with the container implementations mostly
      like to be affected and encouraged them to test the changes.
    
        > So far nothing broke on my libvirt-lxc test bed. :-)
        > Tested with openSUSE 13.2 and libvirt 1.2.9.
        > Tested-by: Richard Weinberger <richard@nod.at>
    
        > Tested on Fedora20 with libvirt 1.2.11, works fine.
        > Tested-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
    
        > Ok, thanks - yes, unprivileged lxc is working fine with your kernels.
        > Just to be sure I was testing the right thing I also tested using
        > my unprivileged nsexec testcases, and they failed on setgroup/setgid
        > as now expected, and succeeded there without your patches.
        > Tested-by: Serge Hallyn <serge.hallyn@ubuntu.com>
    
        > I tested this with Sandstorm.  It breaks as is and it works if I add
        > the setgroups thing.
        > Tested-by: Andy Lutomirski <luto@amacapital.net> # breaks things as designed :("
    
    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
      userns: Unbreak the unprivileged remount tests
      userns; Correct the comment in map_write
      userns: Allow setting gid_maps without privilege when setgroups is disabled
      userns: Add a knob to disable setgroups on a per user namespace basis
      userns: Rename id_map_mutex to userns_state_mutex
      userns: Only allow the creator of the userns unprivileged mappings
      userns: Check euid no fsuid when establishing an unprivileged uid mapping
      userns: Don't allow unprivileged creation of gid mappings
      userns: Don't allow setgroups until a gid mapping has been setablished
      userns: Document what the invariant required for safe unprivileged mappings.
      groups: Consolidate the setgroups permission checks
      mnt: Clear mnt_expire during pivot_root
      mnt: Carefully set CL_UNPRIVILEGED in clone_mnt
      mnt: Move the clear of MNT_LOCKED from copy_tree to it's callers.
      umount: Do not allow unmounting rootfs.
      umount: Disallow unprivileged mount force
      mnt: Update unprivileged remount test
      mnt: Implicitly add MNT_NODEV on remount when it was implicitly added by mount
    87c31b39
base.c 75.6 KB