From patchwork Tue Apr 26 19:30:37 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 8943631 Return-Path: X-Original-To: patchwork-selinux@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id C07DDBF29F for ; Tue, 26 Apr 2016 19:39:06 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id D54A02013D for ; Tue, 26 Apr 2016 19:39:05 +0000 (UTC) Received: from emsm-gh1-uea11.nsa.gov (emsm-gh1-uea11.nsa.gov [8.44.101.9]) by mail.kernel.org (Postfix) with ESMTP id 894AF201C7 for ; Tue, 26 Apr 2016 19:39:04 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.24,538,1454976000"; d="scan'208";a="15642693" IronPort-PHdr: =?us-ascii?q?9a23=3AMs93qR1/5CxIvTuBsmDT+DRfVm0co7zxezQtwd8Z?= =?us-ascii?q?sekeKfad9pjvdHbS+e9qxAeQG96Lu7Qb2qGP6PiocFdDyKjCmUhKSIZLWR4BhJ?= =?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TWM5DIfUi/yKRBy?= =?us-ascii?q?brysXNWC34LohqvroMWbSj4LrQT+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf?= =?us-ascii?q?9d32JiKAHbtR/94sCt4MwrqHwI6LoJvvRNWqTifqk+UacQTHF/azh0t4XXskyJ?= =?us-ascii?q?YBGO7TMjFC08kxdEDhLA5RewFsP8uCr3uudn3QGKOMztVrEzX3Kp6KI9DFfBjC?= =?us-ascii?q?oXPjg1/XuftM1qi+oPvhO7oDRtzojVfseRNfxjbuXaZ9xcWGkXGo5+TSFOSqCm?= =?us-ascii?q?aIIPSsoIJ/pdpo+181QUoBS9BSGoBeXy2jFPm3n61LE71OJnFhvJil8OBdUL5U?= =?us-ascii?q?/ZsNW9GqAISuC4weGc1jjfb7VY3i3m6IXFWhsop/aKXLl5dYzazkx5RFCNtUmZ?= =?us-ascii?q?tYGwZ2Dd7e8KqWXOqrM4De8=3D?= X-IPAS-Result: =?us-ascii?q?A2EEBQBXwx9X/wHyM5BeHAGDG4FQu3cfhzpMAQEBAQEBAgJ?= =?us-ascii?q?iJ4ItghUBAQQBAiQTFCALAwMJAQEXKQgIAwEoBRURBgEHCwUYBIgJxDoBCwEdh?= =?us-ascii?q?iGIWhEBhXQFjkiJSIFVjESJT4VAjzBiggUbFoFTTod5gTUBAQE?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Apr 2016 19:38:43 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3QJcgld012275; Tue, 26 Apr 2016 15:38:43 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u3QJUsuX172225 for ; Tue, 26 Apr 2016 15:30:54 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u3QJUoHO010214 for ; Tue, 26 Apr 2016 15:30:54 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A0A+BQAQwR9X/yUp0ApeHYMbgVCCc7R9i2JMAQEBAQEBZieEQgEFJ1IQCEksKwYBEogqxGeGIY5gBY5IiUiBVYxEiU+FQI8wYoE2AU4bFoFTHjCJLgEBAQ X-IPAS-Result: A0A+BQAQwR9X/yUp0ApeHYMbgVCCc7R9i2JMAQEBAQEBZieEQgEFJ1IQCEksKwYBEogqxGeGIY5gBY5IiUiBVYxEiU+FQI8wYoE2AU4bFoFTHjCJLgEBAQ X-IronPort-AV: E=Sophos;i="5.24,537,1454994000"; d="scan'208";a="5410357" Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov) ([10.208.41.37]) by goalie.tycho.ncsc.mil with ESMTP; 26 Apr 2016 15:30:54 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3ABuIzKRN0CM6tvGtTJD8l6mtUPXoX/o7sNwtQ0KIM?= =?us-ascii?q?zox0KfT4rarrMEGX3/hxlliBBdydsKIUzbWH+Pm7ASQp2tWojjMrSNR0TRgLiM?= =?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpQAbFhi3Dwdp?= =?us-ascii?q?POO9QteU1JTnkb/jsMSIO01hv3mUX/BbFF2OtwLft80b08NJC50a7V/3mEZOYP?= =?us-ascii?q?lc3mhyJFiezF7W78a0+4N/oWwL46pyv+YJa6jxfrw5QLpEF3xmdjltvIy4/SXE?= =?us-ascii?q?GEGi/HoXGlpQ2jBJDgTI9hTzWN255ibwt+dx1TOfFd3zTKsvWDOkqaxsTUmswA?= =?us-ascii?q?4DOi4w9m3akIROjbhc6Ea/pgZ465zZZoCLcv5/eL7NO9QASixcXZAVHwNbD4z0?= =?us-ascii?q?TJEIBupEHe9Cs4z0oRNaogGzCgqsLOfuzCJYiHjr26Ezz+UmF0fBxgN2TPwUt3?= =?us-ascii?q?GBl9jpNO88VvquzKTFhWHYYu9Wnzn68pPIfx0JqviKWrRxesPVj0IoElWW3R2r?= =?us-ascii?q?tYX5MmbNhaw2uG+B4r8lDLr3hg=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0FNBQDdwB9X/3/oP4heHYMbgVCCc7R9i?= =?us-ascii?q?2JMAQEBAQEBAgJiJ4ItghUBBSdSEAgQOSwrBgESiCrEZ4YhjmAFjkiJSIFVjES?= =?us-ascii?q?JT4VAjzBigTYBThsWgVMeMIkuAQEB?= X-IPAS-Result: =?us-ascii?q?A0FNBQDdwB9X/3/oP4heHYMbgVCCc7R9i2JMAQEBAQEBAgJ?= =?us-ascii?q?iJ4ItghUBBSdSEAgQOSwrBgESiCrEZ4YhjmAFjkiJSIFVjESJT4VAjzBigTYBT?= =?us-ascii?q?hsWgVMeMIkuAQEB?= X-IronPort-AV: E=Sophos;i="5.24,537,1454976000"; d="scan'208";a="15642335" Received: from unknown (HELO ubuntu-hedt) ([136.63.232.127]) by emsm-gh1-uea11.nsa.gov with ESMTP; 26 Apr 2016 19:30:53 +0000 Received: by ubuntu-hedt (Postfix, from userid 1000) id 3457C3023A5; Tue, 26 Apr 2016 14:30:53 -0500 (CDT) From: Seth Forshee To: "Eric W. Biederman" , Alexander Viro , Greg Kroah-Hartman Subject: [PATCH v4 14/21] fs: Allow superblock owner to change ownership of inodes with unmappable ids Date: Tue, 26 Apr 2016 14:30:37 -0500 Message-Id: <1461699046-30485-15-git-send-email-seth.forshee@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1461699046-30485-1-git-send-email-seth.forshee@canonical.com> References: <1461699046-30485-1-git-send-email-seth.forshee@canonical.com> X-Mailman-Approved-At: Tue, 26 Apr 2016 15:34:29 -0400 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: linux-bcache@vger.kernel.org, Serge Hallyn , Seth Forshee , dm-devel@redhat.com, Miklos Szeredi , Richard Weinberger , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn , linux-mtd@lists.infradead.org, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, Pavel Tikhomirov MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In a userns mount some on-disk inodes may have ids which do not map into s_user_ns, in which case the in-kernel inodes are owned by invalid users. The superblock owner should be able to change attributes of these inodes but cannot. However it is unsafe to grant the superblock owner privileged access to all inodes in the superblock since proc, sysfs, etc. use DAC to protect files which may not belong to s_user_ns. The problem is restricted to only inodes where the owner or group is an invalid user. We can work around this by allowing users with CAP_CHOWN in s_user_ns to change an invalid owner or group id, so long as the other id is either invalid or mappable in s_user_ns. After changing ownership the user will be privileged towards the inode and thus able to change other attributes. As an precaution, checks for invalid ids are added to the proc and kernfs setattr interfaces. These filesystems are not expected to have inodes with invalid ids, but if it does happen any setattr operations will return -EPERM. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn --- fs/attr.c | 62 ++++++++++++++++++++++++++++++++++++++++++++------- fs/kernfs/inode.c | 2 ++ fs/proc/base.c | 2 ++ fs/proc/generic.c | 3 +++ fs/proc/proc_sysctl.c | 2 ++ 5 files changed, 63 insertions(+), 8 deletions(-) diff --git a/fs/attr.c b/fs/attr.c index 3cfaaac4a18e..06bb3f401559 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -16,6 +16,58 @@ #include #include +static bool chown_ok(const struct inode *inode, kuid_t uid) +{ + struct user_namespace *user_ns; + + if (uid_eq(current_fsuid(), inode->i_uid) && uid_eq(uid, inode->i_uid)) + return true; + if (capable_wrt_inode_uidgid(inode, CAP_CHOWN)) + return true; + + /* + * Inode uids/gids are of type kuid_t/kgid_t. As such, they can be + * a) INVALID_UID/INVALID_GID, b) valid and mappable into + * i_sb->s_user_ns, or c) valid but not mappable into + * i_sb->s_user_ns. + * + * For filesystems on user-supplied media ids will either be (a) or + * (b), so we permit CAP_CHOWN in s_user_ns to change INVALID_UID if + * the gid meets these conditions (and vice versa for INVALID_GID). + * + * For psuedo-filesystems like proc or sysfs ids will be either (b) + * or (c), so these conditions do not permit namespace-root to chown + * in those filesystems. + */ + user_ns = inode->i_sb->s_user_ns; + if (!uid_valid(inode->i_uid) && + (!gid_valid(inode->i_gid) || kgid_has_mapping(user_ns, inode->i_gid)) && + ns_capable(user_ns, CAP_CHOWN)) + return true; + + return false; +} + +static bool chgrp_ok(const struct inode *inode, kgid_t gid) +{ + struct user_namespace *user_ns; + + if (uid_eq(current_fsuid(), inode->i_uid) && + (in_group_p(gid) || gid_eq(gid, inode->i_gid))) + return true; + if (capable_wrt_inode_uidgid(inode, CAP_CHOWN)) + return true; + + /* Logic here is the same as in chown_ok(); see comment there. */ + user_ns = inode->i_sb->s_user_ns; + if (!gid_valid(inode->i_gid) && + (!uid_valid(inode->i_uid) || kuid_has_mapping(user_ns, inode->i_uid)) && + ns_capable(user_ns, CAP_CHOWN)) + return true; + + return false; +} + /** * inode_change_ok - check if attribute changes to an inode are allowed * @inode: inode to check @@ -58,17 +110,11 @@ int inode_change_ok(const struct inode *inode, struct iattr *attr) return 0; /* Make sure a caller can chown. */ - if ((ia_valid & ATTR_UID) && - (!uid_eq(current_fsuid(), inode->i_uid) || - !uid_eq(attr->ia_uid, inode->i_uid)) && - !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) + if ((ia_valid & ATTR_UID) && !chown_ok(inode, attr->ia_uid)) return -EPERM; /* Make sure caller can chgrp. */ - if ((ia_valid & ATTR_GID) && - (!uid_eq(current_fsuid(), inode->i_uid) || - (!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) && - !capable_wrt_inode_uidgid(inode, CAP_CHOWN)) + if ((ia_valid & ATTR_GID) && !chgrp_ok(inode, attr->ia_gid)) return -EPERM; /* Make sure a caller can chmod. */ diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c index 16405ae88d2d..2e97a337ee5f 100644 --- a/fs/kernfs/inode.c +++ b/fs/kernfs/inode.c @@ -117,6 +117,8 @@ int kernfs_iop_setattr(struct dentry *dentry, struct iattr *iattr) if (!kn) return -EINVAL; + if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) + return -EPERM; mutex_lock(&kernfs_mutex); error = inode_change_ok(inode, iattr); diff --git a/fs/proc/base.c b/fs/proc/base.c index b1755b23893e..648d623e2158 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -711,6 +711,8 @@ int proc_setattr(struct dentry *dentry, struct iattr *attr) if (attr->ia_valid & ATTR_MODE) return -EPERM; + if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) + return -EPERM; error = inode_change_ok(inode, attr); if (error) diff --git a/fs/proc/generic.c b/fs/proc/generic.c index ff3ffc76a937..1461570c552c 100644 --- a/fs/proc/generic.c +++ b/fs/proc/generic.c @@ -105,6 +105,9 @@ static int proc_notify_change(struct dentry *dentry, struct iattr *iattr) struct proc_dir_entry *de = PDE(inode); int error; + if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) + return -EPERM; + error = inode_change_ok(inode, iattr); if (error) return error; diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index fe5b6e6c4671..f5d575157194 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -752,6 +752,8 @@ static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr) if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) return -EPERM; + if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) + return -EPERM; error = inode_change_ok(inode, attr); if (error)