
Commit 9e4a36ec authored by Eric W. Biederman's avatar Eric W. Biederman

userns: Fail exec for suid and sgid binaries with ids outside our user namespace.

parent a7c1938e
+5 −0
@@ -1291,8 +1291,11 @@ int prepare_binprm(struct linux_binprm *bprm)
	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
		/* Set-uid? */
		if (mode & S_ISUID) {
			if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid))
				return -EPERM;
			bprm->per_clear |= PER_CLEAR_ON_SETID;
			bprm->cred->euid = inode->i_uid;

		}

		/* Set-gid? */
@@ -1302,6 +1305,8 @@ int prepare_binprm(struct linux_binprm *bprm)
		 * executable.
		 */
		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
			if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid))
				return -EPERM;
			bprm->per_clear |= PER_CLEAR_ON_SETID;
			bprm->cred->egid = inode->i_gid;
		}
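Review bot: The new mapping checks read `inode->i_uid` and `inode->i_gid` once for the test and again for the assignment to `bprm->cred->euid` / `bprm->cred->egid`, so unless something outside these hunks keeps the inode stable, a concurrent ownership change could let the assigned id differ from the one that was checked. Taking one snapshot per id, e.g. `kuid_t uid = inode->i_uid;` and `kgid_t gid = inode->i_gid;`, and using it for both the `kuid_has_mapping()` / `kgid_has_mapping()` test and the assignment would close that window in both hunks. A short comment above each check, such as `/* Refuse setid to an id that has no mapping in the caller's user namespace */`, would also record why exec fails with -EPERM here while the MNT_NOSUID case simply skips the setid bits. prepare_binprm() starts and ends outside the hunks, so any locking around these reads is not visible from here.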