Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e66eded8 authored Mar 13, 2013 by Eric W. Biederman Committed by Linus Torvalds Mar 13, 2013

userns: Don't allow CLONE_NEWUSER | CLONE_FS



Don't allowing sharing the root directory with processes in a
different user namespace.  There doesn't seem to be any point, and to
allow it would require the overhead of putting a user namespace
reference in fs_struct (for permission checks) and incrementing that
reference count on practically every call to fork.

So just perform the inexpensive test of forbidding sharing fs_struct
acrosss processes in different user namespaces.  We already disallow
other forms of threading when unsharing a user namespace so this
should be no real burden in practice.

This updates setns, clone, and unshare to disallow multiple user
namespaces sharing an fs_struct.

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 6c23cbbd

kernel/fork.c

+4 −1

Original line number	Original line	Diff line number	Diff line
	@@ -1141,6 +1141,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
	if ((clone_flags & (CLONE_NEWNS\|CLONE_FS)) == (CLONE_NEWNS\|CLONE_FS))		if ((clone_flags & (CLONE_NEWNS\|CLONE_FS)) == (CLONE_NEWNS\|CLONE_FS))
	return ERR_PTR(-EINVAL);		return ERR_PTR(-EINVAL);

			if ((clone_flags & (CLONE_NEWUSER\|CLONE_FS)) == (CLONE_NEWUSER\|CLONE_FS))
			return ERR_PTR(-EINVAL);

	/*		/*
	* Thread groups must share signals as well, and detached threads		* Thread groups must share signals as well, and detached threads
	* can only be started up within the thread group.		* can only be started up within the thread group.
	@@ -1807,7 +1810,7 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
	* If unsharing a user namespace must also unshare the thread.		* If unsharing a user namespace must also unshare the thread.
	*/		*/
	if (unshare_flags & CLONE_NEWUSER)		if (unshare_flags & CLONE_NEWUSER)
	unshare_flags \|= CLONE_THREAD;		unshare_flags \|= CLONE_THREAD \| CLONE_FS;
	/*		/*
	* If unsharing a pid namespace must also unshare the thread.		* If unsharing a pid namespace must also unshare the thread.
	*/		*/

kernel/user_namespace.c

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -21,6 +21,7 @@
	#include <linux/uaccess.h>		#include <linux/uaccess.h>
	#include <linux/ctype.h>		#include <linux/ctype.h>
	#include <linux/projid.h>		#include <linux/projid.h>
			#include <linux/fs_struct.h>

	static struct kmem_cache *user_ns_cachep __read_mostly;		static struct kmem_cache *user_ns_cachep __read_mostly;

	@@ -837,6 +838,9 @@ static int userns_install(struct nsproxy nsproxy, void ns)
	if (atomic_read(&current->mm->mm_users) > 1)		if (atomic_read(&current->mm->mm_users) > 1)
	return -EINVAL;		return -EINVAL;

			if (current->fs->users != 1)
			return -EINVAL;

	if (!ns_capable(user_ns, CAP_SYS_ADMIN))		if (!ns_capable(user_ns, CAP_SYS_ADMIN))
	return -EPERM;		return -EPERM;