kernel/userns-Only-allow-the-creator-of-the-userns-unprivil.patch

From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Wed, 26 Nov 2014 23:22:14 -0600
Subject: [PATCH] userns: Only allow the creator of the userns unprivileged
 mappings

If you did not create the user namespace and are allowed
to write to uid_map or gid_map you should already have the necessary
privilege in the parent user namespace to establish any mapping
you want so this will not affect userspace in practice.

Limiting unprivileged uid mapping establishment to the creator of the
user namespace makes it easier to verify all credentials obtained with
the uid mapping can be obtained without the uid mapping without
privilege.

Limiting unprivileged gid mapping establishment (which is temporarily
absent) to the creator of the user namespace also ensures that the
combination of uid and gid can already be obtained without privilege.

This is part of the fix for CVE-2014-8989.

Cc: stable@vger.kernel.org
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
 kernel/user_namespace.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 9451b12a9b6c..1e34de2fbd60 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -812,14 +812,16 @@ static bool new_idmap_permitted(const struct file *file,
 				struct user_namespace *ns, int cap_setid,
 				struct uid_gid_map *new_map)
 {
+	const struct cred *cred = file->f_cred;
 	/* Don't allow mappings that would allow anything that wouldn't
 	 * be allowed without the establishment of unprivileged mappings.
 	 */
-	if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
+	if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
+	    uid_eq(ns->owner, cred->euid)) {
 		u32 id = new_map->extent[0].lower_first;
 		if (cap_setid == CAP_SETUID) {
 			kuid_t uid = make_kuid(ns->parent, id);
-			if (uid_eq(uid, file->f_cred->euid))
+			if (uid_eq(uid, cred->euid))
 				return true;
 		}
 	}
-- 
2.1.0
CVE-2014-8989 userns can bypass group restrictions (rhbz 1170684 1170688) 2014-12-18 21:17:32 +00:00			`From: "Eric W. Biederman" <ebiederm@xmission.com>`
			`Date: Wed, 26 Nov 2014 23:22:14 -0600`
			`Subject: [PATCH] userns: Only allow the creator of the userns unprivileged`
			`mappings`

			`If you did not create the user namespace and are allowed`
			`to write to uid_map or gid_map you should already have the necessary`
			`privilege in the parent user namespace to establish any mapping`
			`you want so this will not affect userspace in practice.`

			`Limiting unprivileged uid mapping establishment to the creator of the`
			`user namespace makes it easier to verify all credentials obtained with`
			`the uid mapping can be obtained without the uid mapping without`
			`privilege.`

			`Limiting unprivileged gid mapping establishment (which is temporarily`
			`absent) to the creator of the user namespace also ensures that the`
			`combination of uid and gid can already be obtained without privilege.`

			`This is part of the fix for CVE-2014-8989.`

			`Cc: stable@vger.kernel.org`
			`Reviewed-by: Andy Lutomirski <luto@amacapital.net>`
			`Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>`
			`---`
			`kernel/user_namespace.c \| 6 ++++--`
			`1 file changed, 4 insertions(+), 2 deletions(-)`

			`diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c`
			`index 9451b12a9b6c..1e34de2fbd60 100644`
			`--- a/kernel/user_namespace.c`
			`+++ b/kernel/user_namespace.c`
			`@@ -812,14 +812,16 @@ static bool new_idmap_permitted(const struct file *file,`
			`struct user_namespace *ns, int cap_setid,`
			`struct uid_gid_map *new_map)`
			`{`
			`+ const struct cred *cred = file->f_cred;`
			`/* Don't allow mappings that would allow anything that wouldn't`
			`* be allowed without the establishment of unprivileged mappings.`
			`*/`
			`- if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {`
			`+ if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&`
			`+ uid_eq(ns->owner, cred->euid)) {`
			`u32 id = new_map->extent[0].lower_first;`
			`if (cap_setid == CAP_SETUID) {`
			`kuid_t uid = make_kuid(ns->parent, id);`
			`- if (uid_eq(uid, file->f_cred->euid))`
			`+ if (uid_eq(uid, cred->euid))`
			`return true;`
			`}`
			`}`
			`--`
			`2.1.0`