41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
|
Date: Fri, 5 Dec 2014 19:36:04 -0600
|
|
Subject: [PATCH] userns: Allow setting gid_maps without privilege when
|
|
setgroups is disabled
|
|
|
|
Now that setgroups can be disabled and not reenabled, setting gid_map
|
|
without privielge can now be enabled when setgroups is disabled.
|
|
|
|
This restores most of the functionality that was lost when unprivileged
|
|
setting of gid_map was removed. Applications that use this functionality
|
|
will need to check to see if they use setgroups or init_groups, and if they
|
|
don't they can be fixed by simply disabling setgroups before writing to
|
|
gid_map.
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
|
|
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
|
---
|
|
kernel/user_namespace.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
|
|
index 6e80f4c1322b..a2e37c5d2f63 100644
|
|
--- a/kernel/user_namespace.c
|
|
+++ b/kernel/user_namespace.c
|
|
@@ -826,6 +826,11 @@ static bool new_idmap_permitted(const struct file *file,
|
|
kuid_t uid = make_kuid(ns->parent, id);
|
|
if (uid_eq(uid, cred->euid))
|
|
return true;
|
|
+ } else if (cap_setid == CAP_SETGID) {
|
|
+ kgid_t gid = make_kgid(ns->parent, id);
|
|
+ if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
|
|
+ gid_eq(gid, cred->egid))
|
|
+ return true;
|
|
}
|
|
}
|
|
|
|
--
|
|
2.1.0
|
|
|