[PATCH 23/24] sys:__sys_setresgid(): handle fsid mappings

[PATCH 00/24] user_namespace: introduce fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 19/24] sys:__sys_setgid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 15/24] commoncap:cap_bprm_set_creds(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 17/24] sys: __sys_setfsgid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 16/24] sys: __sys_setfsuid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 18/24] sys:__sys_setuid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 14/24] commoncap: cap_task_fix_setuid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 13/24] attr: notify_change(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 11/24] open: chown_common(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 12/24] posix_acl: handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 01/24] user_namespace: introduce fsid mappings infrastructure · Christian Brauner <hidden> · 2020-02-11
Re: [PATCH 01/24] user_namespace: introduce fsid mappings infrastructure · Randy Dunlap <hidden> · 2020-02-11
[PATCH 20/24] sys:__sys_setreuid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 07/24] namei: may_{o_}create(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 08/24] inode: inode_owner_or_capable(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 10/24] stat: handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 02/24] proc: add /proc/<pid>/fsuid_map · Christian Brauner <hidden> · 2020-02-11
[PATCH 03/24] proc: add /proc/<pid>/fsgid_map · Christian Brauner <hidden> · 2020-02-11
[PATCH 24/24] devpts: handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 09/24] capability: privileged_wrt_inode_uidgid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 22/24] sys:__sys_setresuid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 06/24] fs: add is_userns_visible() helper · Christian Brauner <hidden> · 2020-02-11
[PATCH 04/24] fsuidgid: add fsid mapping helpers · Christian Brauner <hidden> · 2020-02-11
[PATCH 05/24] proc: task_state(): use from_kfs{g,u}id_munged · Christian Brauner <hidden> · 2020-02-11
[PATCH 23/24] sys:__sys_setresgid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
[PATCH 21/24] sys:__sys_setregid(): handle fsid mappings · Christian Brauner <hidden> · 2020-02-11
Re: [PATCH 00/24] user_namespace: introduce fsid mappings · Jann Horn <jannh@google.com> · 2020-02-11
Re: [PATCH 00/24] user_namespace: introduce fsid mappings · Christian Brauner <hidden> · 2020-02-12
Re: [PATCH 00/24] user_namespace: introduce fsid mappings · Jann Horn <jannh@google.com> · 2020-02-12

STALE2306d

Revisions (3)

2020-02-11 v1 current
2020-02-14 v2 [diff vs current]
2020-02-18 v3 [diff vs current]

From: Christian Brauner <hidden>
Date: 2020-02-11 17:02:27
Also in: linux-fsdevel, linux-security-module, lkml
Subsystem: the rest · Maintainer: Linus Torvalds

Switch setresgid() to lookup fsids in the fsid mappings. If no fsid mappings are
setup the behavior is unchanged, i.e. fsids are looked up in the id mappings.

During setresgid() the kfsgid is set to the kegid corresponding the egid that is
requested by userspace. If the requested egid is -1 the kfsgid is reset to the
current kegid. For the latter case this means we need to lookup the
corresponding userspace egid corresponding to the current kegid in the id
mappings and translate this egid into the corresponding kfsgid in the fsid
mappings.

Signed-off-by: Christian Brauner <redacted>
---
 kernel/sys.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index 3b98ce84607d..674d0ba4887c 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c

@@ -750,11 +750,12 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
 	const struct cred *old;
 	struct cred *new;
 	int retval;
-	kgid_t krgid, kegid, ksgid;
+	kgid_t krgid, kegid, ksgid, kfsgid;
 
 	krgid = make_kgid(ns, rgid);
 	kegid = make_kgid(ns, egid);
 	ksgid = make_kgid(ns, sgid);
+	kfsgid = make_kfsgid(ns, egid);
 
 	if ((rgid != (gid_t) -1) && !gid_valid(krgid))
 		return -EINVAL;

@@ -762,6 +763,8 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
 		return -EINVAL;
 	if ((sgid != (gid_t) -1) && !gid_valid(ksgid))
 		return -EINVAL;
+	if ((egid != (gid_t) -1) && !gid_valid(kfsgid))
+		return -EINVAL;
 
 	new = prepare_creds();
 	if (!new)

@@ -783,11 +786,15 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
 
 	if (rgid != (gid_t) -1)
 		new->gid = krgid;
-	if (egid != (gid_t) -1)
+	if (egid != (gid_t) -1) {
 		new->egid = kegid;
+	} else {
+		gid_t fsgid = from_kgid_munged(new->user_ns, new->egid);
+		kfsgid = make_kfsgid(ns, fsgid);
+	}
 	if (sgid != (gid_t) -1)
 		new->sgid = ksgid;
-	new->fsgid = new->egid;
+	new->fsgid = kfsgid;
 
 	return commit_creds(new);

-- 
2.25.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help