Re: [PATCH 05/14] userns: clamp down users of cap_raised
From: Vasiliy Kulikov <hidden>
Date: 2011-07-28 23:23:52
Also in: lkml
On Tue, Jul 26, 2011 at 18:58 +0000, Serge Hallyn wrote:
From: Serge E. Hallyn <redacted> A few modules are using cap_raised(current_cap(), cap) to authorize actions, but the privilege should be applicable against the initial user namespace. Refuse privilege if the caller is not in init_user_ns. Signed-off-by: Serge E. Hallyn <redacted> Cc: Eric W. Biederman <redacted> --- drivers/block/drbd/drbd_nl.c | 5 +++++ drivers/md/dm-log-userspace-transfer.c | 3 +++ drivers/staging/pohmelfs/config.c | 3 +++ drivers/video/uvesafb.c | 3 +++ 4 files changed, 14 insertions(+), 0 deletions(-)diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c index 515bcd9..7717f8a 100644 --- a/drivers/block/drbd/drbd_nl.c +++ b/drivers/block/drbd/drbd_nl.c@@ -2297,6 +2297,11 @@ static void drbd_connector_callback(struct cn_msg *req, struct netlink_skb_parms return; } + if (current_user_ns() != &init_user_ns) {
[...]
if (!cap_raised(current_cap(), CAP_SYS_ADMIN)) {[...]

Looks like it is a common pattern. Maybe move both checks to a function?

Thanks,

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
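Review bot: the added `current_user_ns() != &init_user_ns` test in drbd_connector_callback() and the existing `cap_raised(current_cap(), CAP_SYS_ADMIN)` test right after it both read the credentials of `current`, but this function is a connector callback that takes a `struct netlink_skb_parms`, so the two checks only authorize the sender if the callback is guaranteed to run in the sending task's context. A short comment above the new block stating that assumption would make the check auditable. Separately, the diffstat shows the same 3 to 5 line addition going into four drivers; a single helper that performs both tests would keep the call sites from drifting apart and give one place to change when the capability check becomes namespace-aware.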