diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/lsm.c | 5 | ||||
| -rw-r--r-- | security/commoncap.c | 38 | ||||
| -rw-r--r-- | security/security.c | 16 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 13 | 
4 files changed, 52 insertions, 20 deletions
| diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index d21a427a35a..ae3a698415e 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -22,6 +22,7 @@  #include <linux/ctype.h>  #include <linux/sysctl.h>  #include <linux/audit.h> +#include <linux/user_namespace.h>  #include <net/sock.h>  #include "include/apparmor.h" @@ -136,11 +137,11 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,  }  static int apparmor_capable(struct task_struct *task, const struct cred *cred, -			    int cap, int audit) +			    struct user_namespace *ns, int cap, int audit)  {  	struct aa_profile *profile;  	/* cap_capable returns 0 on success, else -EPERM */ -	int error = cap_capable(task, cred, cap, audit); +	int error = cap_capable(task, cred, ns, cap, audit);  	if (!error) {  		profile = aa_cred_profile(cred);  		if (!unconfined(profile)) diff --git a/security/commoncap.c b/security/commoncap.c index 49c57fd60ae..43a205bc7d7 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -27,6 +27,7 @@  #include <linux/sched.h>  #include <linux/prctl.h>  #include <linux/securebits.h> +#include <linux/user_namespace.h>  /*   * If a non-root user executes a setuid-root binary in @@ -67,6 +68,7 @@ EXPORT_SYMBOL(cap_netlink_recv);   * cap_capable - Determine whether a task has a particular effective capability   * @tsk: The task to query   * @cred: The credentials to use + * @ns:  The user namespace in which we need the capability   * @cap: The capability to check for   * @audit: Whether to write an audit message or not   * @@ -78,10 +80,30 @@ EXPORT_SYMBOL(cap_netlink_recv);   * cap_has_capability() returns 0 when a task has a capability, but the   * kernel's capable() and has_capability() returns 1 for this case.   */ -int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, -		int audit) +int cap_capable(struct task_struct *tsk, const struct cred *cred, +		struct user_namespace *targ_ns, int cap, int audit)  { -	return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; +	for (;;) { +		/* The creator of the user namespace has all caps. */ +		if (targ_ns != &init_user_ns && targ_ns->creator == cred->user) +			return 0; + +		/* Do we have the necessary capabilities? */ +		if (targ_ns == cred->user->user_ns) +			return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; + +		/* Have we tried all of the parent namespaces? */ +		if (targ_ns == &init_user_ns) +			return -EPERM; + +		/* +		 *If you have a capability in a parent user ns, then you have +		 * it over all children user namespaces as well. +		 */ +		targ_ns = targ_ns->creator->user_ns; +	} + +	/* We never get here */  }  /** @@ -176,7 +198,8 @@ static inline int cap_inh_is_capped(void)  	/* they are so limited unless the current task has the CAP_SETPCAP  	 * capability  	 */ -	if (cap_capable(current, current_cred(), CAP_SETPCAP, +	if (cap_capable(current, current_cred(), +			current_cred()->user->user_ns, CAP_SETPCAP,  			SECURITY_CAP_AUDIT) == 0)  		return 0;  	return 1; @@ -828,7 +851,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,  		     & (new->securebits ^ arg2))			/*[1]*/  		    || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))	/*[2]*/  		    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))	/*[3]*/ -		    || (cap_capable(current, current_cred(), CAP_SETPCAP, +		    || (cap_capable(current, current_cred(), +				    current_cred()->user->user_ns, CAP_SETPCAP,  				    SECURITY_CAP_AUDIT) != 0)		/*[4]*/  			/*  			 * [1] no changing of bits that are locked @@ -893,7 +917,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)  {  	int cap_sys_admin = 0; -	if (cap_capable(current, current_cred(), CAP_SYS_ADMIN, +	if (cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_ADMIN,  			SECURITY_CAP_NOAUDIT) == 0)  		cap_sys_admin = 1;  	return __vm_enough_memory(mm, pages, cap_sys_admin); @@ -920,7 +944,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,  	int ret = 0;  	if (addr < dac_mmap_min_addr) { -		ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO, +		ret = cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_RAWIO,  				  SECURITY_CAP_AUDIT);  		/* set PF_SUPERPRIV if it turns out we allow the low mmap */  		if (ret == 0) diff --git a/security/security.c b/security/security.c index 9187665a3fd..101142369db 100644 --- a/security/security.c +++ b/security/security.c @@ -154,29 +154,33 @@ int security_capset(struct cred *new, const struct cred *old,  				    effective, inheritable, permitted);  } -int security_capable(const struct cred *cred, int cap) +int security_capable(struct user_namespace *ns, const struct cred *cred, +		     int cap)  { -	return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT); +	return security_ops->capable(current, cred, ns, cap, +				     SECURITY_CAP_AUDIT);  } -int security_real_capable(struct task_struct *tsk, int cap) +int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, +			  int cap)  {  	const struct cred *cred;  	int ret;  	cred = get_task_cred(tsk); -	ret = security_ops->capable(tsk, cred, cap, SECURITY_CAP_AUDIT); +	ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_AUDIT);  	put_cred(cred);  	return ret;  } -int security_real_capable_noaudit(struct task_struct *tsk, int cap) +int security_real_capable_noaudit(struct task_struct *tsk, +				  struct user_namespace *ns, int cap)  {  	const struct cred *cred;  	int ret;  	cred = get_task_cred(tsk); -	ret = security_ops->capable(tsk, cred, cap, SECURITY_CAP_NOAUDIT); +	ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_NOAUDIT);  	put_cred(cred);  	return ret;  } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 6475e1f0223..c67f863d354 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -79,6 +79,7 @@  #include <linux/mutex.h>  #include <linux/posix-timers.h>  #include <linux/syslog.h> +#include <linux/user_namespace.h>  #include "avc.h"  #include "objsec.h" @@ -1846,11 +1847,11 @@ static int selinux_capset(struct cred *new, const struct cred *old,   */  static int selinux_capable(struct task_struct *tsk, const struct cred *cred, -			   int cap, int audit) +			   struct user_namespace *ns, int cap, int audit)  {  	int rc; -	rc = cap_capable(tsk, cred, cap, audit); +	rc = cap_capable(tsk, cred, ns, cap, audit);  	if (rc)  		return rc; @@ -1931,7 +1932,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)  {  	int rc, cap_sys_admin = 0; -	rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN, +	rc = selinux_capable(current, current_cred(), +			     &init_user_ns, CAP_SYS_ADMIN,  			     SECURITY_CAP_NOAUDIT);  	if (rc == 0)  		cap_sys_admin = 1; @@ -2834,7 +2836,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name  	 * and lack of permission just means that we fall back to the  	 * in-core context value, not a denial.  	 */ -	error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN, +	error = selinux_capable(current, current_cred(), +				&init_user_ns, CAP_MAC_ADMIN,  				SECURITY_CAP_NOAUDIT);  	if (!error)  		error = security_sid_to_context_force(isec->sid, &context, @@ -2968,7 +2971,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,  	case KDSKBENT:  	case KDSKBSENT:  		error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG, -					    SECURITY_CAP_AUDIT); +					SECURITY_CAP_AUDIT);  		break;  	/* default case assumes that the command will go | 
