Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v4.6.3 2016-03-22T22:36:02+00:00 2016-03-22T22:36:02+00:00 Jann Horn jann@thejh.net 2016-03-22T21:25:36+00:00 urn:sha1:378c6520e7d29280f400ef2ceaf155c86f05a71a This commit fixes the following security hole affecting systems where all of the following conditions are fulfilled: - The fs.suid_dumpable sysctl is set to 2. - The kernel.core_pattern sysctl's value starts with "/". (Systems where kernel.core_pattern starts with "|/" are not affected.) - Unprivileged user namespace creation is permitted. (This is true on Linux >=3.8, but some distributions disallow it by default using a distro patch.) Under these conditions, if a program executes under secure exec rules, causing it to run with the SUID_DUMP_ROOT flag, then unshares its user namespace, changes its root directory and crashes, the coredump will be written using fsuid=0 and a path derived from kernel.core_pattern - but this path is interpreted relative to the root directory of the process, allowing the attacker to control where a coredump will be written with root privileges. To fix the security issue, always interpret core_pattern for dumps that are written under SUID_DUMP_ROOT relative to the root directory of init. Signed-off-by: Jann Horn <jann@thejh.net> Acked-by: Kees Cook <keescook@chromium.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2016-01-04T15:29:45+00:00 Al Viro viro@zeniv.linux.org.uk 2016-01-02T19:53:28+00:00 urn:sha1:793b796ebfcb3157fe80056a719096a550f0c7d0 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2013-11-17T10:27:35+00:00 Richard Weinberger richard@nod.at 2013-09-23T15:38:03+00:00 urn:sha1:a1850e9c7282db1c19a18093a945d5e84bfe7418 As we have a sane show_stack() now, we can drop the ->saved_task hack. Signed-off-by: Richard Weinberger <richard@nod.at> 2013-06-19T08:37:57+00:00 Al Viro viro@zeniv.linux.org.uk 2013-06-19T08:35:42+00:00 urn:sha1:c9036e9f3b2b77f678572260e1ef1075fcb08c36 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2013-04-09T18:16:38+00:00 David Howells dhowells@redhat.com 2013-04-04T15:58:25+00:00 urn:sha1:4554eb90659eb3132f41968b77511d7263b631f0 Adjust printk in create_proc_mconsole() to reflect it is now using proc_create() not create_proc_mconsole(). Signed-off-by: David Howells <dhowells@redhat.com> 2012-12-17T23:44:47+00:00 Linus Torvalds torvalds@linux-foundation.org 2012-12-17T23:44:47+00:00 urn:sha1:6a2b60b17b3e48a418695a94bd2420f6ab32e519 Pull user namespace changes from Eric Biederman: "While small this set of changes is very significant with respect to containers in general and user namespaces in particular. The user space interface is now complete. This set of changes adds support for unprivileged users to create user namespaces and as a user namespace root to create other namespaces. The tyranny of supporting suid root preventing unprivileged users from using cool new kernel features is broken. This set of changes completes the work on setns, adding support for the pid, user, mount namespaces. This set of changes includes a bunch of basic pid namespace cleanups/simplifications. Of particular significance is the rework of the pid namespace cleanup so it no longer requires sending out tendrils into all kinds of unexpected cleanup paths for operation. At least one case of broken error handling is fixed by this cleanup. The files under /proc/<pid>/ns/ have been converted from regular files to magic symlinks which prevents incorrect caching by the VFS, ensuring the files always refer to the namespace the process is currently using and ensuring that the ptrace_mayaccess permission checks are always applied. The files under /proc/<pid>/ns/ have been given stable inode numbers so it is now possible to see if different processes share the same namespaces. Through the David Miller's net tree are changes to relax many of the permission checks in the networking stack to allowing the user namespace root to usefully use the networking stack. Similar changes for the mount namespace and the pid namespace are coming through my tree. Two small changes to add user namespace support were commited here adn in David Miller's -net tree so that I could complete the work on the /proc/<pid>/ns/ files in this tree. Work remains to make it safe to build user namespaces and 9p, afs, ceph, cifs, coda, gfs2, ncpfs, nfs, nfsd, ocfs2, and xfs so the Kconfig guard remains in place preventing that user namespaces from being built when any of those filesystems are enabled. Future design work remains to allow root users outside of the initial user namespace to mount more than just /proc and /sys." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (38 commits) proc: Usable inode numbers for the namespace file descriptors. proc: Fix the namespace inode permission checks. proc: Generalize proc inode allocation userns: Allow unprivilged mounts of proc and sysfs userns: For /proc/self/{uid,gid}_map derive the lower userns from the struct file procfs: Print task uids and gids in the userns that opened the proc file userns: Implement unshare of the user namespace userns: Implent proc namespace operations userns: Kill task_user_ns userns: Make create_new_namespaces take a user_ns parameter userns: Allow unprivileged use of setns. userns: Allow unprivileged users to create new namespaces userns: Allow setting a userns mapping to your current uid. userns: Allow chown and setgid preservation userns: Allow unprivileged users to create user namespaces. userns: Ignore suid and sgid on binaries if the uid or gid can not be mapped userns: fix return value on mntns_install() failure vfs: Allow unprivileged manipulation of the mount namespace. vfs: Only support slave subtrees across different user namespaces vfs: Add a user namespace reference from struct mnt_namespace ... 2012-11-19T13:59:09+00:00 Eric W. Biederman ebiederm@xmission.com 2010-03-02T22:51:53+00:00 urn:sha1:17cf22c33e1f1b5e435469c84e43872579497653 The expressions tsk->nsproxy->pid_ns and task_active_pid_ns aka ns_of_pid(task_pid(tsk)) should have the same number of cache line misses with the practical difference that ns_of_pid(task_pid(tsk)) is released later in a processes life. Furthermore by using task_active_pid_ns it becomes trivial to write an unshare implementation for the the pid namespace. So I have used task_active_pid_ns everywhere I can. In fork since the pid has not yet been attached to the process I use ns_of_pid, to achieve the same effect. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> 2012-10-23T21:54:06+00:00 Frederic Weisbecker fweisbec@gmail.com 2012-10-10T23:47:16+00:00 urn:sha1:4d9a5d4319e22670ec6d6227e12b54f361c46d0f It's only there to call rcu_user_hooks_switch(). Let's just call rcu_user_hooks_switch() directly, we don't need this function in the middle. Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com> Cc: Josh Triplett <josh@joshtriplett.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Richard Weinberger <richard@nod.at> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> 2012-10-10T02:15:20+00:00 Linus Torvalds torvalds@linux-foundation.org 2012-10-10T02:15:20+00:00 urn:sha1:f59b51fe3d3092c08d7d554ecb40db24011b2ebc Pull UML changes from Richard Weinberger: "UML receives this time only cleanups. The most outstanding change is the 'include "foo.h"' do 'include <foo.h>' conversion done by Al Viro. It touches many files, that's why the diffstat is rather big." * 'for-linus-37rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: typo in UserModeLinux-HOWTO hppfs: fix the return value of get_inode() hostfs: drop vmtruncate um: get rid of pointless include "..." where include <...> will do um: move sysrq.h out of include/shared um/x86: merge 32 and 64 bit variants of ptrace.h um/x86: merge 32 and 64bit variants of checksum.h 2012-10-09T20:28:45+00:00 Al Viro viro@ZenIV.linux.org.uk 2012-10-08T02:27:32+00:00 urn:sha1:37185b33240870719b6b5913a46e6a441f1ae96f Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Richard Weinberger <richard@nod.at>