nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

userns: Fail exec for suid and sgid binaries with ids outside our user namespace.

Browse source 
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
Eric W. Biederman 2011-11-16 23:37:59 -08:00
parent a7c1938e22
commit 9e4a36ece6
1 changed files with 5 additions and 0 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

5
fs/exec.c
View file

@ -1291,8 +1291,11 @@ int prepare_binprm(struct linux_binprm *bprm)
if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
/* Set-uid? */ /* Set-uid? */
if (mode & S_ISUID) { if (mode & S_ISUID) {
if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid))
return -EPERM;
bprm->per_clear |= PER_CLEAR_ON_SETID; bprm->per_clear |= PER_CLEAR_ON_SETID;
bprm->cred->euid = inode->i_uid; bprm->cred->euid = inode->i_uid;
} }
/* Set-gid? */ /* Set-gid? */
@ -1302,6 +1305,8 @@ int prepare_binprm(struct linux_binprm *bprm)
* executable. * executable.
*/ */
if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid))
return -EPERM;
bprm->per_clear |= PER_CLEAR_ON_SETID; bprm->per_clear |= PER_CLEAR_ON_SETID;
bprm->cred->egid = inode->i_gid; bprm->cred->egid = inode->i_gid;
} }