diff mbox

devpts: Make ptmx be owned by the userns owner instead of userns-local 0

Message ID fd99f5e7144be5de87c88e069cd5edb36136eefd.1457931898.git.luto@kernel.org (mailing list archive)
State New, archived
Headers show

Commit Message

Andy Lutomirski March 14, 2016, 5:06 a.m. UTC
We used to have ptmx be owned by the inner uid and gid 0.  Change
this: if the owner and group are both mapped but are not both 0,
then use the owner instead.

For container-style namespaces (LXC, etc), this should have no
effect -- UID 0 is will either be the owner or will be unmapped.

The important behavior change is for sandboxes: many sandboxes
intentionally do not create an inner uid 0.  Without this patch,
mounting devpts in such a sandbox is awkward.  With this patch, it
will just work and ptmx will be owned by the namespace owner.

Cc: Alexander Larsson <alexl@redhat.com>
Cc: mclasen@redhat.com
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linux Containers <containers@lists.linux-foundation.org>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 fs/devpts/inode.c | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

Comments

Serge E. Hallyn March 14, 2016, 8:35 a.m. UTC | #1
Quoting Andy Lutomirski (luto@kernel.org):
> We used to have ptmx be owned by the inner uid and gid 0.  Change
> this: if the owner and group are both mapped but are not both 0,
> then use the owner instead.
> 
> For container-style namespaces (LXC, etc), this should have no
> effect -- UID 0 is will either be the owner or will be unmapped.

This doesn't seem right - it's often the case that the owner is mapped
in as non-0 uid, safe or not.  The actual namespace root uid should be
the owner (so long as it exists).

Why not reverse the cases?  If 0 is not mapped, then check whether the
current_user_ns()->owner is mapped?

> The important behavior change is for sandboxes: many sandboxes
> intentionally do not create an inner uid 0.  Without this patch,
> mounting devpts in such a sandbox is awkward.  With this patch, it
> will just work and ptmx will be owned by the namespace owner.
> 
> Cc: Alexander Larsson <alexl@redhat.com>
> Cc: mclasen@redhat.com
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Linux Containers <containers@lists.linux-foundation.org>
> Signed-off-by: Andy Lutomirski <luto@kernel.org>
> ---
>  fs/devpts/inode.c | 34 ++++++++++++++++++++++++++++++----
>  1 file changed, 30 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
> index 655f21f99160..d6fa2d1beee3 100644
> --- a/fs/devpts/inode.c
> +++ b/fs/devpts/inode.c
> @@ -27,6 +27,7 @@
>  #include <linux/parser.h>
>  #include <linux/fsnotify.h>
>  #include <linux/seq_file.h>
> +#include <linux/user_namespace.h>
>  
>  #define DEVPTS_DEFAULT_MODE 0600
>  /*
> @@ -250,10 +251,35 @@ static int mknod_ptmx(struct super_block *sb)
>  	kuid_t root_uid;
>  	kgid_t root_gid;
>  
> -	root_uid = make_kuid(current_user_ns(), 0);
> -	root_gid = make_kgid(current_user_ns(), 0);
> -	if (!uid_valid(root_uid) || !gid_valid(root_gid))
> -		return -EINVAL;
> +	/*
> +	 * For a new devpts instance, ptmx is owned by the creating user
> +	 * namespace's owner.  Usually, that will be 0 as seen by the
> +	 * user namespace, but for unprivileged sandbox namespaces,
> +	 * there may not be a uid 0 or gid 0 at all.
> +	 */
> +	root_uid = current_user_ns()->owner;
> +	root_gid = current_user_ns()->group;
> +
> +	if (!uid_valid(root_uid) || !gid_valid(root_gid)) {
> +		/*
> +		 * It's very unlikely for us to get here if the userns
> +		 * owner is not mapped, but it's possible -- we'd have
> +		 * to be running in the userns with capabilities granted
> +		 * by unshare or setns, since there is no inner
> +		 * privileged user.  Nonetheless, this could happen, and
> +		 * we don't want ptmx to be owned by an unmapped user or
> +		 * group.
> +		 *
> +		 * If this happens fall back to historical behavior:
> +		 * try to have ptmx be owned by 0:0.
> +		 */
> +		root_uid = make_kuid(current_user_ns(), 0);
> +		root_gid = make_kgid(current_user_ns(), 0);
> +
> +		/* If this still doesn't work, give up. */
> +		if (!uid_valid(root_uid) || !gid_valid(root_gid))
> +			return -EINVAL;
> +	}
>  
>  	inode_lock(d_inode(root));
>  
> -- 
> 2.5.0
> 
> _______________________________________________
> Containers mailing list
> Containers@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Alexander Larsson March 14, 2016, 3:42 p.m. UTC | #2
On sön, 2016-03-13 at 22:06 -0700, Andy Lutomirski wrote:
> We used to have ptmx be owned by the inner uid and gid 0.  Change
> this: if the owner and group are both mapped but are not both 0,
> then use the owner instead.
> 
> For container-style namespaces (LXC, etc), this should have no
> effect -- UID 0 is will either be the owner or will be unmapped.
> 
> The important behavior change is for sandboxes: many sandboxes
> intentionally do not create an inner uid 0.  Without this patch,
> mounting devpts in such a sandbox is awkward.  With this patch, it
> will just work and ptmx will be owned by the namespace owner.
> 
> Cc: Alexander Larsson <alexl@redhat.com>
> Cc: mclasen@redhat.com
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Linux Containers <containers@lists.linux-foundation.org>
> Signed-off-by: Andy Lutomirski <luto@kernel.org>

Tested-by: Alexander Larsson <alexl@redhat.com>

Seems to work fine for me! Thanks!
Andy Lutomirski March 15, 2016, 6:21 p.m. UTC | #3
On Mar 14, 2016 1:35 AM, "Serge Hallyn" <serge.hallyn@ubuntu.com> wrote:
>
> Quoting Andy Lutomirski (luto@kernel.org):
> > We used to have ptmx be owned by the inner uid and gid 0.  Change
> > this: if the owner and group are both mapped but are not both 0,
> > then use the owner instead.
> >
> > For container-style namespaces (LXC, etc), this should have no
> > effect -- UID 0 is will either be the owner or will be unmapped.
>
> This doesn't seem right - it's often the case that the owner is mapped
> in as non-0 uid, safe or not.  The actual namespace root uid should be
> the owner (so long as it exists).
>
> Why not reverse the cases?  If 0 is not mapped, then check whether the
> current_user_ns()->owner is mapped?

Good point, and less chance of breakage that way as well.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 655f21f99160..d6fa2d1beee3 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -27,6 +27,7 @@ 
 #include <linux/parser.h>
 #include <linux/fsnotify.h>
 #include <linux/seq_file.h>
+#include <linux/user_namespace.h>
 
 #define DEVPTS_DEFAULT_MODE 0600
 /*
@@ -250,10 +251,35 @@  static int mknod_ptmx(struct super_block *sb)
 	kuid_t root_uid;
 	kgid_t root_gid;
 
-	root_uid = make_kuid(current_user_ns(), 0);
-	root_gid = make_kgid(current_user_ns(), 0);
-	if (!uid_valid(root_uid) || !gid_valid(root_gid))
-		return -EINVAL;
+	/*
+	 * For a new devpts instance, ptmx is owned by the creating user
+	 * namespace's owner.  Usually, that will be 0 as seen by the
+	 * user namespace, but for unprivileged sandbox namespaces,
+	 * there may not be a uid 0 or gid 0 at all.
+	 */
+	root_uid = current_user_ns()->owner;
+	root_gid = current_user_ns()->group;
+
+	if (!uid_valid(root_uid) || !gid_valid(root_gid)) {
+		/*
+		 * It's very unlikely for us to get here if the userns
+		 * owner is not mapped, but it's possible -- we'd have
+		 * to be running in the userns with capabilities granted
+		 * by unshare or setns, since there is no inner
+		 * privileged user.  Nonetheless, this could happen, and
+		 * we don't want ptmx to be owned by an unmapped user or
+		 * group.
+		 *
+		 * If this happens fall back to historical behavior:
+		 * try to have ptmx be owned by 0:0.
+		 */
+		root_uid = make_kuid(current_user_ns(), 0);
+		root_gid = make_kgid(current_user_ns(), 0);
+
+		/* If this still doesn't work, give up. */
+		if (!uid_valid(root_uid) || !gid_valid(root_gid))
+			return -EINVAL;
+	}
 
 	inode_lock(d_inode(root));