From patchwork Wed Sep 30 00:05:46 2015
X-Patchwork-Submitter: Dirk Steinmetz
X-Patchwork-Id: 7291681
Date: Wed, 30 Sep 2015 02:05:46 +0200
From: Dirk Steinmetz
To: Alexander Viro, linux-fsdevel@vger.kernel.org
Subject: [PATCH] namei: permit linking with CAP_FOWNER in userns
Message-ID: <20150930020546.48aeb78b@pc-dirk.ip>

Attempting to hardlink to an unsafe file (e.g. a setuid binary) from within an unprivileged user namespace fails, even if CAP_FOWNER is held within the namespace. This may cause various failures, such as a gentoo installation within a lxc container failing to build and install specific packages.

This change permits hardlinking of files owned by mapped uids, if CAP_FOWNER is held for that namespace. Furthermore, it improves consistency by using the existing inode_owner_or_capable(), which is aware of namespaced capabilities as of 23adbe12ef7d3 ("fs,userns: Change inode_capable to capable_wrt_inode_uidgid").

Signed-off-by: Dirk Steinmetz
--- fs/namei.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 726d211..29fc6a6 100644 --- a/fs/namei.c +++ b/fs/namei.c 
@@ -955,26 +955,23 @@ static bool safe_hardlink_source(struct inode *inode) * - sysctl_protected_hardlinks enabled * - fsuid does not match inode * - hardlink source is unsafe (see safe_hardlink_source() above) - * - not CAP_FOWNER + * - not CAP_FOWNER in a namespace with the inode owner uid mapped * * Returns 0 if successful, -ve on error. */ static int may_linkat(struct path *link) { - const struct cred *cred; struct inode *inode; if (!sysctl_protected_hardlinks) return 0; - cred = current_cred(); inode = link->dentry->d_inode; /* Source inode owner (or CAP_FOWNER) can hardlink all they like, * otherwise, it must be a safe source. */ - if (uid_eq(cred->fsuid, inode->i_uid) || safe_hardlink_source(inode) || - capable(CAP_FOWNER)) + if (inode_owner_or_capable(inode) || safe_hardlink_source(inode)) return 0; audit_log_link_denied("linkat", link);
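Review bot: In may_linkat(), replacing `capable(CAP_FOWNER)` with `inode_owner_or_capable(inode)` widens who can pass the sysctl_protected_hardlinks check, and neither the commit message nor the comments say why that is safe. The check exists to stop users from hardlinking unsafe sources they do not own, so the changelog should state which inode owner uids an unprivileged user can get mapped into a namespace where they hold CAP_FOWNER, and why linking setuid files owned by those uids is acceptable. The header comment now says "not CAP_FOWNER in a namespace with the inode owner uid mapped", but the inline comment still reads "Source inode owner (or CAP_FOWNER) can hardlink all they like"; please update it to carry the same namespace and uid-mapping qualification so the two do not disagree. The header comment also mentions only the owner uid: if the helper places any requirement on the inode's gid, say so there, and if it does not, say why that is fine for the sources safe_hardlink_source() rejects. Dropping the local `cred` and the reordering of the two conditions look fine, since both branches return 0.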