Re: [PATCH 6/6] protect cap_netlink_recv from user namespaces

[Eric Paris]

On Fri, 2011-11-04 at 22:24 +0000, Serge Hallyn wrote:
> From: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> 
> cap_netlink_recv() was granting privilege if a capability is in
> current_cap(), regardless of the user namespace.  Fix that by
> targeting the capability check against the user namespace which
> owns the skb.
> 
> Caller passes the user ns down because sock_net is static inline defined in
> net/sock.h, which we'd rather not #include at the cap_netlink_recv function.

This is wrong at least in relation to audit.  I don't know the other
code well enough to know if I think it's ok there.  Lets say I have
(CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID) and I create a new task with
CLONE_NEWNAME.  This task then immediately does the needful to remove
all audit rules (which supposedly requires CAP_AUDIT_CONTROL).  That's
going to succeed because the task is init in it's namespace, aka:

        /* The creator of the user namespace has all caps. */
        if (targ_ns != &init_user_ns && targ_ns->creator == cred->user)
                return 0;

But it just screwed with a global resource.  aka audit.  I don't know
the meaning of these others, but it seems to me probably most or all of
them should be against the init_user_ns, not the namespace the skb came
from....

What am I missing?

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/