diff options
| author | Eric W. Biederman | 2011-11-17 08:37:59 +0100 |
|---|---|---|
| committer | Eric W. Biederman | 2012-05-15 23:59:23 +0200 |
| commit | 9e4a36ece652908276bc4abb4324ec56292453e1 (patch) | |
| tree | ec267b9350f9e06aa510e35fbd6858ba3b9d602c /fs/exec.c | |
| parent | userns: Convert stat to return values mapped from kuids and kgids (diff) | |
| download | kernel-qcow2-linux-9e4a36ece652908276bc4abb4324ec56292453e1.tar.gz kernel-qcow2-linux-9e4a36ece652908276bc4abb4324ec56292453e1.tar.xz kernel-qcow2-linux-9e4a36ece652908276bc4abb4324ec56292453e1.zip | |
userns: Fail exec for suid and sgid binaries with ids outside our user namespace.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'fs/exec.c')
| -rw-r--r-- | fs/exec.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/exec.c b/fs/exec.c index 00ae2ef100d8..e001bdfac530 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1291,8 +1291,11 @@ int prepare_binprm(struct linux_binprm *bprm) if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { /* Set-uid? */ if (mode & S_ISUID) { + if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid)) + return -EPERM; bprm->per_clear |= PER_CLEAR_ON_SETID; bprm->cred->euid = inode->i_uid; + } /* Set-gid? */ @@ -1302,6 +1305,8 @@ int prepare_binprm(struct linux_binprm *bprm) * executable. */ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { + if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) + return -EPERM; bprm->per_clear |= PER_CLEAR_ON_SETID; bprm->cred->egid = inode->i_gid; } |