New upstream version 4.7upstream/4.7

1 files changed, 57 insertions, 2 deletions

diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c
index 20f2d9c7..aea94936 100644
--- a/libmisc/idmapping.c
+++ b/libmisc/idmapping.c
@@ -36,6 +36,10 @@
 #include <stdio.h>
 #include "prototypes.h"
 #include "idmapping.h"
+#include <sys/prctl.h>
+#if HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#endif
 
 struct map_range *get_map_ranges(int ranges, int argc, char **argv)
 {
@@ -119,9 +123,23 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
  */
 #define ULONG_DIGITS ((((sizeof(unsigned long) * CHAR_BIT) + 9)/10)*3)
 
-
+/*
+ * The ruid refers to the caller's uid and is used to reset the effective uid
+ * back to the callers real uid.
+ * This clutch mainly exists for setuid-based new{g,u}idmap binaries that are
+ * called in contexts where all capabilities other than the necessary
+ * CAP_SET{G,U}ID capabilities are dropped. Since the kernel will require
+ * assurance that the caller holds CAP_SYS_ADMIN over the target user namespace
+ * the only way it can confirm is in this case is if the effective uid is
+ * equivalent to the uid owning the target user namespace.
+ * Note, we only support this when a) new{g,u}idmap is not called by root and
+ * b) if the caller's uid and the uid retrieved via system appropriate means
+ * (shadow file or other) are identical. Specifically, this does not support
+ * when the root user calls the new{g,u}idmap binary for an unprivileged user.
+ * If this is wanted: use file capabilities!
+ */
 void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
-	const char *map_file)
+	const char *map_file, uid_t ruid)
 {
 	int idx;
 	struct map_range *mapping;
@@ -129,6 +147,43 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
 	char *buf, *pos;
 	int fd;
 
+#if HAVE_SYS_CAPABILITY_H
+	int cap;
+	struct __user_cap_header_struct hdr = {_LINUX_CAPABILITY_VERSION_3, 0};
+	struct __user_cap_data_struct data[2] = {{0}};
+
+	if (strcmp(map_file, "uid_map") == 0) {
+		cap = CAP_SETUID;
+	} else if (strcmp(map_file, "gid_map") == 0) {
+		cap = CAP_SETGID;
+	} else {
+		fprintf(stderr, _("%s: Invalid map file %s specified\n"), Prog, map_file);
+		exit(EXIT_FAILURE);
+	}
+
+	/* Align setuid- and fscaps-based new{g,u}idmap behavior. */
+	if (geteuid() == 0 && geteuid() != ruid) {
+		if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
+			fprintf(stderr, _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), Prog);
+			exit(EXIT_FAILURE);
+		}
+
+		if (seteuid(ruid) < 0) {
+			fprintf(stderr, _("%s: Could not seteuid to %d\n"), Prog, ruid);
+			exit(EXIT_FAILURE);
+		}
+	}
+
+	/* Lockdown new{g,u}idmap by dropping all unneeded capabilities. */
+	memset(data, 0, sizeof(data));
+	data[0].effective = CAP_TO_MASK(cap);
+	data[0].permitted = data[0].effective;
+	if (capset(&hdr, data) < 0) {
+		fprintf(stderr, _("%s: Could not set caps\n"), Prog);
+		exit(EXIT_FAILURE);
+	}
+#endif
+
 	bufsize = ranges * ((ULONG_DIGITS  + 1) * 3);
 	pos = buf = xmalloc(bufsize);