new mode 'shadow' for /proc/PID/setgroups
From: | Giuseppe Scrivano <gscrivan-AT-redhat.com> | |
To: | linux-kernel-AT-vger.kernel.org | |
Subject: | [RFC PATCH 0/3] new mode 'shadow' for /proc/PID/setgroups | |
Date: | Mon, 10 May 2021 15:00:08 +0200 | |
Message-ID: | <20210510130011.1441834-1-gscrivan@redhat.com> | |
Cc: | serge-AT-hallyn.com, dwalsh-AT-redhat.com, christian.brauner-AT-ubuntu.com, ebiederm-AT-xmission.com | |
Archive-link: | Article |
This series is based on some old patches I've been playing with some years ago, but they were never sent to lkml as I was not sure about their complexity/usefulness ratio. It was recently reported by another user that these patches are still useful[1] so I am submitting the last version and see what other folks think about this feature. Since the fix for CVE-2014-8989 in order to set a gids mapping for a user namespace when the user namespace owner doesn't have CAP_SETGID in its parent, it is necessary to first disable setgroups(2) through /proc/PID/setgroups. Setting up a user namespace with multiple IDs mapped into is usually done through the privileged helpers newuidmap/newgidmap. Since these helpers run either as setuid or with CAP_SET[U,G]ID file capabilities, it is not necessary to disable setgroups(2) in the created user namespace. The user running in the user namespace can use setgroups(2) and drop the additional groups that it had initially. This is still an issue on systems where negative groups ACLs, i.e. the group permissions are more restrictive than the entry for the other categories, are used. With such configuration, allowing setgroups(2) would cause the same security vulnerability described by CVE-2014-8989. This patchset adds a new 'shadow' mode for the /proc/PID/setgroups file. It permits to safely enable setgroups also when negative groups ACLs are used. When the 'shadow' mode is written to /proc/PID/setgroups, the current process groups are stored into the user namespace and they will be silently added on each setgroups(2) call. A child user namespace won't be able to drop these groups anymore. To fully take advantage of this feature, newgidmap will also need to learn about the 'shadow' mode. An idea is that when the system or the user are using negative groups ACLs, then newgidmap needs to check that /proc/PID/setgroups is set to 'deny' or 'shadow' before allowing a mapping. The configuration for negative groups ACLs can either be a system wide or per user setting. [1] https://lore.kernel.org/lkml/20210507133703.GB22450@mail.... Giuseppe Scrivano (3): setgroups: new mode 'shadow' for /proc/PID/setgroups getgroups: hide unknown groups proc: hide unknown groups in status fs/proc/array.c | 12 +++- include/linux/cred.h | 4 +- include/linux/user_namespace.h | 11 +++- kernel/groups.c | 100 +++++++++++++++++++++------------ kernel/uid16.c | 90 ++++++++++++++++++----------- kernel/user_namespace.c | 34 +++++++++-- 6 files changed, 169 insertions(+), 82 deletions(-) -- 2.31.1