From: Greg Kroah-Hartman
Date: Wed, 4 Jan 2017 10:34:58 +0000 (+0100)
Subject: remove 1 broken 4.4 patch
X-Git-Tag: v4.9.1~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c737b8a89d5e052223fed31121831b61eb931354;p=thirdparty%2Fkernel%2Fstable-queue.git
remove 1 broken 4.4 patch
---
diff --git a/queue-4.4/exec-ensure-mm-user_ns-contains-the-execed-files.patch b/queue-4.4/exec-ensure-mm-user_ns-contains-the-execed-files.patch
deleted file mode 100644
index 0dbacf6f9af..00000000000
--- a/queue-4.4/exec-ensure-mm-user_ns-contains-the-execed-files.patch
+++ /dev/null
@@ -1,117 +0,0 @@ -From f84df2a6f268de584a201e8911384a2d244876e3 Mon Sep 17 00:00:00 2001 -From: "Eric W. Biederman" -Date: Wed, 16 Nov 2016 22:06:51 -0600 -Subject: exec: Ensure mm->user_ns contains the execed files - -From: Eric W. Biederman - -commit f84df2a6f268de584a201e8911384a2d244876e3 upstream. - -When the user namespace support was merged the need to prevent -ptrace from revealing the contents of an unreadable executable -was overlooked. - -Correct this oversight by ensuring that the executed file -or files are in mm->user_ns, by adjusting mm->user_ns. - -Use the new function privileged_wrt_inode_uidgid to see if -the executable is a member of the user namespace, and as such -if having CAP_SYS_PTRACE in the user namespace should allow -tracing the executable. If not update mm->user_ns to -the parent user namespace until an appropriate parent is found. - -Reported-by: Jann Horn -Fixes: 9e4a36ece652 ("userns: Fail exec for suid and sgid binaries with ids outside our user namespace.") -Signed-off-by: "Eric W. 
Biederman" -Signed-off-by: Greg Kroah-Hartman - ---- - fs/exec.c | 19 +++++++++++++++++-- - include/linux/capability.h | 1 + - kernel/capability.c | 16 ++++++++++++++-- - 3 files changed, 32 insertions(+), 4 deletions(-) - ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -1123,8 +1123,22 @@ EXPORT_SYMBOL(flush_old_exec); - - void would_dump(struct linux_binprm *bprm, struct file *file) - { -- if (inode_permission(file_inode(file), MAY_READ) < 0) -+ struct inode *inode = file_inode(file); -+ if (inode_permission(inode, MAY_READ) < 0) { -+ struct user_namespace *old, *user_ns; - bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; -+ -+ /* Ensure mm->user_ns contains the executable */ -+ user_ns = old = bprm->mm->user_ns; -+ while ((user_ns != &init_user_ns) && -+ !privileged_wrt_inode_uidgid(user_ns, inode)) -+ user_ns = user_ns->parent; -+ -+ if (old != user_ns) { -+ bprm->mm->user_ns = get_user_ns(user_ns); -+ put_user_ns(old); -+ } -+ } - } - EXPORT_SYMBOL(would_dump); - -@@ -1154,7 +1168,6 @@ void setup_new_exec(struct linux_binprm - !gid_eq(bprm->cred->gid, current_egid())) { - current->pdeath_signal = 0; - } else { -- would_dump(bprm, bprm->file); - if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP) - set_dumpable(current->mm, suid_dumpable); - } -@@ -1587,6 +1600,8 @@ static int do_execveat_common(int fd, st - if (retval < 0) - goto out; - -+ would_dump(bprm, bprm->file); -+ - retval = exec_binprm(bprm); - if (retval < 0) - goto out; ---- a/include/linux/capability.h -+++ b/include/linux/capability.h -@@ -247,6 +247,7 @@ static inline bool ns_capable_noaudit(st - return true; - } - #endif /* CONFIG_MULTIUSER */ -+extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode); - extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); - extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); - ---- a/kernel/capability.c -+++ b/kernel/capability.c -@@ -457,6 +457,19 @@ bool 
file_ns_capable(const struct file * - EXPORT_SYMBOL(file_ns_capable); - - /** -+ * privileged_wrt_inode_uidgid - Do capabilities in the namespace work over the inode? -+ * @ns: The user namespace in question -+ * @inode: The inode in question -+ * -+ * Return true if the inode uid and gid are within the namespace. -+ */ -+bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode) -+{ -+ return kuid_has_mapping(ns, inode->i_uid) && -+ kgid_has_mapping(ns, inode->i_gid); -+} -+ -+/** - * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped - * @inode: The inode in question - * @cap: The capability in question -@@ -469,7 +482,6 @@ bool capable_wrt_inode_uidgid(const stru - { - struct user_namespace *ns = current_user_ns(); - -- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) && -- kgid_has_mapping(ns, inode->i_gid); -+ return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode); - } - EXPORT_SYMBOL(capable_wrt_inode_uidgid); diff --git a/queue-4.4/fs-exec-apply-cloexec-before-changing-dumpable-task-flags.patch b/queue-4.4/fs-exec-apply-cloexec-before-changing-dumpable-task-flags.patch index a100826d531..e67e85281ec 100644 --- a/queue-4.4/fs-exec-apply-cloexec-before-changing-dumpable-task-flags.patch +++ b/queue-4.4/fs-exec-apply-cloexec-before-changing-dumpable-task-flags.patch @@ -35,6 +35,7 @@ against access of CLOEXEC file descriptors -- file descriptors which may reference filesystem objects the container shouldn't have access to). Cc: dev@opencontainers.org +Cc: # v3.2+ Reported-by: Michael Crosby Signed-off-by: Aleksa Sarai Signed-off-by: Al Viro @@ -69,7 +70,7 @@ Signed-off-by: Greg Kroah-Hartman return 0; out: -@@ -1176,7 +1183,6 @@ void setup_new_exec(struct linux_binprm +@@ -1163,7 +1170,6 @@ void setup_new_exec(struct linux_binprm group */ current->self_exec_id++; flush_signal_handlers(current, 0); 
diff --git a/queue-4.4/ptrace-capture-the-ptracer-s-creds-not-pt_ptrace_cap.patch b/queue-4.4/ptrace-capture-the-ptracer-s-creds-not-pt_ptrace_cap.patch index 7d3687415bc..384b9d2ae98 100644 --- a/queue-4.4/ptrace-capture-the-ptracer-s-creds-not-pt_ptrace_cap.patch +++ b/queue-4.4/ptrace-capture-the-ptracer-s-creds-not-pt_ptrace_cap.patch @@ -40,7 +40,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/fs/exec.c +++ b/fs/exec.c -@@ -1273,7 +1273,7 @@ static void check_unsafe_exec(struct lin +@@ -1254,7 +1254,7 @@ static void check_unsafe_exec(struct lin unsigned n_fs; if (p->ptrace) { @@ -51,8 +51,8 @@ Signed-off-by: Greg Kroah-Hartman bprm->unsafe |= LSM_UNSAFE_PTRACE; --- a/include/linux/capability.h +++ b/include/linux/capability.h -@@ -250,6 +250,7 @@ static inline bool ns_capable_noaudit(st - extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode); +@@ -249,6 +249,7 @@ static inline bool ns_capable_noaudit(st + #endif /* CONFIG_MULTIUSER */ extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); +extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns); @@ -81,8 +81,8 @@ Signed-off-by: Greg Kroah-Hartman const struct cred __rcu *cred; /* effective (overridable) subjective task --- a/kernel/capability.c +++ b/kernel/capability.c -@@ -485,3 +485,23 @@ bool capable_wrt_inode_uidgid(const stru - return ns_capable(ns, cap) && privileged_wrt_inode_uidgid(ns, inode); +@@ -473,3 +473,23 @@ bool capable_wrt_inode_uidgid(const stru + kgid_has_mapping(ns, inode->i_gid); } EXPORT_SYMBOL(capable_wrt_inode_uidgid); + diff --git a/queue-4.4/series b/queue-4.4/series index f10b3234d47..62a75f84056 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -25,8 +25,6 @@ btrfs-don-t-leak-reloc-root-nodes-on-error.patch
 btrfs-fix-memory-leak-in-do_walk_down.patch
 btrfs-don-t-bug-during-drop-snapshot.patch
 btrfs-make-file-clone-aware-of-fatal-signals.patch
-exec-ensure-mm-user_ns-contains-the-execed-files.patch
-fs-exec-apply-cloexec-before-changing-dumpable-task-flags.patch
 block_dev-don-t-test-bdev-bd_contains-when-it-is-not-stable.patch
 mm-add-a-user_ns-owner-to-mm_struct-and-fix-ptrace-permission-checks.patch
 ptrace-capture-the-ptracer-s-creds-not-pt_ptrace_cap.patch
@@ -42,3 +40,4 @@ ext4-do-not-perform-data-journaling-when-data-is-encrypted.patch
 f2fs-set-owner-for-debugfs-status-file-s-file_operations.patch
 loop-return-proper-error-from-loop_queue_rq.patch
 mm-vmscan.c-set-correct-defer-count-for-shrinker.patch
+fs-exec-apply-cloexec-before-changing-dumpable-task-flags.patch
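Review bot: The first series hunk drops exec-ensure-mm-user_ns-contains-the-execed-files.patch from the 4.4 queue, but the commit records neither why the patch is broken nor whether a reworked backport will follow. That leaves 4.4 without the fix its changelog describes (ptrace revealing the contents of an unreadable executable), with no trail for anyone auditing the branch. The removed patch reads and reassigns `bprm->mm->user_ns`, while this series lists mm-add-a-user_ns-owner-to-mm_struct-and-fix-ptrace-permission-checks.patch after it, so the breakage may be a dependency or ordering problem; that is inferred from the visible lines, not stated anywhere. I would extend the description along the lines of `remove 1 broken 4.4 patch: exec-ensure-mm-user_ns-contains-the-execed-files.patch (<reason it fails on 4.4>); needs a reworked backport`, and track the dropped fix so it is re-queued once its prerequisites are in place.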