userns: Don't allow unprivileged creation of gid mappings
authorEric W. Biederman <ebiederm@xmission.com>
Sat, 6 Dec 2014 00:14:19 +0000 (18:14 -0600)
committerEric W. Biederman <ebiederm@xmission.com>
Tue, 9 Dec 2014 23:08:24 +0000 (17:08 -0600)
commitbe7c6dba2332cef0677fbabb606e279ae76652c3
tree52d7a02dc25a3c2ac64576a9288114d0741cc846
parent273d2c67c3e179adb1e74f403d1e9a06e3f841b5
userns: Don't allow unprivileged creation of gid mappings

As any gid mapping will allow and must allow for backwards
compatibility dropping groups don't allow any gid mappings to be
established without CAP_SETGID in the parent user namespace.

For a small class of applications this change breaks userspace
and removes useful functionality.  This small class of applications
includes tools/testing/selftests/mount/unprivilged-remount-test.c

Most of the removed functionality will be added back with the addition
of a one way knob to disable setgroups.  Once setgroups is disabled
setting the gid_map becomes as safe as setting the uid_map.

For more common applications that set the uid_map and the gid_map
with privilege this change will have no affect.

This is part of a fix for CVE-2014-8989.

Cc: stable@vger.kernel.org
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
kernel/user_namespace.c