CVE-2021-4197 patchset consists of: [1] 1756d7994ad8 ("cgroup: Use open-time credentials for process migraton perm checks") [2] 0d2b5955b362 ("cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv") [3] e57457641613 ("cgroup: Use open-time cgroup namespace for process migration perm checks") [4] b09c2baa5634 ("selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644") [5] 613e040e4dc2 ("selftests: cgroup: Test open-time credential usage for migration checks") [6] bf35a7879f1d ("selftests: cgroup: Test open-time cgroup namespace usage for migration checks")
Commits [1], [2] and [3] are already present in 5.15-stable, this patchset includes backports for the selftests. All patches are clean cherry-picks.
The newly introduced selftests (test_cgcore_lesser_euid_open() and test_cgcore_lesser_ns_open()) pass with this series applied:
root@intel-x86-64:~# ./test_core ok 1 test_cgcore_internal_process_constraint ok 2 test_cgcore_top_down_constraint_enable ok 3 test_cgcore_top_down_constraint_disable ok 4 test_cgcore_no_internal_process_constraint_os ok 5 test_cgcore_parent_becomes_threaded ok 6 test_cgcore_invalid_domain ok 7 test_cgcore_populated ok 8 test_cgcore_proc_migration ok 9 test_cgcore_thread_migration ok 10 test_cgcore_destroy ok 11 test_cgcore_lesser_euid_open ok 12 test_cgcore_lesser_ns_open
Tejun Heo (3): selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644 selftests: cgroup: Test open-time credential usage for migration checks selftests: cgroup: Test open-time cgroup namespace usage for migration checks
tools/testing/selftests/cgroup/cgroup_util.c | 2 +- tools/testing/selftests/cgroup/test_core.c | 165 +++++++++++++++++++ 2 files changed, 166 insertions(+), 1 deletion(-)