CVE-2021-4197 patchset consists of: [1] 1756d7994ad8 ("cgroup: Use open-time credentials for process migraton perm checks") [2] 0d2b5955b362 ("cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv") [3] e57457641613 ("cgroup: Use open-time cgroup namespace for process migration perm checks") [4] b09c2baa5634 ("selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644") [5] 613e040e4dc2 ("selftests: cgroup: Test open-time credential usage for migration checks") [6] bf35a7879f1d ("selftests: cgroup: Test open-time cgroup namespace usage for migration checks")
Commits [2] and [3] are already preent in 5.10-stable, this patchset includes backports for the other commits.
Backport summary ---------------- 1756d7994ad8 ("cgroup: Use open-time credentials for process migraton perm checks") * Refactoring commit da70862efe006 ("cgroup: cgroup.{procs,threads} factor out common parts") is not present in kernel versions < 5.12, so the original changes to __cgroup_procs_write() had to be applied in both cgroup_threads_write() and cgroup_procs_write() functions.
c2e46f6b3e35 ("selftests/cgroup: Fix build on older distros") * This extra commit was added to fix the following selftest build failure, applies cleanly: ... cgroup_util.c: In function ‘clone_into_cgroup’: group_util.c:343:4: error: ‘struct clone_args’ has no member named ‘cgroup’ 343 | .cgroup = cgroup_fd, | ^~~~~~
All other selftest changes are clean cherry-picks.
Testing ------- The newly introduced selftests (test_cgcore_lesser_euid_open() and test_cgcore_lesser_ns_open()) pass with this series applied:
root@intel-x86-64:~# ./test_core ok 1 test_cgcore_internal_process_constraint ok 2 test_cgcore_top_down_constraint_enable ok 3 test_cgcore_top_down_constraint_disable ok 4 test_cgcore_no_internal_process_constraint_os ok 5 test_cgcore_parent_becomes_threaded ok 6 test_cgcore_invalid_domain ok 7 test_cgcore_populated ok 8 test_cgcore_proc_migration ok 9 test_cgcore_thread_migration ok 10 test_cgcore_destroy ok 11 test_cgcore_lesser_euid_open ok 12 test_cgcore_lesser_ns_open
Sachin Sant (1): selftests/cgroup: Fix build on older distros
Tejun Heo (4): cgroup: Use open-time credentials for process migraton perm checks selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644 selftests: cgroup: Test open-time credential usage for migration checks selftests: cgroup: Test open-time cgroup namespace usage for migration checks
kernel/cgroup/cgroup-v1.c | 7 +- kernel/cgroup/cgroup.c | 17 +- tools/testing/selftests/cgroup/cgroup_util.c | 6 +- tools/testing/selftests/cgroup/test_core.c | 165 +++++++++++++++++++ 4 files changed, 188 insertions(+), 7 deletions(-)