From: "Eric W. Biederman" ebiederm@xmission.com
The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set of capabilities. Therefore require capabilities when setting the release_agent.
[ Upstream commit 24f6008564183aa120d07c03d9289519c2fe02af ]
Reported-by: Tabitha Sable tabitha.c.sable@gmail.com
Tested-by: Tabitha Sable tabitha.c.sable@gmail.com
Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
Cc: stable@vger.kernel.org # v2.6.24+
Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com
Signed-off-by: Tejun Heo tj@kernel.org
[mkoutny: Adjust for pre-fs_context, duplicate mount/remount check, drop log messages.]
Acked-by: Michal Koutný mkoutny@suse.com
---
Hello, FWIW, I'm sharing a v4.12 backport of the aforementioned patch (v4.12 is not an actual stable but someone may find it useful).
Michal
kernel/cgroup/cgroup-v1.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
--- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -531,6 +531,14 @@ static ssize_t cgroup_release_agent_writ
BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ /* + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ + if ((of->file->f_cred->user_ns != &init_user_ns) || + !capable(CAP_SYS_ADMIN)) + return -EPERM; + cgrp = cgroup_kn_lock_live(of->kn, false); if (!cgrp) return -ENODEV; @@ -1004,6 +1012,7 @@ static int cgroup1_remount(struct kernfs { int ret = 0; struct cgroup_root *root = cgroup_root_from_kf(kf_root); + struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; struct cgroup_sb_opts opts; u16 added_mask, removed_mask;
@@ -1017,6 +1026,12 @@ static int cgroup1_remount(struct kernfs if (opts.subsys_mask != root->subsys_mask || opts.release_agent) pr_warn("option changes via remount are deprecated (pid=%d comm=%s)\n", task_tgid_nr(current), current->comm); + /* See cgroup1_mount release_agent handling */ + if (opts.release_agent && + ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) { + ret = -EINVAL; + goto out_unlock; + }
added_mask = opts.subsys_mask & ~root->subsys_mask; removed_mask = root->subsys_mask & ~opts.subsys_mask; @@ -1180,6 +1195,15 @@ struct dentry *cgroup1_mount(struct file ret = -EPERM; goto out_unlock; } + /* + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ + if (opts.release_agent && + ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) { + ret = -EINVAL; + goto out_unlock; + }
root = kzalloc(sizeof(*root), GFP_KERNEL); if (!root) {
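Review bot: in the cgroup_release_agent_write hunk the two halves of the new check are evaluated against different credentials: the user-namespace test reads `of->file->f_cred` (the credentials of whoever opened the file), while `!capable(CAP_SYS_ADMIN)` tests the task performing the write. This matches the upstream commit being backported, so the backport is consistent, but the asymmetry is worth a sentence in the commit message, as is the choice of `-EPERM` here versus `-EINVAL` in the mount and remount hunks.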
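Review bot: in the cgroup1_remount hunk the new check is placed after the `pr_warn("option changes via remount are deprecated ...")` call, so a remount that is about to be rejected still emits the deprecation warning; moving the check above the warning would avoid that. Also, because the backport note says the log messages were dropped, a caller now gets a bare `-EINVAL` with no hint that the failure is a privilege problem rather than a malformed option; either returning `-EPERM` as the write path does or keeping a short `pr_warn` would make the rejection diagnosable.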
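Review bot: the cgroup1_mount hunk repeats the exact condition block from cgroup1_remount (`opts.release_agent && ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))`), which the bracketed backport note acknowledges; a small static helper taking `opts` and `ns` would keep the two paths from drifting apart in later fixes. Unlike the remount hunk, this hunk uses `ns` without adding a declaration, so please confirm the existing cgroup1_mount local is the same `current->nsproxy->cgroup_ns` the remount hunk introduces.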
On Tue, Feb 08, 2022 at 07:24:02PM +0100, Michal Koutný wrote:
From: "Eric W. Biederman" ebiederm@xmission.com
The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set of capabilities. Therefore require capabilities when setting the release_agent.
[ Upstream commit 24f6008564183aa120d07c03d9289519c2fe02af ]
Reported-by: Tabitha Sable tabitha.c.sable@gmail.com
Tested-by: Tabitha Sable tabitha.c.sable@gmail.com
Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
Cc: stable@vger.kernel.org # v2.6.24+
Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com
Signed-off-by: Tejun Heo tj@kernel.org
[mkoutny: Adjust for pre-fs_context, duplicate mount/remount check, drop log messages.]
Acked-by: Michal Koutný mkoutny@suse.com
Hello, FWIW, I'm sharing a v4.12 backport of the aforementioned patch (v4.12 is not an actual stable but someone may find it useful).
What about 4.19 and 4.14 versions? Those would be useful :)
thanks,
greg k-h
On Wed, Feb 09, 2022 at 06:53:32AM +0100, Greg KH wrote:
On Tue, Feb 08, 2022 at 07:24:02PM +0100, Michal Koutný wrote:
From: "Eric W. Biederman" ebiederm@xmission.com
The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set of capabilities. Therefore require capabilities when setting the release_agent.
[ Upstream commit 24f6008564183aa120d07c03d9289519c2fe02af ]
Reported-by: Tabitha Sable tabitha.c.sable@gmail.com
Tested-by: Tabitha Sable tabitha.c.sable@gmail.com
Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
Cc: stable@vger.kernel.org # v2.6.24+
Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com
Signed-off-by: Tejun Heo tj@kernel.org
[mkoutny: Adjust for pre-fs_context, duplicate mount/remount check, drop log messages.]
Acked-by: Michal Koutný mkoutny@suse.com
Hello, FWIW, I'm sharing a v4.12 backport of the aforementioned patch (v4.12 is not an actual stable but someone may find it useful).
What about 4.19 and 4.14 versions? Those would be useful :)
Ah, it looks like it works there, many thanks for this!
greg k-h