Commit 8deb6634 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Luis Henriques

userns: Allow setting gid_maps without privilege when setgroups is disabled

commit 66d2f338 upstream.

Now that setgroups can be disabled and not reenabled, setting gid_map
without privielge can now be enabled when setgroups is disabled.

This restores most of the functionality that was lost when unprivileged
setting of gid_map was removed.  Applications that use this functionality
will need to check to see if they use setgroups or init_groups, and if they
don't they can be fixed by simply disabling setgroups before writing to
gid_map.
Reviewed-by: default avatarAndy Lutomirski <luto@amacapital.net>
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent b3993755
...@@ -826,6 +826,11 @@ static bool new_idmap_permitted(const struct file *file, ...@@ -826,6 +826,11 @@ static bool new_idmap_permitted(const struct file *file,
kuid_t uid = make_kuid(ns->parent, id); kuid_t uid = make_kuid(ns->parent, id);
if (uid_eq(uid, cred->euid)) if (uid_eq(uid, cred->euid))
return true; return true;
} else if (cap_setid == CAP_SETGID) {
kgid_t gid = make_kgid(ns->parent, id);
if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
gid_eq(gid, cred->egid))
return true;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment