Commit 6b6c3fb5 authored Jan 17, 2022 by Tejun Heo Committed by Yang Yingliang Jan 17, 2022

cgroup: Use open-time cgroup namespace for process migration perm checks

mainline inclusion
from mainline-v5.16
commit e5745764
category: bugfix
bugzilla: NA
CVE: CVE-2021-4197

------------------------------------------------------------------------

cgroup process migration permission checks are performed at write time as
whether a given operation is allowed or not is dependent on the content of
the write - the PID. This currently uses current's cgroup namespace which is
a potential security weakness as it may allow scenarios where a less
privileged process tricks a more privileged one into writing into a fd that
it created.

This patch makes cgroup remember the cgroup namespace at the time of open
and uses it for migration permission checks instad of current's. Note that
this only applies to cgroup2 as cgroup1 doesn't have namespace support.

This also fixes a use-after-free bug on cgroupns reported in

 https://lore.kernel.org/r/00000000000048c15c05d0083397@google.com



Note that backporting this fix also requires the preceding patch.

Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Cc: Michal Koutný <mkoutny@suse.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Reported-by:  <syzbot+50f5cf33a284ce738b62@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/r/00000000000048c15c05d0083397@google.com


Fixes: 5136f636 ("cgroup: implement "nsdelegate" mount option")
Signed-off-by: Tejun Heo <tj@kernel.org>
Conflicts:
	kernel/cgroup/cgroup-internal.h
	kernel/cgroup/cgroup.c
Signed-off-by: Lu Jialin <lujialin4@huawei.com>
Reviewed-by: weiyang wang <wangweiyang2@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

parent 75acfe71

Show whitespace changes

Inline Side-by-side

Please to comment