userns: Fail exec for suid and sgid binaries with ids outside our user namespace.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2011-11-17 08:37:59 +0100
committer: Eric W. Biederman <ebiederm@xmission.com> 2012-05-15 23:59:23 +0200
commit: 9e4a36ece652908276bc4abb4324ec56292453e1 (patch)
tree: ec267b9350f9e06aa510e35fbd6858ba3b9d602c /fs/exec.c
parent: userns: Convert stat to return values mapped from kuids and kgids (diff)
download: linux-9e4a36ece652908276bc4abb4324ec56292453e1.tar.xz
linux-9e4a36ece652908276bc4abb4324ec56292453e1.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 00ae2ef100d8..e001bdfac530 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1291,8 +1291,11 @@ int prepare_binprm(struct linux_binprm *bprm)
 	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
 		/* Set-uid? */
 		if (mode & S_ISUID) {
+			if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid))
+				return -EPERM;
 			bprm->per_clear |= PER_CLEAR_ON_SETID;
 			bprm->cred->euid = inode->i_uid;
+
 		}
 
 		/* Set-gid? */
@@ -1302,6 +1305,8 @@ int prepare_binprm(struct linux_binprm *bprm)
 		 * executable.
 		 */
 		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+			if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid))
+				return -EPERM;
 			bprm->per_clear |= PER_CLEAR_ON_SETID;
 			bprm->cred->egid = inode->i_gid;
 		}
author	Eric W. Biederman <ebiederm@xmission.com>	2011-11-17 08:37:59 +0100
committer	Eric W. Biederman <ebiederm@xmission.com>	2012-05-15 23:59:23 +0200
commit	9e4a36ece652908276bc4abb4324ec56292453e1 (patch)
tree	ec267b9350f9e06aa510e35fbd6858ba3b9d602c /fs/exec.c
parent	userns: Convert stat to return values mapped from kuids and kgids (diff)
download	linux-9e4a36ece652908276bc4abb4324ec56292453e1.tar.xz linux-9e4a36ece652908276bc4abb4324ec56292453e1.zip