summaryrefslogtreecommitdiffstats
path: root/kernel/bpf
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2014-11-26 23:22:14 -0600
committerEric W. Biederman <ebiederm@xmission.com>2014-12-09 17:08:32 -0600
commitf95d7918bd1e724675de4940039f2865e5eec5fe (patch)
treedf6e44746ff643f6f70773dfb1783d9ea7b729bf /kernel/bpf
parent80dd00a23784b384ccea049bfb3f259d3f973b9d (diff)
downloadop-kernel-dev-f95d7918bd1e724675de4940039f2865e5eec5fe.zip
op-kernel-dev-f95d7918bd1e724675de4940039f2865e5eec5fe.tar.gz
userns: Only allow the creator of the userns unprivileged mappings
If you did not create the user namespace and are allowed to write to uid_map or gid_map you should already have the necessary privilege in the parent user namespace to establish any mapping you want so this will not affect userspace in practice. Limiting unprivileged uid mapping establishment to the creator of the user namespace makes it easier to verify all credentials obtained with the uid mapping can be obtained without the uid mapping without privilege. Limiting unprivileged gid mapping establishment (which is temporarily absent) to the creator of the user namespace also ensures that the combination of uid and gid can already be obtained without privilege. This is part of the fix for CVE-2014-8989. Cc: stable@vger.kernel.org Reviewed-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'kernel/bpf')
0 files changed, 0 insertions, 0 deletions
OpenPOWER on IntegriCloud