userns: Ignore suid and sgid on binaries if the uid or gid can not be mapped (3cdf5b45) · Commits · 戴 / test

fs/exec.c

+3 −6

Original line number	Original line	Diff line number	Diff line
	@@ -1266,14 +1266,13 @@ int prepare_binprm(struct linux_binprm *bprm)
	bprm->cred->egid = current_egid();		bprm->cred->egid = current_egid();

	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&		if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
	!current->no_new_privs) {		!current->no_new_privs &&
			kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
			kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
	/* Set-uid? */		/* Set-uid? */
	if (mode & S_ISUID) {		if (mode & S_ISUID) {
	if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid))
	return -EPERM;
	bprm->per_clear \|= PER_CLEAR_ON_SETID;		bprm->per_clear \|= PER_CLEAR_ON_SETID;
	bprm->cred->euid = inode->i_uid;		bprm->cred->euid = inode->i_uid;

	}		}

	/* Set-gid? */		/* Set-gid? */
	@@ -1283,8 +1282,6 @@ int prepare_binprm(struct linux_binprm *bprm)
	* executable.		* executable.
	*/		*/
	if ((mode & (S_ISGID \| S_IXGRP)) == (S_ISGID \| S_IXGRP)) {		if ((mode & (S_ISGID \| S_IXGRP)) == (S_ISGID \| S_IXGRP)) {
	if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid))
	return -EPERM;
	bprm->per_clear \|= PER_CLEAR_ON_SETID;		bprm->per_clear \|= PER_CLEAR_ON_SETID;
	bprm->cred->egid = inode->i_gid;		bprm->cred->egid = inode->i_gid;
	}		}