[CRIU] [PATCH] security: check additional gids
Pavel Emelyanov
xemul at parallels.com
Tue Jun 24 05:13:28 PDT 2014
On 06/23/2014 11:04 AM, Ruslan Kuprieiev wrote:
> Currently, we only check if process gids match primary gid of user.
> But user may have some additional groups. So lets check them too.
I believe you inverted this in the patch. We should check for additional
groups from image to be accessible by the caller, shouldn't we?
> Signed-off-by: Ruslan Kuprieiev <kupruser at gmail.com>
> ---
> cr-service.c | 3 ++-
> crtools.c | 3 ++-
> include/crtools.h | 2 +-
> security.c | 74
> +++++++++++++++++++++++++++++++++++++++++++++++--------
> 4 files changed, 69 insertions(+), 13 deletions(-)
>
> -void restrict_uid(unsigned int uid, unsigned int gid)
> +int restrict_uid(unsigned int uid, unsigned int gid)
> {
> + struct passwd *pwd;
> +
> pr_info("Restrict C/R with %u:%u uid\n", uid, gid);
> cr_uid = uid;
> - cr_gid = gid;
> +
> + pwd = getpwuid(uid);
> + if (!pwd) {
> + pr_perror("Can't get user name");
> + return -1;
> + }
> +
> + cr_gids_num = NGROUPS_MAX;
> + if (getgrouplist(pwd->pw_name, gid, cr_gids, &cr_gids_num) < 0) {
These two reveal non run-time information about the caller, unlike
the rest of security code that work on the actual info.
> + pr_perror("Can't get group list of the user");
> + return -1;
> + }
> +
> + return 0;
> }
More information about the CRIU
mailing list