[CRIU] [PATCH 1/2] security: set fs gid to 0 and check img ids and mode when reading
Pavel Emelyanov
xemul at parallels.com
Mon Sep 15 07:19:15 PDT 2014
On 09/15/2014 09:50 AM, Ruslan Kuprieiev wrote:
> +bool check_file_ids(int fd)
> +{
> + struct stat st;
> + char buf[10];
> +
> + if (cr_uid == 0 && cr_gid == 0)
> + return true;
If current is root, everything is allowed.
ACK
Otherwise...
> +
> + if (fstat(fd, &st)) {
> + pr_perror("Can't stat file");
> + return false;
> + }
> +
> + if (!(st.st_mode & CR_FD_PERM)) {
If the image file's permissions miss _all_ bits from the CR_FD_PERM mask -- don't allow
even opening it.
This looks wrong. What if st_mode is rw--w--w-? Then anyone can modify the images,
but the user will still be able to restore from them :)
> + pr_err("File mode %s != %s\n", mode_str(buf, st.st_mode), mode_str(buf, CR_FD_PERM));
> + return false;
> + }
> +
> + if (st.st_uid != 0 || st.st_gid != 0) {
Images belonging to non-root are prohibited. This is also strange. The intention
was -- r/o images belonging to root are allowed for restore w/o restrictions. Images
belonging to the user, or others-writable root images, are allowed for restore only if
they result in tasks belonging to the user that calls the restore.
> + pr_err("File uid/gid (%d,%d) != (0,0)\n", st.st_uid, st.st_gid);
> + return false;
> + }
> +
> + return true;
> +}
>
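Review bot: the test "if (!(st.st_mode & CR_FD_PERM))" only rejects a file that has none of the CR_FD_PERM bits set, so a mode carrying extra bits outside the mask (for example group- or world-writable) still passes, while the message "File mode %s != %s" reads as if an exact match were required; if the mode must not exceed the mask, test "(st.st_mode & 0777) & ~CR_FD_PERM", or compare "(st.st_mode & 0777) != CR_FD_PERM" if an exact match is intended. In the same pr_err, both mode_str(buf, ...) calls write into the single "char buf[10]", so the two %s arguments point at the same string and one mode is printed twice; use a second buffer for the second call.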