[CRIU] [PATCHv2] files-reg: restore PR_SET_DUMPABLE flag after setfsuid
Andrew Vagin
avagin at virtuozzo.com
Fri Dec 18 08:05:31 PST 2015
On Fri, Dec 18, 2015 at 06:33:41PM +0300, Dmitry Safonov wrote:
> Restore dumpable flag after setfsuid to assure that created /proc/self/*
> file inode had task's credentials. Without it it would have root creds
> and trying to access proc files of task will fail from non-root user
> in generic vfs permission check.
>
> Signed-off-by: Dmitry Safonov <dsafonov at odin.com>
> ---
> files-reg.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/files-reg.c b/files-reg.c
> index 425dc04..8a2a5fd 100644
> --- a/files-reg.c
> +++ b/files-reg.c
> @@ -1091,13 +1091,22 @@ static int linkat_hard(int odir, char *opath, int ndir, char *npath, uid_t owner
>
> if (root_ns_mask & CLONE_NEWUSER) {
> setfsuid(old_fsuid);
> - if (setfsuid(-1) != old_fsuid)
> + if (setfsuid(-1) != old_fsuid) {
> pr_warn("Failed to restore old fsuid!\n");
> /*
> * Don't fail here. We still have chances to run till
> * the pie/restorer, and if _this_ guy fails to set
> * the proper fsuid, then we'll abort the restore.
> */
> + }
> +
> + /*
> + * Restoring PR_SET_DUMPABLE flag is required after setfsuid,
> + * as if it not set, proc inode will be created with root cred
> + * (see proc_pid_make_inode), which will result in permission
> + * check fail when trying to access files in /proc/self/
> + */
> + prctl(PR_SET_DUMPABLE, 1, 0);
Acked-by: Andrew Vagin <avagin at virtuozzo.com>
> }
> errno = errno_save;
>
> --
> 2.6.3
>
More information about the CRIU
mailing list