[PATCH Quantal CVE] userns: Changing any namespace id mappings should require privileges

[Steve Conklin]

From: Andy Lutomirski <luto at amacapital.net>

CVE-2013-1979

commit 41c21e351e79004dbb4efa4bc14a53a7e0af38c5 upstream.

Changing uid/gid/projid mappings doesn't change your id within the
namespace; it reconfigures the namespace.  Unprivileged programs should
*not* be able to write these files.  (We're also checking the privileges
on the wrong task.)

Given the write-once nature of these files and the other security
checks, this is likely impossible to usefully exploit.

Signed-off-by: Andy Lutomirski <luto at amacapital.net>
Signed-off-by: Steve Conklin <sconklin at canonical.com>
---
 kernel/user_namespace.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 8660231..34e91b3 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -431,10 +431,10 @@ static ssize_t map_write(struct file *file, const char __user *buf,
 	if (map->nr_extents != 0)
 		goto out;
 
-	/* Require the appropriate privilege CAP_SETUID or CAP_SETGID
-	 * over the user namespace in order to set the id mapping.
+	/*
+	 * Adjusting namespace settings requires capabilities on the target.
 	 */
-	if (!ns_capable(ns, cap_setid))
+	if (!file_ns_capable(file, ns, CAP_SYS_ADMIN))
 		goto out;
 
 	/* Get a buffer */
-- 
1.7.9.5