AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
4665722d36
kernel_optimize_test/kernel/cgroup
History
Tejun Heo 4665722d36 cgroup: Use open-time credentials for process migraton perm checks 
commit 1756d7994ad85c2479af6ae5a9750b92324685af upstream.

cgroup process migration permission checks are performed at write time as
whether a given operation is allowed or not is dependent on the content of
the write - the PID. This currently uses current's credentials which is a
potential security weakness as it may allow scenarios where a less
privileged process tricks a more privileged one into writing into a fd that
it created.

This patch makes both cgroup2 and cgroup1 process migration interfaces to
use the credentials saved at the time of open (file->f_cred) instead of
current's.

Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Fixes: 187fe84067 ("cgroup: require write perm on common ancestor when moving processes on the default hierarchy")
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[OP: apply original __cgroup_procs_write() changes to cgroup_threads_write()
and cgroup_procs_write(), as the refactoring commit da70862efe006 ("cgroup:
cgroup.{procs,threads} factor out common parts") is not present in 5.10-stable]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-13 21:01:10 +02:00
..
cgroup-internal.h cgroup: Use open-time cgroup namespace for process migration perm checks 2022-03-28 09:57:07 +02:00
cgroup-v1.c cgroup: Use open-time credentials for process migraton perm checks 2022-04-13 21:01:10 +02:00
cgroup.c cgroup: Use open-time credentials for process migraton perm checks 2022-04-13 21:01:10 +02:00
cpuset.c cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug 2022-03-02 11:42:45 +01:00
debug.c kernel: cgroup: fix misuse of %x 2019-05-06 08:47:48 -07:00
freezer.c cgroup: freezer: don't change task and cgroups status unnecessarily 2019-11-07 07:38:41 -08:00
legacy_freezer.c cgroup: rename freezer.c into legacy_freezer.c 2019-04-19 11:26:48 -07:00
Makefile cgroup: cgroup v2 freezer 2019-04-19 11:26:48 -07:00
namespace.c nsproxy: add struct nsset 2020-05-09 13:57:12 +02:00
pids.c clone3: allow spawning processes into cgroups 2020-02-12 17:57:51 -05:00
rdma.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 451 2019-06-19 17:09:08 +02:00
rstat.c cgroup: Fix rootcg cpu.stat guest double counting 2021-11-18 14:04:13 +01:00