[PATCH v2] userns: improve uid/gid map collision detection

[Aristeu Rozanski]

userns: improve uid/gid map collision detection

Initial implementation of the uid/gid maps (/proc/<pid>/{u,g}id_map) will
enforce that the UID and GID maps be written in strict order as a simple
way to check for range collision:
        local id        mapped to       count/range
        0               1000            50
        (ids 0-50 get mapped to 1000-1050)
        100             2120            10
        500             5000            200
so for each new entry, local id must be bigger than last local id (plus
count) and the ids it maps to also needs to be bigger than the last
entry (plus count).

This makes impossible to have a use case like this:
        local id        mapped to       count/range
        0               1000            1
        48              500             20

because while 48+20 > 0+1, 500+20 < 1000+1.

This patch implements a more elaborate collision detection allowing any
order to be used.

v2: improved the patch description as requested by Andrew

Cc: Andrew Morton <a...@linux-foundation.org>
Cc: "Eric W. Biederman" <ebied...@xmission.com>
Cc: "Serge E. Hallyn" <se...@hallyn.com>
Cc: linux-security-mod...@vger.kernel.org
Signed-off-by: Aristeu Rozanski <a...@redhat.com>

diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 2b042c4..fb0e492 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -521,6 +521,28 @@ struct seq_operations proc_projid_seq_operations = {
 
 static DEFINE_MUTEX(id_map_mutex);
 
+#define in_range(b,first,len) ((b)>=(first)&&(b)<(first)+(len))
+static inline int extent_collision(struct uid_gid_map *new_map,
+                                  struct uid_gid_extent *extent)
+{
+       int i;
+       struct uid_gid_extent *cur;
+
+       for (i = 0; i < new_map->nr_extents; i++) {
+               cur = &new_map->extent[i];
+               if (in_range(extent->first, cur->first, cur->count) ||
+                   in_range(extent->first + extent->count, cur->first,
+                            cur->count))
+                       return 1;
+               if (in_range(extent->lower_first, cur->lower_first,
+                            cur->count) ||
+                   in_range(extent->lower_first + extent->count,
+                            cur->lower_first, cur->count))
+                       return 1;
+       }
+       return 0;
+}
+
 static ssize_t map_write(struct file *file, const char __user *buf,
                         size_t count, loff_t *ppos,
                         int cap_setid,
@@ -634,10 +656,7 @@ static ssize_t map_write(struct file *file, const char 
__user *buf,
                if ((extent->lower_first + extent->count) <= 
extent->lower_first)
                        goto out;
 
-               /* For now only accept extents that are strictly in order */
-               if (last &&
-                   (((last->first + last->count) > extent->first) ||
-                    ((last->lower_first + last->count) > extent->lower_first)))
+               if (extent_collision(&new_map, extent))
                        goto out;
 
                new_map.nr_extents++;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/