Re: [PATCH 3/7] pipe: actually allow root to exceed the pipe buffer limits

[Eric Biggers]

On Tue, Jan 09, 2018 at 02:23:32PM -0800, Kees Cook wrote:
> On Sun, Jan 7, 2018 at 9:35 PM, Eric Biggers <ebiggers3@xxxxxxxxx> wrote:
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> >
> > pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply
> > to unprivileged users, as documented in both Documentation/sysctl/fs.txt
> > and the pipe(7) man page.
> >
> > However, the capabilities are actually only checked when increasing a
> > pipe's size using F_SETPIPE_SZ, not when creating a new pipe.
> > Therefore, if pipe-user-pages-hard has been set, the root user can run
> > into it and be unable to create pipes.  Similarly, if
> > pipe-user-pages-soft has been set, the root user can run into it and
> > have their pipes limited to 1 page each.
> >
> > Fix this by allowing the privileged override in both cases.
> 
> Should this be controlled per-namespace instead of via init-ns caps?
> 

I don't think so.  Users shouldn't be able to bypass the limits by creating a
user namespace.

Eric