Re: [PATCH] cgroup-v1: Correct privileges check in release_agent writes

From: Tejun Heo
Date: Tue Feb 22 2022 - 13:13:15 EST

Next message: Bjorn Andersson: "Re: [PATCH v2 09/15] scsi: ufs: deprecate 'freq-table-hz' property"
Previous message: Daniel Lezcano: "Re: [PATCH 1/2] thermal: cooling: Check Energy Model type in cpufreq_cooling and devfreq_cooling"
In reply to: Masami Ichikawa(CIP): "Re: [PATCH] cgroup-v1: Correct privileges check in release_agent writes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 17, 2022 at 05:11:28PM +0100, Michal Koutný wrote:
> The idea is to check: a) the owning user_ns of cgroup_ns, b)
> capabilities in init_user_ns.
>
> The commit 24f600856418 ("cgroup-v1: Require capabilities to set
> release_agent") got this wrong in the write handler of release_agent
> since it checked user_ns of the opener (may be different from the owning
> user_ns of cgroup_ns).
> Secondly, to avoid possibly confused deputy, the capability of the
> opener must be checked.
>
> Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent")
> Cc: stable@xxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/stable/20220216121142.GB30035@xxxxxxxxxxxxxxxxx/
> Signed-off-by: Michal Koutný <mkoutny@xxxxxxxx>

Applied to cgroup/for-5.17-fixes.

Thanks.

--
tejun

Next message: Bjorn Andersson: "Re: [PATCH v2 09/15] scsi: ufs: deprecate 'freq-table-hz' property"
Previous message: Daniel Lezcano: "Re: [PATCH 1/2] thermal: cooling: Check Energy Model type in cpufreq_cooling and devfreq_cooling"
In reply to: Masami Ichikawa(CIP): "Re: [PATCH] cgroup-v1: Correct privileges check in release_agent writes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]