Re: CVE Request: Linux kernel: privilege escalation in user namespaces

[Jann Horn <jann () thejh net>]

On Thu, Dec 17, 2015 at 02:39:58PM -0800, John Johansen wrote:
> I haven't seen CVE request for this one yet so,
>
> Jann Horn reported a privilege escalation in user namespaces to the
> lkml mailing list
>
> https://lkml.org/lkml/2015/12/12/259
>
> if a root-owned process wants to enter a user
> namespace for some reason without knowing who owns it and
> therefore can't change to the namespace owner's uid and gid
> before entering, as soon as it has entered the namespace,
> the namespace owner can attach to it via ptrace and thereby
> gain access to its uid and gid.

I'm not sure whether this is CVE-worthy - the user_namespaces
manpage says "the process has full privileges for operations
inside the user namespace, but is unprivileged for operations
outside the namespace". ptrace()ing a process in the
namespace can reasonably be considered an "operation inside
the user namespace", and therefore the manpage kinda implies
the old behavior. (Yes, more detailed documentation would be
nicer, I might submit man-pages patches once my patches are
in a kernel release.)

In my opinion, this patch is somewhere between hardening and
a security feature, but I wouldn't really call it a vuln fix.

Attachment: signature.asc
Description: Digital signature