"Aneesh Kumar K.V" <aneesh.ku...@linux.vnet.ibm.com> writes:
> The following changes since commit 16c6c80ac3a772b42a87b77dfdf0fdac7c607b0e:
>
> Open up 1.4 development branch (2012-12-03 14:08:40 -0600)
>
> are available in the git repository at:
>
> git://github.com/kvaneesh/qemu.git for-upstream
>
> for you to fetch changes up to 9fd2ecdc8cb2dc1a8a7c57b6c9c60bc9947b6a73:
>
> virtfs-proxy-helper: use setresuid and setresgid (2012-12-05 21:55:54 +0530)
>
Pulled. Thanks.
Regards,
Anthony Liguori
> ----------------------------------------------------------------
> Paolo Bonzini (1):
> virtfs-proxy-helper: use setresuid and setresgid
>
> fsdev/virtfs-proxy-helper.c | 93
> +++++++++++++++++++++++++++++--------------
> 1 file changed, 64 insertions(+), 29 deletions(-)
>
> diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
> index f9a8270..df2a939 100644
> --- a/fsdev/virtfs-proxy-helper.c
> +++ b/fsdev/virtfs-proxy-helper.c
> @@ -272,31 +272,76 @@ static int send_status(int sockfd, struct iovec *iovec,
> int status)
> /*
> * from man 7 capabilities, section
> * Effect of User ID Changes on Capabilities:
> - * 4. If the file system user ID is changed from 0 to nonzero (see
> setfsuid(2))
> - * then the following capabilities are cleared from the effective set:
> - * CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID,
> - * CAP_LINUX_IMMUTABLE (since Linux 2.2.30), CAP_MAC_OVERRIDE, and
> CAP_MKNOD
> - * (since Linux 2.2.30). If the file system UID is changed from nonzero to 0,
> - * then any of these capabilities that are enabled in the permitted set
> - * are enabled in the effective set.
> + * If the effective user ID is changed from nonzero to 0, then the permitted
> + * set is copied to the effective set. If the effective user ID is changed
> + * from 0 to nonzero, then all capabilities are are cleared from the
> effective
> + * set.
> + *
> + * The setfsuid/setfsgid man pages warn that changing the effective user ID
> may
> + * expose the program to unwanted signals, but this is not true anymore: for
> an
> + * unprivileged (without CAP_KILL) program to send a signal, the real or
> + * effective user ID of the sending process must equal the real or saved user
> + * ID of the target process. Even when dropping privileges, it is enough to
> + * keep the saved UID to a "privileged" value and virtfs-proxy-helper won't
> + * be exposed to signals. So just use setresuid/setresgid.
> */
> -static int setfsugid(int uid, int gid)
> +static int setugid(int uid, int gid, int *suid, int *sgid)
> {
> + int retval;
> +
> /*
> - * We still need DAC_OVERRIDE because we don't change
> + * We still need DAC_OVERRIDE because we don't change
> * supplementary group ids, and hence may be subjected DAC rules
> */
> cap_value_t cap_list[] = {
> CAP_DAC_OVERRIDE,
> };
>
> - setfsgid(gid);
> - setfsuid(uid);
> + *suid = geteuid();
> + *sgid = getegid();
> +
> + if (setresgid(-1, gid, *sgid) == -1) {
> + retval = -errno;
> + goto err_out;
> + }
> +
> + if (setresuid(-1, uid, *suid) == -1) {
> + retval = -errno;
> + goto err_sgid;
> + }
>
> if (uid != 0 || gid != 0) {
> - return do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0);
> + if (do_cap_set(cap_list, ARRAY_SIZE(cap_list), 0) < 0) {
> + retval = -errno;
> + goto err_suid;
> + }
> }
> return 0;
> +
> +err_suid:
> + if (setresuid(-1, *suid, *suid) == -1) {
> + abort();
> + }
> +err_sgid:
> + if (setresgid(-1, *sgid, *sgid) == -1) {
> + abort();
> + }
> +err_out:
> + return retval;
> +}
> +
> +/*
> + * This is used to reset the ugid back with the saved values
> + * There is nothing much we can do checking error values here.
> + */
> +static void resetugid(int suid, int sgid)
> +{
> + if (setresgid(-1, sgid, sgid) == -1) {
> + abort();
> + }
> + if (setresuid(-1, suid, suid) == -1) {
> + abort();
> + }
> }
>
> /*
> @@ -578,18 +623,15 @@ static int do_create_others(int type, struct iovec
> *iovec)
>
> v9fs_string_init(&path);
> v9fs_string_init(&oldpath);
> - cur_uid = geteuid();
> - cur_gid = getegid();
>
> retval = proxy_unmarshal(iovec, offset, "dd", &uid, &gid);
> if (retval < 0) {
> return retval;
> }
> offset += retval;
> - retval = setfsugid(uid, gid);
> + retval = setugid(uid, gid, &cur_uid, &cur_gid);
> if (retval < 0) {
> - retval = -errno;
> - goto err_out;
> + goto unmarshal_err_out;
> }
> switch (type) {
> case T_MKNOD:
> @@ -619,9 +661,10 @@ static int do_create_others(int type, struct iovec
> *iovec)
> }
>
> err_out:
> + resetugid(cur_uid, cur_gid);
> +unmarshal_err_out:
> v9fs_string_free(&path);
> v9fs_string_free(&oldpath);
> - setfsugid(cur_uid, cur_gid);
> return retval;
> }
>
> @@ -641,24 +684,16 @@ static int do_create(struct iovec *iovec)
> if (ret < 0) {
> goto unmarshal_err_out;
> }
> - cur_uid = geteuid();
> - cur_gid = getegid();
> - ret = setfsugid(uid, gid);
> + ret = setugid(uid, gid, &cur_uid, &cur_gid);
> if (ret < 0) {
> - /*
> - * On failure reset back to the
> - * old uid/gid
> - */
> - ret = -errno;
> - goto err_out;
> + goto unmarshal_err_out;
> }
> ret = open(path.data, flags, mode);
> if (ret < 0) {
> ret = -errno;
> }
>
> -err_out:
> - setfsugid(cur_uid, cur_gid);
> + resetugid(cur_uid, cur_gid);
> unmarshal_err_out:
> v9fs_string_free(&path);
> return ret;
