diff --git a/0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch b/0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch deleted file mode 100644 index ce7b68d..0000000 --- a/0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch +++ /dev/null @@ -1,264 +0,0 @@ -From e461afd8cfa6d0781ae0c5c10e89b6ef1ca6da32 Mon Sep 17 00:00:00 2001 -From: Alastair Houghton -Date: Tue, 29 Dec 2020 14:02:39 +0000 -Subject: [PATCH] cifs.upcall: try to use container ipc/uts/net/pid/mnt/user - namespaces - -In certain scenarios (e.g. kerberos multimount), when a process does -syscalls, the kernel sometimes has to query information or trigger -some actions in userspace. To do so it calls the cifs.upcall binary -with information on the process that triggered the syscall in the -first place. - -ls(pid=10) ====> open("foo") ====> kernel - - that user doesn't have an SMB - session, lets create one using his - kerberos credential cache - - call cifs.upcall and ask for krb info - for whoever owns pid=10 - | - cifs.upcall --pid 10 <=================+ - - ...gather info... - return binary blob used - when establishing SMB session - ===================> kernel - open SMB session, handle - open() syscall -ls <=================================== return open() result to ls - -On a system using containers, the kernel is still calling the host -cifs.upcall and using the host configuration (for network, pid, etc). - -This patch changes the behaviour of cifs.upcall so that it uses the -calling process namespaces (ls in the example) when doing its -job. - -Note that the kernel still calls the binary in the host, but the -binary will place itself the contexts of the calling process -namespaces. - -This code makes use of (but shouldn't require) the following kernel -config options and syscall flags: - -approx. year | -introduced | config/flags ----------------+---------------- -2008 | CONFIG_NAMESPACES=y -2007 | CONFIG_UTS_NS=y -2020 | CONFIG_TIME_NS=y -2006 | CONFIG_IPC_NS=y -2007 | CONFIG_USER_NS -2008 | CONFIG_PID_NS=y -2007 | CONFIG_NET_NS=y -2007 | CONFIG_CGROUPS -2016 | CLONE_NEWCGROUP setns() flag - -Signed-off-by: Aurelien Aptel -Signed-off-by: Alastair Houghton ---- - cifs.upcall.c | 172 ++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 172 insertions(+) - -diff --git a/cifs.upcall.c b/cifs.upcall.c -index 400b42d..e413934 100644 ---- a/cifs.upcall.c -+++ b/cifs.upcall.c -@@ -51,6 +51,7 @@ - #include - #include - #include -+#include - - #include "data_blob.h" - #include "spnego.h" -@@ -240,6 +241,164 @@ err_cache: - return credtime; - } - -+static struct namespace_file { -+ int nstype; -+ const char *name; -+ int fd; -+} namespace_files[] = { -+ -+#ifdef CLONE_NEWCGROUP -+ { CLONE_NEWCGROUP, "cgroup", -1 }, -+#endif -+ -+#ifdef CLONE_NEWIPC -+ { CLONE_NEWIPC, "ipc", -1 }, -+#endif -+ -+#ifdef CLONE_NEWUTS -+ { CLONE_NEWUTS, "uts", -1 }, -+#endif -+ -+#ifdef CLONE_NEWNET -+ { CLONE_NEWNET, "net", -1 }, -+#endif -+ -+#ifdef CLONE_NEWPID -+ { CLONE_NEWPID, "pid", -1 }, -+#endif -+ -+#ifdef CLONE_NEWTIME -+ { CLONE_NEWTIME, "time", -1 }, -+#endif -+ -+#ifdef CLONE_NEWNS -+ { CLONE_NEWNS, "mnt", -1 }, -+#endif -+ -+#ifdef CLONE_NEWUSER -+ { CLONE_NEWUSER, "user", -1 }, -+#endif -+}; -+ -+#define NS_PATH_FMT "/proc/%d/ns/%s" -+#define NS_PATH_MAXLEN (6 + 10 + 4 + 6 + 1) -+ -+/** -+ * in_same_user_ns - return true if two processes are in the same user -+ * namespace. -+ * @pid_a: the pid of the first process -+ * @pid_b: the pid of the second process -+ * -+ * Works by comparing the inode numbers for /proc//user. -+ */ -+static int -+in_same_user_ns(pid_t pid_a, pid_t pid_b) -+{ -+ char path[NS_PATH_MAXLEN]; -+ ino_t a_ino, b_ino; -+ struct stat st; -+ -+ snprintf(path, sizeof(path), NS_PATH_FMT, pid_a, "user"); -+ if (stat(path, &st) != 0) -+ return 0; -+ a_ino = st.st_ino; -+ -+ snprintf(path, sizeof(path), NS_PATH_FMT, pid_b, "user"); -+ if (stat(path, &st) != 0) -+ return 0; -+ b_ino = st.st_ino; -+ -+ return a_ino == b_ino; -+} -+ -+/** -+ * switch_to_process_ns - change the namespace to the one for the specified -+ * process. -+ * @pid: initiating pid value from the upcall string -+ * -+ * Uses setns() to switch process namespace. -+ * This ensures that we have the same access and configuration as the -+ * process that triggered the lookup. -+ */ -+static int -+switch_to_process_ns(pid_t pid) -+{ -+ int count = sizeof(namespace_files) / sizeof(struct namespace_file); -+ int n, err = 0; -+ int rc = 0; -+ -+ /* First, open all the namespace fds. We do this first because -+ the namespace changes might prohibit us from opening them. */ -+ for (n = 0; n < count; ++n) { -+ char nspath[NS_PATH_MAXLEN]; -+ int ret, fd; -+ -+#ifdef CLONE_NEWUSER -+ if (namespace_files[n].nstype == CLONE_NEWUSER -+ && in_same_user_ns(getpid(), pid)) { -+ /* Switching to the same user namespace is forbidden, -+ because switching to a user namespace grants all -+ capabilities in that namespace regardless of uid. */ -+ namespace_files[n].fd = -1; -+ continue; -+ } -+#endif -+ -+ ret = snprintf(nspath, NS_PATH_MAXLEN, NS_PATH_FMT, -+ pid, namespace_files[n].name); -+ if (ret >= NS_PATH_MAXLEN) { -+ syslog(LOG_DEBUG, "%s: unterminated path!\n", __func__); -+ err = ENAMETOOLONG; -+ rc = -1; -+ goto out; -+ } -+ -+ fd = open(nspath, O_RDONLY); -+ if (fd < 0 && errno != ENOENT) { -+ /* -+ * don't stop on non-existing ns -+ * but stop for other errors -+ */ -+ err = errno; -+ rc = -1; -+ goto out; -+ } -+ -+ namespace_files[n].fd = fd; -+ } -+ -+ /* Next, call setns for each of them */ -+ for (n = 0; n < count; ++n) { -+ /* skip non-existing ns */ -+ if (namespace_files[n].fd < 0) -+ continue; -+ -+ rc = setns(namespace_files[n].fd, namespace_files[n].nstype); -+ -+ if (rc < 0) { -+ syslog(LOG_DEBUG, "%s: setns() failed for %s\n", -+ __func__, namespace_files[n].name); -+ err = errno; -+ goto out; -+ } -+ } -+ -+out: -+ /* Finally, close all the fds */ -+ for (n = 0; n < count; ++n) { -+ if (namespace_files[n].fd != -1) { -+ close(namespace_files[n].fd); -+ namespace_files[n].fd = -1; -+ } -+ } -+ -+ if (rc != 0) { -+ errno = err; -+ } -+ -+ return rc; -+} -+ - #define ENV_PATH_FMT "/proc/%d/environ" - #define ENV_PATH_MAXLEN (6 + 10 + 8 + 1) - -@@ -1109,6 +1268,19 @@ int main(const int argc, char *const argv[]) - env_cachename = - get_cachename_from_process_env(env_probe ? arg.pid : 0); - -+ /* -+ * Change to the process's namespace. This means that things will work -+ * acceptably in containers, because we'll be looking at the correct -+ * filesystem and have the correct network configuration. -+ */ -+ rc = switch_to_process_ns(arg.pid); -+ if (rc == -1) { -+ syslog(LOG_ERR, "unable to switch to process namespace: %s", -+ strerror(errno)); -+ rc = 1; -+ goto out; -+ } -+ - rc = setuid(uid); - if (rc == -1) { - syslog(LOG_ERR, "setuid: %s", strerror(errno)); --- -2.30.0 - diff --git a/cifs-utils-6.12.tar.bz2 b/cifs-utils-6.12.tar.bz2 deleted file mode 100644 index 446187a..0000000 --- a/cifs-utils-6.12.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:922ddcc3059922e80789312c386b9c569991b4350d3ae3099de3e4b82f3885ef -size 413393 diff --git a/cifs-utils-6.12.tar.bz2.asc b/cifs-utils-6.12.tar.bz2.asc deleted file mode 100644 index ce15133..0000000 --- a/cifs-utils-6.12.tar.bz2.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2 - -iQIcBAABCAAGBQJf7h0CAAoJEN9bqdMGQtWg7GUP/j0ls0bLmbu8vLkUIzMNkCF3 -VpR8E90uH6oVaqgzmCN4sQOUjR6mr6OClugfp198sfuEQOSF+7Al88Yn/wlVwSPM -a//lqbfqt0oQW9YbdaxTHsLXAh7D/0WZQaN7fTgVMiqivy5i/ePykpBpq7druVgB -iI71383V4GBgOGlyTmmZKwLgXzg2EF5OV8S10PO8cOmoKzQNkIllGM0wdOfO06zq -Y6kRjU/JEip8aV4Wiv9Y37TfByQJVNBEAscOX6XODTaIGOjbl+INcnfzDyvQS28a -0p8QHQk02lNhOiuWIppbW1lIHAvkEWTrrguULj7ZbBfYNkmPwdzUHmLipYUaPzh+ -VPqRRz83DA4ydGNYQHNbGmZN5mml7+/d673Jj3YzbHFuyHBktgSJznBPhiSJfIC0 -2oPiKy5NbIi7iAWHx6A/tXYYZ6Zq6F3cig+aAt+HK4BkYQZhFqKuT1Yi74W0wXYu -97euqf2OV/ephMMdj5Cuy6CgSSvWW+p8Ysz6UqeF3sE5M4VyfQeXLbJz3p7MCF2+ -PxiqUhS97HR/P3Wuo4I+W09mUE+vom8dEOGUKRDqqro9qhdhwfKUMFMoKHPL22sG -MnrMHYl5e5E+/8OIexRe79TT2R3sWGwCfaN+BZ1CZwkPftl8OBS1yf1jn6RZNdCT -R0qOv4DIo0BD62jpjZWq -=AHIm ------END PGP SIGNATURE----- diff --git a/cifs-utils-6.13.tar.bz2 b/cifs-utils-6.13.tar.bz2 new file mode 100644 index 0000000..ea6b1ad --- /dev/null +++ b/cifs-utils-6.13.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:43d8786c8613caccfa84913081c1d62bc2409575854cf895b05b48af0863d056 +size 414584 diff --git a/cifs-utils-6.13.tar.bz2.asc b/cifs-utils-6.13.tar.bz2.asc new file mode 100644 index 0000000..c35ac4b --- /dev/null +++ b/cifs-utils-6.13.tar.bz2.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCAAGBQJgdN7mAAoJEN9bqdMGQtWgGscP/3Cw/twYIV+O6jjdio/Xpqgq +P3hcWeZWaT0WqspG47mFmlfb3Iy99EeqC5ZkhKOobHkMW1V02I86GpfcTqUezghk +ZzEI/QSbjco1235HWUNcXzvH7O3tzKP5dvts2TVsE7/HBICgOetVEDDdZc5LEtrS +EqkpOOtTS6VIFaX8iWNzq6wBWcUfnwwvS9NS1653KZs5LzqIq/Svvk9n7D1sqU1E +406s5Kk79knnEUp0X8Yd9uY9UAupeJffF788MEdDDRKI1IlmBVsjmq1hv7R27jXH +ojZQRfkyBgOGGAJysrlxNigC4bcQD4RI/tglAOf4a+nami/Lj/1M0mUJ6m67ggPR +aJq/HpQiqHrk1ukkDj7vnV5zEiD4hn8tqlgJGOB3wbjQxNHb40OM2kVc5uC3TnzJ +hMR5JISO1dTDL3hX8rcq6Bj35RLUKDX1H5/t/ug9+Ux1zqq17CkXezzoyEcqVBj4 +ygJuyuiNZdvewIH5TXYocP3jxAo4LNGFOiJboxu298hA5o4MX8YeCmAiDwkGDTvg +UwfXOe6XkU07F+RIXQ5BibkwNn29hHRXwt6TKBo6RJ90Fi9SU9arPTQN1c+veDWh +WGJqbKKariCO4Sl9dIQ/hjnxcBDnC+gPiONFNT/0YEEcWUFPVSFQ2O3BtB4Vt+bt +YmOPUy27OTAIMtaJvhR7 +=dxGs +-----END PGP SIGNATURE----- diff --git a/cifs-utils.changes b/cifs-utils.changes index 3deb669..04af84b 100644 --- a/cifs-utils.changes +++ b/cifs-utils.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Fri May 14 11:13:47 UTC 2021 - Ferdinand Thiessen + +- Update to cifs-utils 6.13 + * Fixes CVE-2021-20208, cifs.upcall kerberos auth leak in container + * remove cifs-utils-6.12.tar.bz2 + * remove cifs-utils-6.12.tar.bz2.asc + * add cifs-utils-6.13.tar.bz2 + * add cifs-utils-6.13.tar.bz2.asc +- Drop upstream fixed patches: + * 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch + ------------------------------------------------------------------- Fri Apr 23 10:41:59 UTC 2021 - Aurelien Aptel diff --git a/cifs-utils.spec b/cifs-utils.spec index 685293d..22ff9da 100644 --- a/cifs-utils.spec +++ b/cifs-utils.spec @@ -21,7 +21,7 @@ %endif Name: cifs-utils -Version: 6.12 +Version: 6.13 Release: 0 Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem License: GPL-3.0-or-later @@ -37,8 +37,7 @@ Source100: README.cifstab.migration Source1: cifs.init Patch1: fix-sbin-install-error.patch -Patch2: 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch -Patch3: 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch +Patch2: 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins @@ -136,7 +135,6 @@ done %patch1 -p1 %patch2 -p1 -%patch3 -p1 %build export CFLAGS="%{optflags} -D_GNU_SOURCE -fpie"