Accepting request 893218 from network:samba:STABLE

OBS-URL: https://build.opensuse.org/request/show/893218 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cifs-utils?expand=0&rev=68
2021-05-18 16:26:45 +00:00 · 2021-05-18 16:26:45 +00:00 · 441119c9ce
commit 441119c9ce
parent 07c5d3dc0c e6a130724b
7 changed files with 34 additions and 288 deletions
--- a/0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch
+++ b/0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch
@ -1,264 +0,0 @@
 From e461afd8cfa6d0781ae0c5c10e89b6ef1ca6da32 Mon Sep 17 00:00:00 2001
 From: Alastair Houghton <alastair@alastairs-place.net>
 Date: Tue, 29 Dec 2020 14:02:39 +0000
 Subject: [PATCH] cifs.upcall: try to use container ipc/uts/net/pid/mnt/user
 namespaces
 In certain scenarios (e.g. kerberos multimount), when a process does
 syscalls, the kernel sometimes has to query information or trigger
 some actions in userspace. To do so it calls the cifs.upcall binary
 with information on the process that triggered the syscall in the
 first place.
 ls(pid=10) ====> open("foo") ====> kernel
                                   that user doesn't have an SMB
                                   session, lets create one using his
                                   kerberos credential cache
                                   call cifs.upcall and ask for krb info
                                   for whoever owns pid=10
                                                         |
                  cifs.upcall --pid 10 <=================+
               ...gather info...
                  return binary blob used
                  when establishing SMB session
                        ===================> kernel
                                              open SMB session, handle
                                              open() syscall
 ls <===================================   return open() result to ls
 On a system using containers, the kernel is still calling the host
 cifs.upcall and using the host configuration (for network, pid, etc).
 This patch changes the behaviour of cifs.upcall so that it uses the
 calling process namespaces (ls in the example) when doing its
 job.
 Note that the kernel still calls the binary in the host, but the
 binary will place itself the contexts of the calling process
 namespaces.
 This code makes use of (but shouldn't require) the following kernel
 config options and syscall flags:
 approx. year   |
 introduced     |  config/flags
 ---------------+----------------
 2008           | CONFIG_NAMESPACES=y
 2007           | CONFIG_UTS_NS=y
 2020           | CONFIG_TIME_NS=y
 2006           | CONFIG_IPC_NS=y
 2007           | CONFIG_USER_NS
 2008           | CONFIG_PID_NS=y
 2007           | CONFIG_NET_NS=y
 2007           | CONFIG_CGROUPS
 2016           | CLONE_NEWCGROUP setns() flag
 Signed-off-by: Aurelien Aptel <aaptel@suse.com>
 Signed-off-by: Alastair Houghton <alastair@alastairs-place.net>
 ---
 cifs.upcall.c | 172 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 172 insertions(+)
 diff --git a/cifs.upcall.c b/cifs.upcall.c
 index 400b42d..e413934 100644
 --- a/cifs.upcall.c
 +++ b/cifs.upcall.c
@@ -51,6 +51,7 @@
 #include <grp.h>
 #include <stdbool.h>
 #include <errno.h>
 +#include <sched.h>
 #include "data_blob.h"
 #include "spnego.h"
@@ -240,6 +241,164 @@ err_cache:
 	return credtime;
 }
 +static struct namespace_file {
 +	int nstype;
 +	const char *name;
 +	int fd;
 +} namespace_files[] = {
 +
 +#ifdef CLONE_NEWCGROUP
 +	{ CLONE_NEWCGROUP, "cgroup", -1 },
 +#endif
 +
 +#ifdef CLONE_NEWIPC
 +	{ CLONE_NEWIPC, "ipc", -1 },
 +#endif
 +
 +#ifdef CLONE_NEWUTS
 +	{ CLONE_NEWUTS, "uts", -1 },
 +#endif
 +
 +#ifdef CLONE_NEWNET
 +	{ CLONE_NEWNET, "net", -1 },
 +#endif
 +
 +#ifdef CLONE_NEWPID
 +	{ CLONE_NEWPID, "pid", -1 },
 +#endif
 +
 +#ifdef CLONE_NEWTIME
 +	{ CLONE_NEWTIME, "time", -1 },
 +#endif
 +
 +#ifdef CLONE_NEWNS
 +	{ CLONE_NEWNS, "mnt", -1 },
 +#endif
 +
 +#ifdef CLONE_NEWUSER
 +	{ CLONE_NEWUSER, "user", -1 },
 +#endif
 +};
 +
 +#define NS_PATH_FMT    "/proc/%d/ns/%s"
 +#define NS_PATH_MAXLEN (6 + 10 + 4 + 6 + 1)
 +
 +/**
 + * in_same_user_ns - return true if two processes are in the same user
 + *                   namespace.
 + * @pid_a: the pid of the first process
 + * @pid_b: the pid of the second process
 + *
 + * Works by comparing the inode numbers for /proc/<pid>/user.
 + */
 +static int
 +in_same_user_ns(pid_t pid_a, pid_t pid_b)
 +{
 +	char path[NS_PATH_MAXLEN];
 +	ino_t a_ino, b_ino;
 +	struct stat st;
 +
 +	snprintf(path, sizeof(path), NS_PATH_FMT, pid_a, "user");
 +	if (stat(path, &st) != 0)
 +		return 0;
 +	a_ino = st.st_ino;
 +
 +	snprintf(path, sizeof(path), NS_PATH_FMT, pid_b, "user");
 +	if (stat(path, &st) != 0)
 +		return 0;
 +	b_ino = st.st_ino;
 +
 +	return a_ino == b_ino;
 +}
 +
 +/**
 + * switch_to_process_ns - change the namespace to the one for the specified
 + *                        process.
 + * @pid: initiating pid value from the upcall string
 + *
 + * Uses setns() to switch process namespace.
 + * This ensures that we have the same access and configuration as the
 + * process that triggered the lookup.
 + */
 +static int
 +switch_to_process_ns(pid_t pid)
 +{
 +	int count = sizeof(namespace_files) / sizeof(struct namespace_file);
 +	int n, err = 0;
 +	int rc = 0;
 +
 +	/* First, open all the namespace fds.  We do this first because
 +	   the namespace changes might prohibit us from opening them. */
 +	for (n = 0; n < count; ++n) {
 +		char nspath[NS_PATH_MAXLEN];
 +		int ret, fd;
 +
 +#ifdef CLONE_NEWUSER
 +		if (namespace_files[n].nstype == CLONE_NEWUSER
 +		    && in_same_user_ns(getpid(), pid)) {
 +			/* Switching to the same user namespace is forbidden,
 +			   because switching to a user namespace grants all
 +			   capabilities in that namespace regardless of uid. */
 +			namespace_files[n].fd = -1;
 +			continue;
 +		}
 +#endif
 +
 +		ret = snprintf(nspath, NS_PATH_MAXLEN, NS_PATH_FMT,
 +			       pid, namespace_files[n].name);
 +		if (ret >= NS_PATH_MAXLEN) {
 +			syslog(LOG_DEBUG, "%s: unterminated path!\n", __func__);
 +			err = ENAMETOOLONG;
 +			rc = -1;
 +			goto out;
 +		}
 +
 +		fd = open(nspath, O_RDONLY);
 +		if (fd < 0 && errno != ENOENT) {
 +			/*
 +			 * don't stop on non-existing ns
 +			 * but stop for other errors
 +			 */
 +			err = errno;
 +			rc = -1;
 +			goto out;
 +		}
 +
 +		namespace_files[n].fd = fd;
 +	}
 +
 +	/* Next, call setns for each of them */
 +	for (n = 0; n < count; ++n) {
 +		/* skip non-existing ns */
 +		if (namespace_files[n].fd < 0)
 +			continue;
 +
 +		rc = setns(namespace_files[n].fd, namespace_files[n].nstype);
 +
 +		if (rc < 0) {
 +			syslog(LOG_DEBUG, "%s: setns() failed for %s\n",
 +			       __func__, namespace_files[n].name);
 +			err = errno;
 +			goto out;
 +		}
 +	}
 +
 +out:
 +	/* Finally, close all the fds */
 +	for (n = 0; n < count; ++n) {
 +		if (namespace_files[n].fd != -1) {
 +			close(namespace_files[n].fd);
 +			namespace_files[n].fd = -1;
 +		}
 +	}
 +
 +	if (rc != 0) {
 +		errno = err;
 +	}
 +
 +	return rc;
 +}
 +
 #define	ENV_PATH_FMT			"/proc/%d/environ"
 #define	ENV_PATH_MAXLEN			(6 + 10 + 8 + 1)
@@ -1109,6 +1268,19 @@ int main(const int argc, char *const argv[])
 	env_cachename =
 		get_cachename_from_process_env(env_probe ? arg.pid : 0);
 +	/*
 +	 * Change to the process's namespace. This means that things will work
 +	 * acceptably in containers, because we'll be looking at the correct
 +	 * filesystem and have the correct network configuration.
 +	 */
 +	rc = switch_to_process_ns(arg.pid);
 +	if (rc == -1) {
 +		syslog(LOG_ERR, "unable to switch to process namespace: %s",
 +		       strerror(errno));
 +		rc = 1;
 +		goto out;
 +	}
 +
 	rc = setuid(uid);
 	if (rc == -1) {
 		syslog(LOG_ERR, "setuid: %s", strerror(errno));
 -- 
 2.30.0
--- a/cifs-utils-6.12.tar.bz2
+++ b/cifs-utils-6.12.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:922ddcc3059922e80789312c386b9c569991b4350d3ae3099de3e4b82f3885ef
 size 413393
--- a/cifs-utils-6.12.tar.bz2.asc
+++ b/cifs-utils-6.12.tar.bz2.asc
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 iQIcBAABCAAGBQJf7h0CAAoJEN9bqdMGQtWg7GUP/j0ls0bLmbu8vLkUIzMNkCF3
 VpR8E90uH6oVaqgzmCN4sQOUjR6mr6OClugfp198sfuEQOSF+7Al88Yn/wlVwSPM
 a//lqbfqt0oQW9YbdaxTHsLXAh7D/0WZQaN7fTgVMiqivy5i/ePykpBpq7druVgB
 iI71383V4GBgOGlyTmmZKwLgXzg2EF5OV8S10PO8cOmoKzQNkIllGM0wdOfO06zq
 Y6kRjU/JEip8aV4Wiv9Y37TfByQJVNBEAscOX6XODTaIGOjbl+INcnfzDyvQS28a
 0p8QHQk02lNhOiuWIppbW1lIHAvkEWTrrguULj7ZbBfYNkmPwdzUHmLipYUaPzh+
 VPqRRz83DA4ydGNYQHNbGmZN5mml7+/d673Jj3YzbHFuyHBktgSJznBPhiSJfIC0
 2oPiKy5NbIi7iAWHx6A/tXYYZ6Zq6F3cig+aAt+HK4BkYQZhFqKuT1Yi74W0wXYu
 97euqf2OV/ephMMdj5Cuy6CgSSvWW+p8Ysz6UqeF3sE5M4VyfQeXLbJz3p7MCF2+
 PxiqUhS97HR/P3Wuo4I+W09mUE+vom8dEOGUKRDqqro9qhdhwfKUMFMoKHPL22sG
 MnrMHYl5e5E+/8OIexRe79TT2R3sWGwCfaN+BZ1CZwkPftl8OBS1yf1jn6RZNdCT
 R0qOv4DIo0BD62jpjZWq
 =AHIm
 -----END PGP SIGNATURE-----
--- a/cifs-utils-6.13.tar.bz2
+++ b/cifs-utils-6.13.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:43d8786c8613caccfa84913081c1d62bc2409575854cf895b05b48af0863d056
 size 414584
--- a/cifs-utils-6.13.tar.bz2.asc
+++ b/cifs-utils-6.13.tar.bz2.asc
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 iQIcBAABCAAGBQJgdN7mAAoJEN9bqdMGQtWgGscP/3Cw/twYIV+O6jjdio/Xpqgq
 P3hcWeZWaT0WqspG47mFmlfb3Iy99EeqC5ZkhKOobHkMW1V02I86GpfcTqUezghk
 ZzEI/QSbjco1235HWUNcXzvH7O3tzKP5dvts2TVsE7/HBICgOetVEDDdZc5LEtrS
 EqkpOOtTS6VIFaX8iWNzq6wBWcUfnwwvS9NS1653KZs5LzqIq/Svvk9n7D1sqU1E
 406s5Kk79knnEUp0X8Yd9uY9UAupeJffF788MEdDDRKI1IlmBVsjmq1hv7R27jXH
 ojZQRfkyBgOGGAJysrlxNigC4bcQD4RI/tglAOf4a+nami/Lj/1M0mUJ6m67ggPR
 aJq/HpQiqHrk1ukkDj7vnV5zEiD4hn8tqlgJGOB3wbjQxNHb40OM2kVc5uC3TnzJ
 hMR5JISO1dTDL3hX8rcq6Bj35RLUKDX1H5/t/ug9+Ux1zqq17CkXezzoyEcqVBj4
 ygJuyuiNZdvewIH5TXYocP3jxAo4LNGFOiJboxu298hA5o4MX8YeCmAiDwkGDTvg
 UwfXOe6XkU07F+RIXQ5BibkwNn29hHRXwt6TKBo6RJ90Fi9SU9arPTQN1c+veDWh
 WGJqbKKariCO4Sl9dIQ/hjnxcBDnC+gPiONFNT/0YEEcWUFPVSFQ2O3BtB4Vt+bt
 YmOPUy27OTAIMtaJvhR7
 =dxGs
 -----END PGP SIGNATURE-----
--- a/cifs-utils.changes
+++ b/cifs-utils.changes
@ -1,3 +1,15 @@
 -------------------------------------------------------------------
 Fri May 14 11:13:47 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
 - Update to cifs-utils 6.13
  * Fixes CVE-2021-20208, cifs.upcall kerberos auth leak in container
  * remove cifs-utils-6.12.tar.bz2
  * remove cifs-utils-6.12.tar.bz2.asc
  * add    cifs-utils-6.13.tar.bz2
  * add    cifs-utils-6.13.tar.bz2.asc
 - Drop upstream fixed patches:
  * 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch
 -------------------------------------------------------------------
 Fri Apr 23 10:41:59 UTC 2021 - Aurelien Aptel <aaptel@suse.com>
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@ -21,7 +21,7 @@
 %endif
 Name:           cifs-utils
-Version:        6.12
+Version:        6.13
 Release:        0
 Summary:        Utilities for doing and managing mounts of the Linux CIFS filesystem
 License:        GPL-3.0-or-later
@ -37,8 +37,7 @@ Source100:      README.cifstab.migration
 Source1:        cifs.init
 Patch1:         fix-sbin-install-error.patch
-Patch2:         0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch
+Patch2:         0001-cifs.upcall-fix-regression-in-kerberos-mount.patch
 Patch3:         0001-cifs.upcall-fix-regression-in-kerberos-mount.patch
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@ -136,7 +135,6 @@ done
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %build
 export CFLAGS="%{optflags} -D_GNU_SOURCE -fpie"