userns: Fail exec for suid and sgid binaries with ids outside our user namespace.
authorEric W. Biederman <ebiederm@xmission.com>
Thu, 17 Nov 2011 07:37:59 +0000 (23:37 -0800)
committerEric W. Biederman <ebiederm@xmission.com>
Tue, 15 May 2012 21:59:23 +0000 (14:59 -0700)
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
fs/exec.c

index 00ae2ef100d8ad3b01c2cc71ffbbba899b979d58..e001bdfac5306391a74ded9ea0a5ac4efd856892 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1291,8 +1291,11 @@ int prepare_binprm(struct linux_binprm *bprm)
        if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
                /* Set-uid? */
                if (mode & S_ISUID) {
+                       if (!kuid_has_mapping(bprm->cred->user_ns, inode->i_uid))
+                               return -EPERM;
                        bprm->per_clear |= PER_CLEAR_ON_SETID;
                        bprm->cred->euid = inode->i_uid;
+
                }
 
                /* Set-gid? */
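Review bot: The new set-uid branch reads `inode->i_uid` twice, once in `kuid_has_mapping()` and again in the `bprm->cred->euid` assignment, so the id assigned is not guaranteed to be the id that was checked if the file's owner can change in between. No inode lock is visible in this hunk, and prepare_binprm starts and ends outside it, so this needs confirming against the rest of the function. Reading the owner once into a local and using it in both places, `if (!kuid_has_mapping(bprm->cred->user_ns, uid))` followed by `bprm->cred->euid = uid;`, keeps check and use on the same value. The set-gid hunk has the same shape with `inode->i_gid`. The blank line added before the closing brace of the set-uid block looks unintentional and can be dropped.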
@@ -1302,6 +1305,8 @@ int prepare_binprm(struct linux_binprm *bprm)
                 * executable.
                 */
                if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+                       if (!kgid_has_mapping(bprm->cred->user_ns, inode->i_gid))
+                               return -EPERM;
                        bprm->per_clear |= PER_CLEAR_ON_SETID;
                        bprm->cred->egid = inode->i_gid;
                }
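Review bot: The `return -EPERM` added in the set-gid branch has no comment explaining why exec is refused outright, whereas the enclosing `MNT_NOSUID` test visible in the first hunk handles its case by skipping the id change and letting exec proceed. A short comment above the check would record the intent, for example `/* Refuse to exec rather than take on a gid with no mapping in our user namespace */`, and the same applies to the set-uid check. Files that could be executed before this change now fail with -EPERM for callers in such a namespace; that is presumably intended, but the commit description carries only the title and does not say so. The function body continues outside the hunk.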