On 11/15/2016 12:53 AM, Alex Mestiashvili wrote:
> Just stumbled upon the same problem; it seems that CLONE_NEWUSER (
> and, as a consequence, unprivileged containers ) simply doesn't work
> with a grsecurity-patched kernel, see:
>
>  https://forums.grsecurity.net/viewtopic.php?f=3&t=3929
>
> You can see if  "user namespaces" works with this code:
> https://lwn.net/Articles/539941/
>
I found out that the problem is in new[ug]idmap; patching new[ug]idmap.c (uidmap
package) solved it.

I attached patches for your reference.

Thanks.



--- newgidmap.c.orig	2016-11-17 17:29:16.164529187 +0800
+++ newgidmap.c	2016-11-17 17:28:22.904741277 +0800
@@ -159,7 +159,11 @@
 	if ((getuid() != pw->pw_uid) ||
 	    (getgid() != pw->pw_gid) ||
 	    (pw->pw_uid != st.st_uid) ||
-	    (pw->pw_gid != st.st_gid)) {
+	    (pw->pw_gid != st.st_gid && st.st_gid != 64044)) {
+		fprintf(stderr, _( "getuid(%lu) != pw->pw_uid(%lu)\n" ), getuid(), pw->pw_uid);
+                fprintf(stderr, _( "getgid(%lu) != pw->pw_gid(%lu)\n" ), getgid(), pw->pw_gid);
+                fprintf(stderr, _( "pw->pw_uid(%lu) != st.st_uid(%lu)\n" ), pw->pw_uid, st.st_uid);
+                fprintf(stderr, _( "pw->pw_gid(%lu) != st.st_gid(%lu)\n" ), pw->pw_gid, st.st_gid);
 		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
 			Prog, target);
 		return EXIT_FAILURE;
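Review bot: The added `st.st_gid != 64044` clause exempts one hard-coded gid from the target-ownership check with no comment saying what that group is or why a target process in it may have its map written by a caller whose gid differs; the uid comparison still has to hold, but a setuid helper should carry that rationale next to a named constant rather than a bare number. The four new diagnostics pass `uid_t`/`gid_t` values to `%lu`, which is undefined behavior wherever those types are not `unsigned long`; cast each argument, e.g. `(unsigned long) getuid(), (unsigned long) pw->pw_uid`. They also print all four comparisons regardless of which one failed, so the output misleads the reader, and in this hunk the three middle lines are indented with spaces while the rest of the file uses tabs. The same points apply to the newuidmap.c hunk below. The enclosing function starts and ends outside the hunk.
```c
	/* NOTE(review): state here which group this is and why a target in it
	 * is exempt from the gid part of the owner check. */
	if ((getuid() != pw->pw_uid) ||
	    (getgid() != pw->pw_gid) ||
	    (pw->pw_uid != st.st_uid) ||
	    (pw->pw_gid != st.st_gid && st.st_gid != EXEMPTED_TARGET_GID /* placeholder name for 64044 */)) {
		/* uid_t/gid_t are not unsigned long on every ABI; cast before %lu. */
		fprintf(stderr, _( "getuid(%lu) != pw->pw_uid(%lu)\n" ),
			(unsigned long) getuid(), (unsigned long) pw->pw_uid);
		/* … same cast applied to the other three diagnostics … */
		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
			Prog, target);
		return EXIT_FAILURE;
```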
--- newuidmap.c.orig	2016-11-17 17:28:53.124620939 +0800
+++ newuidmap.c	2016-11-17 17:28:22.908741260 +0800
@@ -159,7 +159,12 @@
 	if ((getuid() != pw->pw_uid) ||
 	    (getgid() != pw->pw_gid) ||
 	    (pw->pw_uid != st.st_uid) ||
-	    (pw->pw_gid != st.st_gid)) {
+	    (pw->pw_gid != st.st_gid && st.st_gid != 64044)) {
+		fprintf(stderr, _( "getuid(%lu) != pw->pw_uid(%lu)\n" ), getuid(), pw->pw_uid);
+		fprintf(stderr, _( "getgid(%lu) != pw->pw_gid(%lu)\n" ), getgid(), pw->pw_gid);
+		fprintf(stderr, _( "pw->pw_uid(%lu) != st.st_uid(%lu)\n" ), pw->pw_uid, st.st_uid);
+		fprintf(stderr, _( "pw->pw_gid(%lu) != st.st_gid(%lu)\n" ), pw->pw_gid, st.st_gid);
+
 		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
 			Prog, target);
 		return EXIT_FAILURE;

