Require CAP_SYS_ADMIN in the root user namespace for TTY theft

PiperOrigin-RevId: 318563543
author: Kevin Krakauer <krakauer@google.com> 2020-06-26 16:23:15 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-06-26 16:24:39 -0700
commit: 9cfc15497581824f1c6ba2b9f9ee653d0be0bc5a (patch)
tree: 0d11a48c87597dc08188437f72733de9da0c9024 /pkg/sentry/kernel
parent: e6a90baef1e6921c560c939f4b591163004613b9 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/thread_group.go b/pkg/sentry/kernel/thread_group.go
index 52849f5b3..4dfd2c990 100644
--- a/pkg/sentry/kernel/thread_group.go
+++ b/pkg/sentry/kernel/thread_group.go
@@ -366,7 +366,8 @@ func (tg *ThreadGroup) SetControllingTTY(tty *TTY, arg int32) error {
 	// terminal is stolen, and all processes that had it as controlling
 	// terminal lose it." - tty_ioctl(4)
 	if tty.tg != nil && tg.processGroup.session != tty.tg.processGroup.session {
-		if !auth.CredentialsFromContext(tg.leader).HasCapability(linux.CAP_SYS_ADMIN) || arg != 1 {
+		// Stealing requires CAP_SYS_ADMIN in the root user namespace.
+		if creds := auth.CredentialsFromContext(tg.leader); !creds.HasCapabilityIn(linux.CAP_SYS_ADMIN, creds.UserNamespace.Root()) || arg != 1 {
 			return syserror.EPERM
 		}
 		// Steal the TTY away. Unlike TIOCNOTTY, don't send signals.
author	Kevin Krakauer <krakauer@google.com>	2020-06-26 16:23:15 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-06-26 16:24:39 -0700
commit	9cfc15497581824f1c6ba2b9f9ee653d0be0bc5a (patch)
tree	0d11a48c87597dc08188437f72733de9da0c9024 /pkg/sentry/kernel
parent	e6a90baef1e6921c560c939f4b591163004613b9 (diff)