path: root/pkg/sentry/state/state_unsafe.go
author: Jamie Liu <jamieliu@google.com> 2020-05-04 18:00:56 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-05-05 09:19:52 -0700
commit: 35951c3671f3d429399eb581ad9da3b56e2a5f5a
tree: 292f00eb8943be7cdf261bfeb75bd9b517b96d69 /pkg/sentry/state/state_unsafe.go
parent: da71dc7fddda387232b243c6176de21a1208ad0c
Translate p9.NoUID/GID to OverflowUID/GID.

p9.NoUID/GID (== uint32(-1) == auth.NoID) is not a valid auth.KUID/KGID; in particular, using it for file ownership causes capabilities to be ineffective since file capabilities require that the file's KUID and KGID are mapped into the capability holder's user namespace [1], and auth.NoID is not mapped into any user namespace. Map p9.NoUID/GID to a different, valid KUID/KGID; in the unlikely case that an application actually using the overflow KUID/KGID attempts an operation that is consequently permitted by client permission checks, the remote operation will still fail with EPERM.

Since this changes the VFS2 gofer client to no longer ignore the invalid IDs entirely, this CL both permits and requires that we change synthetic mount point creation to use root credentials.

[1] See fs.Inode.CheckCapability or vfs.GenericCheckPermissions.

PiperOrigin-RevId: 309856455

Diffstat (limited to 'pkg/sentry/state/state_unsafe.go')
0 files changed, 0 insertions, 0 deletions
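
The ownership rule described in the commit message above, as a simplified Go model added here as an example; it is not gVisor's code. The names `userNamespace`, `idRange`, `mapped`, `capabilityApplies` and `translateP9ID` are hypothetical, and the overflow value 65534 (the Linux default overflow ID) is an assumption.

```go
package main

import "fmt"

// Simplified model, not gVisor code: every name below is hypothetical.
const (
	noID       uint32 = ^uint32(0) // uint32(-1), the p9.NoUID/GID sentinel
	overflowID uint32 = 65534      // assumed overflow ID (Linux default)
)

// idRange describes kernel IDs [first, first+length) mapped into a namespace.
type idRange struct{ first, length uint32 }

type userNamespace struct{ uids, gids []idRange }

func mapped(ranges []idRange, id uint32) bool {
	if id == noID {
		return false // the "no ID" sentinel is not mapped into any namespace
	}
	for _, r := range ranges {
		if id >= r.first && id-r.first < r.length {
			return true
		}
	}
	return false
}

// capabilityApplies models the rule from the commit message: a capability held
// in ns is effective on a file only if the file's KUID and KGID map into ns.
func capabilityApplies(ns userNamespace, fileKUID, fileKGID uint32) bool {
	return mapped(ns.uids, fileKUID) && mapped(ns.gids, fileKGID)
}

// translateP9ID models the fix: swap the invalid sentinel for the overflow ID.
func translateP9ID(wire uint32) uint32 {
	if wire == noID {
		return overflowID
	}
	return wire
}

func main() {
	root := userNamespace{
		uids: []idRange{{0, noID}}, // covers 0 .. noID-1
		gids: []idRange{{0, noID}},
	}
	fmt.Println("raw NoID owner:  ", capabilityApplies(root, noID, noID))
	fmt.Println("translated owner:", capabilityApplies(root, translateP9ID(noID), translateP9ID(noID)))
}
```

In this model a namespace that maps only a narrow ID range still does not cover the overflow ID, so the translation restores capability checks only where that ID is mapped.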