files-reg: restore PR_SET_DUMPABLE flag after setfsuid

Restore dumpable flag after setfsuid to assure that created /proc/self/* file inode had task's credentials. Without it it would have root creds and trying to access proc files of task will fail from non-root user in generic vfs permission check. Signed-off-by: Dmitry Safonov <dsafonov@odin.com> Acked-by: Andrew Vagin <avagin@virtuozzo.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

files-reg: restore PR_SET_DUMPABLE flag after setfsuid
Restore dumpable flag after setfsuid to assure that created /proc/self/* file inode had task's credentials. Without it it would have root creds and trying to access proc files of task will fail from non-root user in generic vfs permission check. Signed-off-by: Dmitry Safonov <dsafonov@odin.com> Acked-by: Andrew Vagin <avagin@virtuozzo.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
95cb2ddb · Dmitry Safonov · Pavel Emelyanov · 48b19662 · 95cb2ddb
Commit 95cb2ddb authored Dec 18, 2015 by Dmitry Safonov Committed by Pavel Emelyanov Dec 18, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

files-reg.c files-reg.c +10 -1

No files found.
--- a/files-reg.c
+++ b/files-reg.c
@@ -1091,13 +1091,22 @@ static int linkat_hard(int odir, char *opath, int ndir, char *npath, uid_t owner
 	if (root_ns_mask & CLONE_NEWUSER) {
 		setfsuid(old_fsuid);
-		if (setfsuid(-1) != old_fsuid)
+		if (setfsuid(-1) != old_fsuid) {
 			pr_warn("Failed to restore old fsuid!\n");
 			/*
 			 * Don't fail here. We still have chances to run till
 			 * the pie/restorer, and if _this_ guy fails to set
 			 * the proper fsuid, then we'll abort the restore.
 			 */
+		}
+		/*
+		 * Restoring PR_SET_DUMPABLE flag is required after setfsuid,
+		 * as if it not set, proc inode will be created with root cred
+		 * (see proc_pid_make_inode), which will result in permission
+		 * check fail when trying to access files in /proc/self/
+		 */
+		prctl(PR_SET_DUMPABLE, 1, 0);
 	}
 	errno = errno_save;