Commit 5af66203 authored by Eric W. Biederman

userns: Convert ptrace, kill, set_priority permission checks to work with kuids and kgids

Update the permission checks to use the new uid_eq and gid_eq helpers
and remove the now unnecessary user_ns equality comparison.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
parent a29c33f4
...@@ -198,13 +198,12 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode) ...@@ -198,13 +198,12 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
return 0; return 0;
rcu_read_lock(); rcu_read_lock();
tcred = __task_cred(task); tcred = __task_cred(task);
if (cred->user_ns == tcred->user_ns && if (uid_eq(cred->uid, tcred->euid) &&
(cred->uid == tcred->euid && uid_eq(cred->uid, tcred->suid) &&
cred->uid == tcred->suid && uid_eq(cred->uid, tcred->uid) &&
cred->uid == tcred->uid && gid_eq(cred->gid, tcred->egid) &&
cred->gid == tcred->egid && gid_eq(cred->gid, tcred->sgid) &&
cred->gid == tcred->sgid && gid_eq(cred->gid, tcred->gid))
cred->gid == tcred->gid))
goto ok; goto ok;
if (ptrace_has_cap(tcred->user_ns, mode)) if (ptrace_has_cap(tcred->user_ns, mode))
goto ok; goto ok;
......
...@@ -767,11 +767,10 @@ static int kill_ok_by_cred(struct task_struct *t) ...@@ -767,11 +767,10 @@ static int kill_ok_by_cred(struct task_struct *t)
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
const struct cred *tcred = __task_cred(t); const struct cred *tcred = __task_cred(t);
if (cred->user_ns == tcred->user_ns && if (uid_eq(cred->euid, tcred->suid) ||
(cred->euid == tcred->suid || uid_eq(cred->euid, tcred->uid) ||
cred->euid == tcred->uid || uid_eq(cred->uid, tcred->suid) ||
cred->uid == tcred->suid || uid_eq(cred->uid, tcred->uid))
cred->uid == tcred->uid))
return 1; return 1;
if (ns_capable(tcred->user_ns, CAP_KILL)) if (ns_capable(tcred->user_ns, CAP_KILL))
...@@ -1389,10 +1388,8 @@ static int kill_as_cred_perm(const struct cred *cred, ...@@ -1389,10 +1388,8 @@ static int kill_as_cred_perm(const struct cred *cred,
struct task_struct *target) struct task_struct *target)
{ {
const struct cred *pcred = __task_cred(target); const struct cred *pcred = __task_cred(target);
if (cred->user_ns != pcred->user_ns) if (!uid_eq(cred->euid, pcred->suid) && !uid_eq(cred->euid, pcred->uid) &&
return 0; !uid_eq(cred->uid, pcred->suid) && !uid_eq(cred->uid, pcred->uid))
if (cred->euid != pcred->suid && cred->euid != pcred->uid &&
cred->uid != pcred->suid && cred->uid != pcred->uid)
return 0; return 0;
return 1; return 1;
} }
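Review bot: kill_ok_by_cred and kill_as_cred_perm now encode the same four-way uid rule in opposite polarities (an OR of `uid_eq` in the first, an AND of `!uid_eq` in the second), and this commit had to edit both by hand, which is exactly how the two copies will drift the next time the credential model changes. A single static helper holding the four comparisons would let both callers read identically; kill_ok_by_cred keeps its `ns_capable(tcred->user_ns, CAP_KILL)` fallback after the call, while kill_as_cred_perm, which visibly has no capability fallback, collapses to a one-line return. The sketch below keeps behaviour identical; the rest of kill_ok_by_cred and the `return 0`/`return 1` tail of kill_as_cred_perm are unchanged.
```c
/* True when @cred's real or effective uid matches @tcred's real or saved uid. */
static bool kill_same_user(const struct cred *cred, const struct cred *tcred)
{
	return uid_eq(cred->euid, tcred->suid) || uid_eq(cred->euid, tcred->uid) ||
	       uid_eq(cred->uid, tcred->suid) || uid_eq(cred->uid, tcred->uid);
}

/* … unchanged: kill_ok_by_cred preamble … */
	if (kill_same_user(cred, tcred))
		return 1;
/* … unchanged: ns_capable(tcred->user_ns, CAP_KILL) fallback … */

/* … unchanged: kill_as_cred_perm signature … */
	const struct cred *pcred = __task_cred(target);
	return kill_same_user(cred, pcred);
```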
......
...@@ -131,9 +131,8 @@ static bool set_one_prio_perm(struct task_struct *p) ...@@ -131,9 +131,8 @@ static bool set_one_prio_perm(struct task_struct *p)
{ {
const struct cred *cred = current_cred(), *pcred = __task_cred(p); const struct cred *cred = current_cred(), *pcred = __task_cred(p);
if (pcred->user_ns == cred->user_ns && if (uid_eq(pcred->uid, cred->euid) ||
(pcred->uid == cred->euid || uid_eq(pcred->euid, cred->euid))
pcred->euid == cred->euid))
return true; return true;
if (ns_capable(pcred->user_ns, CAP_SYS_NICE)) if (ns_capable(pcred->user_ns, CAP_SYS_NICE))
return true; return true;
...@@ -1582,13 +1581,12 @@ static int check_prlimit_permission(struct task_struct *task) ...@@ -1582,13 +1581,12 @@ static int check_prlimit_permission(struct task_struct *task)
return 0; return 0;
tcred = __task_cred(task); tcred = __task_cred(task);
if (cred->user_ns == tcred->user_ns && if (uid_eq(cred->uid, tcred->euid) &&
(cred->uid == tcred->euid && uid_eq(cred->uid, tcred->suid) &&
cred->uid == tcred->suid && uid_eq(cred->uid, tcred->uid) &&
cred->uid == tcred->uid && gid_eq(cred->gid, tcred->egid) &&
cred->gid == tcred->egid && gid_eq(cred->gid, tcred->sgid) &&
cred->gid == tcred->sgid && gid_eq(cred->gid, tcred->gid))
cred->gid == tcred->gid))
return 0; return 0;
if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE)) if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE))
return 0; return 0;
......