Commit 5af662030e5db1a5560fd917250d5d688a6be586
1 parent
a29c33f4e5
Exists in
master
and in
20 other branches
userns: Convert ptrace, kill, set_priority permission checks to work with kuids and kgids
Update the permission checks to use the new uid_eq and gid_eq helpers and remove the now unnecessary user_ns equality comparison. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Showing 3 changed files with 20 additions and 26 deletions Side-by-side Diff
kernel/ptrace.c
| ... | ... | @@ -198,13 +198,12 @@ |
| 198 | 198 | return 0; |
| 199 | 199 | rcu_read_lock(); |
| 200 | 200 | tcred = __task_cred(task); |
| 201 | - if (cred->user_ns == tcred->user_ns && | |
| 202 | - (cred->uid == tcred->euid && | |
| 203 | - cred->uid == tcred->suid && | |
| 204 | - cred->uid == tcred->uid && | |
| 205 | - cred->gid == tcred->egid && | |
| 206 | - cred->gid == tcred->sgid && | |
| 207 | - cred->gid == tcred->gid)) | |
| 201 | + if (uid_eq(cred->uid, tcred->euid) && | |
| 202 | + uid_eq(cred->uid, tcred->suid) && | |
| 203 | + uid_eq(cred->uid, tcred->uid) && | |
| 204 | + gid_eq(cred->gid, tcred->egid) && | |
| 205 | + gid_eq(cred->gid, tcred->sgid) && | |
| 206 | + gid_eq(cred->gid, tcred->gid)) | |
| 208 | 207 | goto ok; |
| 209 | 208 | if (ptrace_has_cap(tcred->user_ns, mode)) |
| 210 | 209 | goto ok; |
kernel/signal.c
| ... | ... | @@ -767,11 +767,10 @@ |
| 767 | 767 | const struct cred *cred = current_cred(); |
| 768 | 768 | const struct cred *tcred = __task_cred(t); |
| 769 | 769 | |
| 770 | - if (cred->user_ns == tcred->user_ns && | |
| 771 | - (cred->euid == tcred->suid || | |
| 772 | - cred->euid == tcred->uid || | |
| 773 | - cred->uid == tcred->suid || | |
| 774 | - cred->uid == tcred->uid)) | |
| 770 | + if (uid_eq(cred->euid, tcred->suid) || | |
| 771 | + uid_eq(cred->euid, tcred->uid) || | |
| 772 | + uid_eq(cred->uid, tcred->suid) || | |
| 773 | + uid_eq(cred->uid, tcred->uid)) | |
| 775 | 774 | return 1; |
| 776 | 775 | |
| 777 | 776 | if (ns_capable(tcred->user_ns, CAP_KILL)) |
| ... | ... | @@ -1389,10 +1388,8 @@ |
| 1389 | 1388 | struct task_struct *target) |
| 1390 | 1389 | { |
| 1391 | 1390 | const struct cred *pcred = __task_cred(target); |
| 1392 | - if (cred->user_ns != pcred->user_ns) | |
| 1393 | - return 0; | |
| 1394 | - if (cred->euid != pcred->suid && cred->euid != pcred->uid && | |
| 1395 | - cred->uid != pcred->suid && cred->uid != pcred->uid) | |
| 1391 | + if (!uid_eq(cred->euid, pcred->suid) && !uid_eq(cred->euid, pcred->uid) && | |
| 1392 | + !uid_eq(cred->uid, pcred->suid) && !uid_eq(cred->uid, pcred->uid)) | |
| 1396 | 1393 | return 0; |
| 1397 | 1394 | return 1; |
| 1398 | 1395 | } |
kernel/sys.c
| ... | ... | @@ -131,9 +131,8 @@ |
| 131 | 131 | { |
| 132 | 132 | const struct cred *cred = current_cred(), *pcred = __task_cred(p); |
| 133 | 133 | |
| 134 | - if (pcred->user_ns == cred->user_ns && | |
| 135 | - (pcred->uid == cred->euid || | |
| 136 | - pcred->euid == cred->euid)) | |
| 134 | + if (uid_eq(pcred->uid, cred->euid) || | |
| 135 | + uid_eq(pcred->euid, cred->euid)) | |
| 137 | 136 | return true; |
| 138 | 137 | if (ns_capable(pcred->user_ns, CAP_SYS_NICE)) |
| 139 | 138 | return true; |
| ... | ... | @@ -1582,13 +1581,12 @@ |
| 1582 | 1581 | return 0; |
| 1583 | 1582 | |
| 1584 | 1583 | tcred = __task_cred(task); |
| 1585 | - if (cred->user_ns == tcred->user_ns && | |
| 1586 | - (cred->uid == tcred->euid && | |
| 1587 | - cred->uid == tcred->suid && | |
| 1588 | - cred->uid == tcred->uid && | |
| 1589 | - cred->gid == tcred->egid && | |
| 1590 | - cred->gid == tcred->sgid && | |
| 1591 | - cred->gid == tcred->gid)) | |
| 1584 | + if (uid_eq(cred->uid, tcred->euid) && | |
| 1585 | + uid_eq(cred->uid, tcred->suid) && | |
| 1586 | + uid_eq(cred->uid, tcred->uid) && | |
| 1587 | + gid_eq(cred->gid, tcred->egid) && | |
| 1588 | + gid_eq(cred->gid, tcred->sgid) && | |
| 1589 | + gid_eq(cred->gid, tcred->gid)) | |
| 1592 | 1590 | return 0; |
| 1593 | 1591 | if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE)) |
| 1594 | 1592 | return 0; |