Commit 5af662030e5db1a5560fd917250d5d688a6be586
1 parent
a29c33f4e5
userns: Convert ptrace, kill, set_priority permission checks to work with kuids and kgids
Update the permission checks to use the new uid_eq and gid_eq helpers and remove the now unnecessary user_ns equality comparison. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Showing 3 changed files with 20 additions and 26 deletions Side-by-side Diff
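--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -198,13 +198,12 @@
 return 0;
 rcu_read_lock();
 tcred = __task_cred(task);
-if (cred->user_ns == tcred->user_ns &&
-(cred->uid == tcred->euid &&
-cred->uid == tcred->suid &&
-cred->uid == tcred->uid &&
-cred->gid == tcred->egid &&
-cred->gid == tcred->sgid &&
-cred->gid == tcred->gid))
+if (uid_eq(cred->uid, tcred->euid) &&
+uid_eq(cred->uid, tcred->suid) &&
+uid_eq(cred->uid, tcred->uid) &&
+gid_eq(cred->gid, tcred->egid) &&
+gid_eq(cred->gid, tcred->sgid) &&
+gid_eq(cred->gid, tcred->gid))
 goto ok;
 if (ptrace_has_cap(tcred->user_ns, mode))
 goto ok;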
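Review bot: The rewritten test at new lines 201–206 changes the cross-namespace semantics without saying so: once the `cred->user_ns == tcred->user_ns` guard is gone, a caller in any user namespace whose kuid/kgid happen to equal the target's six ids passes, which is only correct because kuid_t/kgid_t are namespace-global identifiers, and that reasoning is not recorded near the check. I would put `/* kuids/kgids are global; equal ids mean the same user regardless of user_ns */` above the `if`. Note also that the comparison is against the caller's real ids (`cred->uid`, `cred->gid`) rather than its effective ids, unlike the setpriority check in kernel/sys.c touched by this same commit, which compares `cred->euid`; that asymmetry is pre-existing but is easy to mistake for a bug, so it belongs in the same comment. The enclosing function starts and ends outside the hunk; the `ptrace_has_cap(tcred->user_ns, mode)` fallback on the next line is unchanged.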
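--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -767,11 +767,10 @@
 const struct cred *cred = current_cred();
 const struct cred *tcred = __task_cred(t);
 
-if (cred->user_ns == tcred->user_ns &&
-(cred->euid == tcred->suid ||
-cred->euid == tcred->uid ||
-cred->uid == tcred->suid ||
-cred->uid == tcred->uid))
+if (uid_eq(cred->euid, tcred->suid) ||
+uid_eq(cred->euid, tcred->uid) ||
+uid_eq(cred->uid, tcred->suid) ||
+uid_eq(cred->uid, tcred->uid))
 return 1;
 
 if (ns_capable(tcred->user_ns, CAP_KILL))
@@ -1389,10 +1388,8 @@
 struct task_struct *target)
 {
 const struct cred *pcred = __task_cred(target);
-if (cred->user_ns != pcred->user_ns)
-return 0;
-if (cred->euid != pcred->suid && cred->euid != pcred->uid &&
-cred->uid != pcred->suid && cred->uid != pcred->uid)
+if (!uid_eq(cred->euid, pcred->suid) && !uid_eq(cred->euid, pcred->uid) &&
+!uid_eq(cred->uid, pcred->suid) && !uid_eq(cred->uid, pcred->uid))
 return 0;
 return 1;
 }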
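Review bot: The four-way negated conjunction at new lines 1391–1392 followed by `return 0;` / `return 1;` is the De Morgan inverse of the same test written positively at new lines 770–773 in the first hunk, and reads much worse; the whole tail can be the single statement `return uid_eq(cred->euid, pcred->suid) || uid_eq(cred->euid, pcred->uid) || uid_eq(cred->uid, pcred->suid) || uid_eq(cred->uid, pcred->uid);`, and the two hunks could then share one helper taking (cred, tcred) so the kill-permission rule lives in exactly one place. In this second hunk `cred` is not declared in the visible lines and appears to be a caller-supplied parameter rather than current_cred(), so with the `cred->user_ns != pcred->user_ns` early return removed a comment such as `/* cred may come from another user_ns; kuids are global, so plain equality is the right test */` would record why no namespace comparison remains. The function's signature begins outside the hunk.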
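--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -131,9 +131,8 @@
 {
 const struct cred *cred = current_cred(), *pcred = __task_cred(p);
 
-if (pcred->user_ns == cred->user_ns &&
-(pcred->uid == cred->euid ||
-pcred->euid == cred->euid))
+if (uid_eq(pcred->uid, cred->euid) ||
+uid_eq(pcred->euid, cred->euid))
 return true;
 if (ns_capable(pcred->user_ns, CAP_SYS_NICE))
 return true;
@@ -1582,13 +1581,12 @@
 return 0;
 
 tcred = __task_cred(task);
-if (cred->user_ns == tcred->user_ns &&
-(cred->uid == tcred->euid &&
-cred->uid == tcred->suid &&
-cred->uid == tcred->uid &&
-cred->gid == tcred->egid &&
-cred->gid == tcred->sgid &&
-cred->gid == tcred->gid))
+if (uid_eq(cred->uid, tcred->euid) &&
+uid_eq(cred->uid, tcred->suid) &&
+uid_eq(cred->uid, tcred->uid) &&
+gid_eq(cred->gid, tcred->egid) &&
+gid_eq(cred->gid, tcred->sgid) &&
+gid_eq(cred->gid, tcred->gid))
 return 0;
 if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE))
 return 0;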
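Review bot: The six-way identity test at new lines 1584–1589 is now a verbatim copy of the one this commit writes in kernel/ptrace.c (new lines 201–206 there), and a six-term conjunction of uid/gid comparisons is exactly the kind of check that drifts when one copy is later tightened and the other is not; a shared helper such as `static inline bool cred_matches_task_cred(const struct cred *cred, const struct cred *tcred)` returning that conjunction would keep the two in step. With the `cred->user_ns == tcred->user_ns` comparison dropped, a one-line comment stating that kuid/kgid equality is namespace-global would also spare the next reader from hunting for the missing guard. Note too that this check, like ptrace's, compares the caller's real `cred->uid`/`cred->gid`, whereas the setpriority check in the first hunk of this file compares `cred->euid`; presumably deliberate, but nothing in the hunk says so. The enclosing function starts outside the hunk.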