[PATCH 3/5] pid: use namespaced iteration on processes while setting capability

Eric W. Biederman ebiederm at xmission.com
Thu Dec 18 09:35:18 PST 2008


Gowrishankar M <gowrishankar.m at linux.vnet.ibm.com> writes:

> From: Gowrishankar M <gomuthuk at linux.vnet.ibm.com>
>
> In a piece of dead code, cap_set_all() propagates through processes outside the
> PID namespace, as iteration is always in the init PID namespace.
>
> The patch below adjusts the macro controller to use do_each_thread_in_ns() so that
> only processes in the current namespace are scanned.

Yes.  This case in capability.c needs to be fixed.

Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>


> Signed-off-by: Gowrishankar M <gowrishankar.m at linux.vnet.ibm.com>
> ---
>  kernel/capability.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 33e51e7..e3e3765 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -201,7 +201,7 @@ static inline int cap_set_all(kernel_cap_t *effective,
>  	spin_lock(&task_capability_lock);
>  	read_lock(&tasklist_lock);
>  
> -	do_each_thread(g, target) {
> +	do_each_thread_in_ns(g, target, current->nsproxy->pid_ns) {
>  		if (target == current
>  		    || is_container_init(target->group_leader))
>  			continue;
> -- 
> 1.5.5.1
