[PATCH 05/14] userns: clamp down users of cap_raised
Vasiliy Kulikov
segooon at gmail.com
Thu Jul 28 16:23:37 PDT 2011
On Tue, Jul 26, 2011 at 18:58 +0000, Serge Hallyn wrote:
> From: Serge E. Hallyn <serge.hallyn at canonical.com>
>
> A few modules are using cap_raised(current_cap(), cap) to authorize
> actions, but the privilege should be applicable against the initial
> user namespace. Refuse privilege if the caller is not in init_user_ns.
>
> Signed-off-by: Serge E. Hallyn <serge.hallyn at canonical.com>
> Cc: Eric W. Biederman <ebiederm at xmission.com>
> ---
> drivers/block/drbd/drbd_nl.c | 5 +++++
> drivers/md/dm-log-userspace-transfer.c | 3 +++
> drivers/staging/pohmelfs/config.c | 3 +++
> drivers/video/uvesafb.c | 3 +++
> 4 files changed, 14 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
> index 515bcd9..7717f8a 100644
> --- a/drivers/block/drbd/drbd_nl.c
> +++ b/drivers/block/drbd/drbd_nl.c
> @@ -2297,6 +2297,11 @@ static void drbd_connector_callback(struct cn_msg *req, struct netlink_skb_parms
> return;
> }
>
> + if (current_user_ns() != &init_user_ns) {
[...]
> if (!cap_raised(current_cap(), CAP_SYS_ADMIN)) {
[...]
Looks like it is an often pattern. Maybe move both checks to a
function?
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
More information about the Containers
mailing list