Re: [PATCH 4/7] allow killing tasks in your own or child userns
From: Serge Hallyn
Date: Mon Jan 10 2011 - 17:52:15 EST
Quoting Bastian Blank (bastian@xxxxxxxxxxxx):
> On Mon, Jan 10, 2011 at 09:13:34PM +0000, Serge E. Hallyn wrote:
> > + const struct cred *cred = current_cred();
> > + const struct cred *tcred = __task_cred(t);
> > +
> > + if (cred->user->user_ns != tcred->user->user_ns) {
> > + /* userids are not equivalent - either you have the
> > + capability to the target user ns or you don't */
> > + if (ns_capable(tcred->user->user_ns, CAP_KILL))
> > + return 1;
> > + return 0;
> > + }
> > +
> > + /* same user namespace - usual credentials checks apply */
> > + if ((cred->euid ^ tcred->suid) &&
> > + (cred->euid ^ tcred->uid) &&
> > + (cred->uid ^ tcred->suid) &&
> > + (cred->uid ^ tcred->uid) &&
> > + !ns_capable(tcred->user->user_ns, CAP_KILL))
> > + return 0;
> > +
> > + return 1;
>
> Isn't that equal to this?
>
> if (ns_capable(tcred->user->user_ns, CAP_KILL))
> return 1;
>
> if (cred->user->user_ns == tcred->user->user_ns &&
> (cred->euid == tcred->suid ||
> cred->euid == tcred->uid ||
> cred->uid == tcred->suid ||
> cred->uid == tcred->uid))
> return 1;
>
> return 0;
>
> I would consider this much easier to read.
Unfortunately, it's actually not equivalent. when capable()
returns success, then it sets the current->flags |= PF_SUPERPRIV.
If permission is granted based on userids and the capability
isn't needed, then we don't want to needlessly set PF_SUPERPRIV.
That's why I'm going to such lengths to call capable() as a last
resort.
I'm definately open to any ideas that'll get the code cleaner.
thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/