agp: remove uid comparison as security check

In the face of containers and user namespaces, a uid==0 check for security is not safe. Switch to a capability check. I'm not sure I picked the right capability, but this being AGP CAP_SYS_RAWIO seemed to make sense. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
author: serue@us.ibm.com <serue@us.ibm.com> 2007-12-05 16:55:36 -0500
committer: Dave Airlie <airlied@redhat.com> 2008-02-04 23:33:32 -0500
commit: 62f29babbc60ab572d3cecda981931d3a66123d6 (patch)
tree: 54d041eaaf9fe1db8bb16a0206c53e53d2b7d44b /drivers/char/agp/frontend.c
parent: 1fa4db7d308da04f6644c5cb8eed244c200d4ed5 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
index 9bd5a958954c..55d7a82bd071 100644
--- a/drivers/char/agp/frontend.c
+++ b/drivers/char/agp/frontend.c
@@ -689,7 +689,7 @@ static int agp_open(struct inode *inode, struct file *file)
        set_bit(AGP_FF_ALLOW_CLIENT, &priv->access_flags);
        priv->my_pid = current->pid;
-        if ((current->uid == 0) || (current->suid == 0)) {
+        if (capable(CAP_SYS_RAWIO)) {
                /* Root priv, can be controller */
                set_bit(AGP_FF_ALLOW_CONTROLLER, &priv->access_flags);
        }
author	serue@us.ibm.com <serue@us.ibm.com>	2007-12-05 16:55:36 -0500
committer	Dave Airlie <airlied@redhat.com>	2008-02-04 23:33:32 -0500
commit	62f29babbc60ab572d3cecda981931d3a66123d6 (patch)
tree	54d041eaaf9fe1db8bb16a0206c53e53d2b7d44b /drivers/char/agp/frontend.c
parent	1fa4db7d308da04f6644c5cb8eed244c200d4ed5 (diff)

diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c index 9bd5a958954c..55d7a82bd071 100644 --- a/drivers/char/agp/frontend.c +++ b/drivers/char/agp/frontend.c
@@ -689,7 +689,7 @@ static int agp_open(struct inode inode, struct file file)
689	set_bit(AGP_FF_ALLOW_CLIENT, &priv->access_flags);	689	set_bit(AGP_FF_ALLOW_CLIENT, &priv->access_flags);
690	priv->my_pid = current->pid;	690	priv->my_pid = current->pid;
691		691
692	if ((current->uid == 0) \|\| (current->suid == 0)) {	692	if (capable(CAP_SYS_RAWIO)) {
693	/* Root priv, can be controller */	693	/* Root priv, can be controller */
694	set_bit(AGP_FF_ALLOW_CONTROLLER, &priv->access_flags);	694	set_bit(AGP_FF_ALLOW_CONTROLLER, &priv->access_flags);
695	}	695	}