diff options
| author | Serge E. Hallyn <serge@hallyn.com> | 2011-03-23 19:43:24 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-23 22:47:08 -0400 |
| commit | b0e77598f87107001a00b8a4ece9c95e4254ccc4 (patch) | |
| tree | 2738276570e4faa7c92a64521c192f04dca93801 /include/linux/ipc_namespace.h | |
| parent | b515498f5bb5f38fc0e390b4ff7d00b6077de127 (diff) | |
userns: user namespaces: convert several capable() calls
CAP_IPC_OWNER and CAP_IPC_LOCK can be checked against current_user_ns(),
because the resource comes from current's own ipc namespace.
setuid/setgid are to uids in own namespace, so again checks can be against
current_user_ns().
Changelog:
Jan 11: Use task_ns_capable() in place of sched_capable().
Jan 11: Use nsown_capable() as suggested by Bastian Blank.
Jan 11: Clarify (hopefully) some logic in futex and sched.c
Feb 15: use ns_capable for ipc, not nsown_capable
Feb 23: let copy_ipcs handle setting ipc_ns->user_ns
Feb 23: pass ns down rather than taking it from current
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: David Howells <dhowells@redhat.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include/linux/ipc_namespace.h')
| -rw-r--r-- | include/linux/ipc_namespace.h | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h index d3c32dcec623..a6d1655f9607 100644 --- a/include/linux/ipc_namespace.h +++ b/include/linux/ipc_namespace.h | |||
| @@ -5,6 +5,7 @@ | |||
| 5 | #include <linux/idr.h> | 5 | #include <linux/idr.h> |
| 6 | #include <linux/rwsem.h> | 6 | #include <linux/rwsem.h> |
| 7 | #include <linux/notifier.h> | 7 | #include <linux/notifier.h> |
| 8 | #include <linux/nsproxy.h> | ||
| 8 | 9 | ||
| 9 | /* | 10 | /* |
| 10 | * ipc namespace events | 11 | * ipc namespace events |
| @@ -93,7 +94,7 @@ static inline int mq_init_ns(struct ipc_namespace *ns) { return 0; } | |||
| 93 | 94 | ||
| 94 | #if defined(CONFIG_IPC_NS) | 95 | #if defined(CONFIG_IPC_NS) |
| 95 | extern struct ipc_namespace *copy_ipcs(unsigned long flags, | 96 | extern struct ipc_namespace *copy_ipcs(unsigned long flags, |
| 96 | struct ipc_namespace *ns); | 97 | struct task_struct *tsk); |
| 97 | static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) | 98 | static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) |
| 98 | { | 99 | { |
| 99 | if (ns) | 100 | if (ns) |
| @@ -104,12 +105,12 @@ static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) | |||
| 104 | extern void put_ipc_ns(struct ipc_namespace *ns); | 105 | extern void put_ipc_ns(struct ipc_namespace *ns); |
| 105 | #else | 106 | #else |
| 106 | static inline struct ipc_namespace *copy_ipcs(unsigned long flags, | 107 | static inline struct ipc_namespace *copy_ipcs(unsigned long flags, |
| 107 | struct ipc_namespace *ns) | 108 | struct task_struct *tsk) |
| 108 | { | 109 | { |
| 109 | if (flags & CLONE_NEWIPC) | 110 | if (flags & CLONE_NEWIPC) |
| 110 | return ERR_PTR(-EINVAL); | 111 | return ERR_PTR(-EINVAL); |
| 111 | 112 | ||
| 112 | return ns; | 113 | return tsk->nsproxy->ipc_ns; |
| 113 | } | 114 | } |
| 114 | 115 | ||
| 115 | static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) | 116 | static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) |