[lxc-devel] [PATCH RFC] Introduce new security.nscapability xattr
Jann Horn
jann at thejh.net
Wed Jan 20 12:14:52 UTC 2016
On Mon, Nov 30, 2015 at 04:43:56PM -0600, Serge E. Hallyn wrote:
> +int get_vfs_ns_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
> +{
[...]
> + /* find an applicable entry */
> + /* a global entry (uid == -1) takes precedence */
> + current_root = make_kuid(current_user_ns(), 0);
> + if (!uid_valid(current_root)) {
> + /* no root user in this namespace; no capabilities */
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + for (i = 0, cap = (void *) hdr + sizeof(*hdr); i < ncaps; cap += sizeof(*cap), i++) {
> + uid_t uid = le32_to_cpu(cap->rootid);
> + if (uid == -1) {
> + nscap = cap;
> + break;
> + }
> +
> + caprootuid = make_kuid(&init_user_ns, uid);
> + if (uid_eq(caprootuid, current_root))
> + nscap = cap;
> + }
Wouldn't it be more consistent to check against the root uids of all parent
namespaces until one matches?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20160120/98ba0031/attachment.sig>
More information about the lxc-devel
mailing list