| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Jan 2016 13:14:52 +0100
From: Jann Horn <jann@...jh.net>
To: "Serge E. Hallyn" <serge.hallyn@...ntu.com>
Cc: lkml <linux-kernel@...r.kernel.org>,
Andrew Morgan <morgan@...nel.org>,
Andy Lutomirski <luto@...capital.net>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
lxc-devel@...ts.linuxcontainers.org,
Richard Weinberger <richard@....at>,
LSM <linux-security-module@...r.kernel.org>,
linux-api@...r.kernel.org, keescook@...omium.org
Subject: Re: [PATCH RFC] Introduce new security.nscapability xattr
On Mon, Nov 30, 2015 at 04:43:56PM -0600, Serge E. Hallyn wrote:
> +int get_vfs_ns_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
> +{
[...]
> + /* find an applicable entry */
> + /* a global entry (uid == -1) takes precedence */
> + current_root = make_kuid(current_user_ns(), 0);
> + if (!uid_valid(current_root)) {
> + /* no root user in this namespace; no capabilities */
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + for (i = 0, cap = (void *) hdr + sizeof(*hdr); i < ncaps; cap += sizeof(*cap), i++) {
> + uid_t uid = le32_to_cpu(cap->rootid);
> + if (uid == -1) {
> + nscap = cap;
> + break;
> + }
> +
> + caprootuid = make_kuid(&init_user_ns, uid);
> + if (uid_eq(caprootuid, current_root))
> + nscap = cap;
> + }
Wouldn't it be more consistent to check against the root uids of all parent
namespaces until one matches?
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists