| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cd485888-1e49-199a-a51b-537dbb1fe0f3@fb.com>
Date: Wed, 22 Mar 2017 12:25:30 -0700
From: Alexei Starovoitov <ast@...com>
To: Lorenzo Colitti <lorenzo@...gle.com>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>
CC: Chenbo Feng <chenbofeng.kernel@...il.com>,
Network Development <netdev@...r.kernel.org>,
David Miller <davem@...emloft.net>,
Daniel Borkmann <daniel@...earbox.net>,
Willem de Bruijn <willemb@...gle.com>,
Chenbo Feng <fengc@...gle.com>
Subject: Re: [PATCH net-next v7 2/3] Add a eBPF helper function to retrieve
socket uid
On 3/22/17 5:06 AM, Lorenzo Colitti wrote:
> On Wed, Mar 22, 2017 at 8:09 PM, Willem de Bruijn
> <willemdebruijn.kernel@...il.com> wrote:
>>> + if (!sk || !sk_fullsock(sk))
>>> + return overflowuid;
>>> + kuid = sock_net_uid(sock_net(sk), sk);
>>> + return from_kuid_munged(&init_user_ns, kuid);
>>
>> Ideally, this would be the user namespace relative to the BPF program.
>
> What about sock_net(sk)->user_ns? We've already matched a socket, and
> it's guaranteed to be a full socket and non-NULL (otherwise we've
> already returned overflowuid), so it seems like the most correct
> namespace to use is the one of the socket we've matched. Given that sk
> is non-NULL, sock_net_uid just returns sk->sk_uid, so I think you can
> just write this as:
>
> if (!sk || !sk_fullsock(sk))
> return overflowuid;
> return from_kuid_munged(sock_net(sk)->user_ns, sk->uid);
>
makes sense to me.
Powered by blists - more mailing lists