Re: [PATCH] cgroup-v1: Correct privileges check in release_agent writes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Feb 17, 2022 at 05:11:28PM +0100, Michal Koutný wrote:
> The idea is to check: a) the owning user_ns of cgroup_ns, b)
> capabilities in init_user_ns.
> 
> The commit 24f600856418 ("cgroup-v1: Require capabilities to set
> release_agent") got this wrong in the write handler of release_agent
> since it checked user_ns of the opener (may be different from the owning
> user_ns of cgroup_ns).
> Secondly, to avoid possibly confused deputy, the capability of the
> opener must be checked.
> 
> Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent")
> Cc: stable@xxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/stable/20220216121142.GB30035@xxxxxxxxxxxxxxxxx/
> Signed-off-by: Michal Koutný <mkoutny@xxxxxxxx>

Applied to cgroup/for-5.17-fixes.

Thanks.

-- 
tejun



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]     [Monitors]

  Powered by Linux