On Tue, May 12, 2009 at 10:07:13AM -0500, Serge E. Hallyn wrote:
> do you object to this patch? The idea is to not give away any
> privilege not otherwise needed.
> --- a/checkpoint/sys.c
> +++ b/checkpoint/sys.c
> @@ -281,7 +281,7 @@ asmlinkage long sys_checkpoint(pid_t pid, int fd, unsigned long flags)
> if (flags & ~CKPT_USER_FLAGS)
> return -EINVAL;
>
> - if (!ckpt_unpriv_allowed && !capable(CAP_SYS_ADMIN))
> + if (!ckpt_unpriv_allowed && !capable(CAP_CHECKPOINT_RESTART))
> return -EPERM;
>
> if (pid == 0)
> @@ -318,7 +318,7 @@ asmlinkage long sys_restart(int crid, int fd, unsigned long flags)
> if (flags)
> return -EINVAL;
>
> - if (!ckpt_unpriv_allowed && !capable(CAP_SYS_ADMIN))
> + if (!ckpt_unpriv_allowed && !capable(CAP_CHECKPOINT_RESTART))
> return -EPERM;
>
> /* FIXME: for now, we use 'crid' as a pid */
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index 572b5a0..a593391 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -357,7 +357,9 @@ struct cpu_vfs_cap_data {
>
> #define CAP_MAC_ADMIN 33
>
> -#define CAP_LAST_CAP CAP_MAC_ADMIN
> +#define CAP_CHECKPOINT_RESTART 34

I don't know if this is really needed. If you allow restart(2) for everyone, you can, during struct cred restoration, check if, say, the capabilities coming from the image are more strict than the capabilities of the restorer, that the aux groups are a subset of the aux groups of the restorer, and so on.

You still need these checks, otherwise CAP_CHECKPOINT_RESTART is much more powerful than it suggests.

I'm going to try and see how hard it will be.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
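Review bot: in the sys_checkpoint hunk the only gate is the process-wide capability test, so a caller holding CAP_CHECKPOINT_RESTART (or any caller when ckpt_unpriv_allowed is set) can checkpoint an arbitrary `pid`; the quoted lines show no check that the caller is permitted to inspect that particular task, of the kind ptrace attachment requires. A checkpoint image carries the target's memory and file state, so either pair `capable(CAP_CHECKPOINT_RESTART)` with a per-target access check on `pid`, or say in the patch description why the capability alone is meant to be sufficient.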
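Review bot: in the sys_restart hunk, replacing CAP_SYS_ADMIN with CAP_CHECKPOINT_RESTART does not narrow what the call can do: restart rebuilds credentials from an image the caller supplies through `fd`, so unless the restored creds are clamped to the restorer's, the new capability is equivalent to raising any capability or changing uid/gid. The patch should either document that CAP_CHECKPOINT_RESTART is that powerful or ship together with the cred-restoration checks (image capability sets and supplementary groups a subset of the restorer's). Note also that with ckpt_unpriv_allowed set the `-EPERM` branch is skipped entirely, so those checks cannot depend on the capability being present.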
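Review bot: the capability.h hunk removes `-#define CAP_LAST_CAP CAP_MAC_ADMIN`, yet the only addition visible in the quote is `+#define CAP_CHECKPOINT_RESTART 34`, while the header `@@ -357,7 +357,9 @@` says two lines were added; please confirm the patch also carries `#define CAP_LAST_CAP CAP_CHECKPOINT_RESTART`, since any code that bounds capability numbers by CAP_LAST_CAP would otherwise not recognise the new bit. The new define also has no comment stating which operations it authorizes, and 34 becomes a user-visible ABI number, so both belong in the header and in the patch description.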
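The check sketched in the reply above (restored capabilities "more strict" than the restorer's, supplementary groups a subset of the restorer's) written out as an added example. This is not kernel code and not part of the checkpoint/restart patch set: the flat `struct restart_cred`, the `validate_restored_cred` function, the verdict enum and the sample credentials are all assumptions made for illustration, and capability sets are modelled as one 64-bit mask per set. It also applies the setuid/setgid rule the reply only hints at: uid/gid and group changes are allowed only when the restorer already holds CAP_SETUID/CAP_SETGID.

```c
/*
 * Added example (not kernel code): validate credentials read from a
 * checkpoint image against the credentials of the process calling
 * restart(2). All names and the flat cred layout are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SETGID            6   /* real Linux capability numbers */
#define CAP_SETUID            7
#define CAP_NET_BIND_SERVICE  10
#define CAP_SYS_ADMIN         21
#define CAP_BIT(n) ((uint64_t)1 << (n))
#define MAX_GROUPS 16

/* Assumed flat model of what an image carries for a task's creds. */
struct restart_cred {
	uint32_t uid, euid, gid, egid;
	uint64_t cap_bset, cap_permitted, cap_effective, cap_inheritable;
	size_t   ngroups;
	uint32_t groups[MAX_GROUPS];   /* sorted ascending, no duplicates */
};

enum cred_verdict {
	CRED_OK = 0,
	CRED_INCONSISTENT,  /* effective > permitted or permitted > bset in the image */
	CRED_BAD_UID,       /* uid/euid differ and restorer lacks CAP_SETUID */
	CRED_BAD_GID,       /* gid/egid differ and restorer lacks CAP_SETGID */
	CRED_BAD_CAPS,      /* some image cap set is not a subset of the restorer's */
	CRED_BAD_GROUPS,    /* group list malformed or not a subset without CAP_SETGID */
};

static bool is_subset(uint64_t want, uint64_t have)
{
	return (want & ~have) == 0;
}

static bool groups_well_formed(const struct restart_cred *c)
{
	if (c->ngroups > MAX_GROUPS)
		return false;
	for (size_t i = 1; i < c->ngroups; i++)
		if (c->groups[i - 1] >= c->groups[i])   /* rejects unsorted and duplicates */
			return false;
	return true;
}

/* Merge walk over two sorted, duplicate-free gid lists. */
static bool groups_subset(const struct restart_cred *img, const struct restart_cred *res)
{
	size_t j = 0;
	for (size_t i = 0; i < img->ngroups; i++) {
		while (j < res->ngroups && res->groups[j] < img->groups[i])
			j++;
		if (j == res->ngroups || res->groups[j] != img->groups[i])
			return false;
		j++;
	}
	return true;
}

enum cred_verdict validate_restored_cred(const struct restart_cred *img,
					 const struct restart_cred *res)
{
	bool can_setuid = (res->cap_effective & CAP_BIT(CAP_SETUID)) != 0;
	bool can_setgid = (res->cap_effective & CAP_BIT(CAP_SETGID)) != 0;

	/* The image must be self-consistent before it is compared to anything. */
	if (!is_subset(img->cap_effective, img->cap_permitted) ||
	    !is_subset(img->cap_permitted, img->cap_bset))
		return CRED_INCONSISTENT;
	if (!can_setuid && (img->uid != res->uid || img->euid != res->euid))
		return CRED_BAD_UID;
	if (!can_setgid && (img->gid != res->gid || img->egid != res->egid))
		return CRED_BAD_GID;
	/* Every image set must be a subset of the restorer's matching set. */
	if (!is_subset(img->cap_bset, res->cap_bset) ||
	    !is_subset(img->cap_permitted, res->cap_permitted) ||
	    !is_subset(img->cap_effective, res->cap_effective) ||
	    !is_subset(img->cap_inheritable, res->cap_inheritable))
		return CRED_BAD_CAPS;
	if (!groups_well_formed(img) || (!can_setgid && !groups_subset(img, res)))
		return CRED_BAD_GROUPS;
	return CRED_OK;
}

/* Constructed sample restorer: unprivileged uid 1000 with one file capability. */
struct restart_cred make_restorer(void)
{
	struct restart_cred r = { .uid = 1000, .euid = 1000, .gid = 1000, .egid = 1000 };
	r.cap_bset = CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_SYS_ADMIN);
	r.cap_permitted = r.cap_effective = CAP_BIT(CAP_NET_BIND_SERVICE);
	r.ngroups = 2; r.groups[0] = 100; r.groups[1] = 1000;
	return r;
}

int main(void)
{
	struct restart_cred res = make_restorer(), img = res;
	img.cap_permitted |= CAP_BIT(CAP_SYS_ADMIN);   /* image tries to gain CAP_SYS_ADMIN */
	img.cap_effective |= CAP_BIT(CAP_SYS_ADMIN);
	printf("verdict=%d (expect %d)\n", validate_restored_cred(&img, &res), CRED_BAD_CAPS);
	return 0;
}
```

The ordering matters: internal consistency of the image is checked before any comparison, so a crafted image cannot combine an effective bit it never had permitted with a legitimate permitted set; the identity checks come before the capability comparison so that a uid change is reported as such rather than masked by a later verdict.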