ckpt_unpriv_allowed now can be 0 meaning privilege required for both checkpoint and restart, 1 meaning privilege required only for restart, or 2 meaning both can be done unprivileged. Make 1 the default.
Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
---
checkpoint/sys.c | 14 ++++++++------
kernel/sysctl.c | 2 +-
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/checkpoint/sys.c b/checkpoint/sys.c
index d34ff98..b605784 100644
--- a/checkpoint/sys.c
+++ b/checkpoint/sys.c
@@ -24,12 +24,14 @@
 #include <linux/deferqueue.h>
 /*
- * ckpt_unpriv_allowed - sysctl controlled, do not allow checkpoints or
- * restarts unless caller has CAP_SYS_ADMIN, if 0 (prevent unprivileged
- * useres from expoitling any privilege escalation bugs). If it is 1,
- * then regular permissions checks are intended to do the job.
+ * ckpt_unpriv_allowed - sysctl controlled.
+ * If 0, then caller of sys_checkpoint() or sys_restart() must have
+ * CAP_SYS_ADMIN
+ * If 1, then only sys_restart() requires CAP_SYS_ADMIN.
+ * If 2, then both can be called without privilege - regular permissions
+ * checks are intended to do the job.
 */
-int ckpt_unpriv_allowed = 1; /* default: allow */
+int ckpt_unpriv_allowed = 1; /* default: unpriv checkpoint not restart */
 /*
 * Helpers to write(read) from(to) kernel space to(from) the checkpoint
@@ -681,7 +683,7 @@ long do_sys_restart(pid_t pid, int fd, unsigned long flags, int logfd)
 if (flags & ~RESTART_USER_FLAGS)
 return -EINVAL;
- if (!ckpt_unpriv_allowed && !capable(CAP_SYS_ADMIN))
+ if (ckpt_unpriv_allowed < 2 && !capable(CAP_SYS_ADMIN))
 return -EPERM;
 if (pid)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index e476ba0..8443bb0 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
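Review bot: The rewritten comment above `ckpt_unpriv_allowed` drops the only statement of why privilege is demanded at all; the removed text's rationale (keeping unprivileged users away from possible privilege-escalation bugs) is what tells an administrator what raising the value to 2 exposes. I would keep one line for it, for example `* Restart consumes a caller-supplied image, so it stays privileged unless set to 2.` — presumably that is why restart is treated as the riskier call; confirm before adding. The initializer is still `1`, but its meaning changes from "both allowed" to "checkpoint only", so a system that sets the sysctl to 1 explicitly loses unprivileged restart after this patch. That behaviour change is in the safe direction but deserves a sentence in the commit message.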
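Review bot: The privilege gate in do_sys_restart() now compares against a bare `2`, and nothing at the check says that 2 is the only value that opens restart to unprivileged callers. A short comment such as `/* restart is unprivileged only when ckpt_unpriv_allowed == 2 */` above the `if` would keep the policy readable at the point where it is enforced. The `< 2` form does fail closed for 0, 1 and any negative value, which is the safe direction. The corresponding test in the checkpoint path is not part of this patch, so the comment's statement about sys_checkpoint() rests on code outside the hunk. do_sys_restart's body also continues past the hunk.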
@@ -948,7 +948,7 @@ static struct ctl_table kern_table[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec_minmax,
 .extra1 = &zero,
- .extra2 = &one,
+ .extra2 = &two,
 },
 #endif
-- 
1.6.1
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
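Review bot: `.extra2 = &two` depends on a `two` variable that this patch does not add (the diffstat shows a single inserted line in kernel/sysctl.c), so it has to exist already and be visible inside this `#ifdef` block. Confirm that it is not guarded by a config option that can be off while checkpoint support is on. The table entry starts above the hunk, so its name and `.data` are not visible here. Since this bound is what limits the values an administrator can write, a comment next to the entry such as `/* 0: privileged, 1: unpriv checkpoint, 2: unpriv checkpoint and restart */` would document the accepted range where it is enforced.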