Ack. And since there was no objection, I'll pull into a new development branch, ckpt-v19-dev. Oren Serge E. Hallyn wrote:
> ckpt_unpriv_allowed now can be 0 meaning privilege required
> for both checkpoint and restart, 1 meaning privilege required
> only for restart, or 2 meaning both can be done unprivileged.
> Make 1 the default.
>
> Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
> ---
> checkpoint/sys.c | 14 ++++++++------
> kernel/sysctl.c | 2 +-
> 2 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/checkpoint/sys.c b/checkpoint/sys.c
> index d34ff98..b605784 100644
> --- a/checkpoint/sys.c
> +++ b/checkpoint/sys.c
> @@ -24,12 +24,14 @@
> #include <linux/deferqueue.h>
>
> /*
> - * ckpt_unpriv_allowed - sysctl controlled, do not allow checkpoints or
> - * restarts unless caller has CAP_SYS_ADMIN, if 0 (prevent unprivileged
> - * useres from expoitling any privilege escalation bugs). If it is 1,
> - * then regular permissions checks are intended to do the job.
> + * ckpt_unpriv_allowed - sysctl controlled.
> + * If 0, then caller of sys_checkpoint() or sys_restart() must have
> + * CAP_SYS_ADMIN
> + * If 1, then only sys_restart() requires CAP_SYS_ADMIN.
> + * If 2, then both can be called without privilege - regular permissions
> + * checks are intended to do the job.
> */
> -int ckpt_unpriv_allowed = 1; /* default: allow */
> +int ckpt_unpriv_allowed = 1; /* default: unpriv checkpoint not restart */
>
> /*
> * Helpers to write(read) from(to) kernel space to(from) the checkpoint
> @@ -681,7 +683,7 @@ long do_sys_restart(pid_t pid, int fd, unsigned long flags, int logfd)
> if (flags & ~RESTART_USER_FLAGS)
> return -EINVAL;
>
> - if (!ckpt_unpriv_allowed && !capable(CAP_SYS_ADMIN))
> + if (ckpt_unpriv_allowed < 2 && !capable(CAP_SYS_ADMIN))
> return -EPERM;
>
> if (pid)
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index e476ba0..8443bb0 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
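Review bot: The three privilege levels are bare integers both here and in the `ckpt_unpriv_allowed < 2` test in do_sys_restart() (second hunk), so anyone reading the check has to come back to this comment to learn what 2 means. Named constants next to the variable would make both sites self-describing, for example `enum { CKPT_UNPRIV_NONE, CKPT_UNPRIV_CHECKPOINT, CKPT_UNPRIV_ALL };` (names are only a suggestion), with the default written as `int ckpt_unpriv_allowed = CKPT_UNPRIV_CHECKPOINT;`. The new comment is also missing a full stop after the first `CAP_SYS_ADMIN`, which makes the 0 and 1 cases run together.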
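Review bot: Value 1 changes meaning at the check in do_sys_restart(): before the patch it let unprivileged callers through, and with `ckpt_unpriv_allowed < 2` it no longer does, so a host that set the sysctl to 1 explicitly now gets -EPERM on restart with nothing in the documentation to explain it. The change fails closed, which is the safe direction, but it deserves a line in the commit message or the sysctl documentation. The check also has no comment saying why restart is held to a stricter level than checkpoint; something like `/* restart builds kernel state from a caller-supplied image; keep it privileged unless explicitly opened up */` would record the intent, assuming that is the reasoning. The checkpoint-side test is not part of this patch and do_sys_restart() continues outside the hunk, so the 0 case for sys_checkpoint() rests on code not shown here.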
> @@ -948,7 +948,7 @@ static struct ctl_table kern_table[] = {
> .mode = 0644,
> .proc_handler = proc_dointvec_minmax,
> .extra1 = &zero,
> - .extra2 = &one,
> + .extra2 = &two,
> },
> #endif
> _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
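Review bot: Raising the upper bound to `&two` means a write to this sysctl can now switch off the CAP_SYS_ADMIN requirement for restart, yet the entry is guarded only by `.mode = 0644` and the stock `proc_dointvec_minmax` handler. If sysctl writes in this tree are authorised by file permissions alone (worth confirming), a uid-0 task that has had CAP_SYS_ADMIN removed could still raise the level; a small wrapper handler that returns -EPERM on write unless `capable(CAP_SYS_ADMIN)` holds would keep the knob consistent with what it protects. `two` is not declared in the hunk, so check that kernel/sysctl.c defines it and that the definition is not under a different config guard than this entry. The table entry starts above the hunk, so its `.procname` and `.data` lines are not visible here.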