Hey Eric, I ported a subset of your nsfd-v5 patchset to current git (took no tweaking at all) and tested the received values of SCM_CREDENTIALS ancillary msgs. You'd asked me if it looked right before and I said it did, but in fact there is a little bug, fixed by the below patch. thanks, -serge From c99daef4d7927bf002b493039c86e3de70d7b8b1 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn <serue@xxxxxxxxxx> Date: Fri, 7 May 2010 17:35:50 -0400 Subject: [PATCH 1/1] cred_to_ucred: use the creator of the right namespace If cred->creator->user_ns == current->user_ns, then it is the cred->creator->uid, not the current->user_ns->creator->uid which we are interested in. Tested with SCM_CREDENTIALS test program. Without this patch, if uid 1001 clones a task with clone(CLONE_NEWUSER), which then does setresuid(25,25,25) and sends a SCM_CREDENTIALS msg back to the parent, then the parent gets uid 0 and gid overflowgid. The reason is that we were returning the uid of the creator of the *parent*'s userns. With this patch, the uid, gid, and pid are all correct. Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx> --- net/core/sock.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index b5b5929..d3e2077 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -753,9 +753,10 @@ void cred_to_ucred(struct pid *pid, const struct cred *cred, /* Is cred in a child user namespace */ tmp = cred_ns; do { + struct user_namespace *p = tmp; tmp = tmp->creator->user_ns; if (tmp == current_ns) { - ucred->uid = tmp->creator->uid; + ucred->uid = p->creator->uid; ucred->gid = overflowgid; return; } -- 1.7.0.4 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
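Review bot: Replacing `tmp->creator->uid` with `p->creator->uid` is the right fix for the walk in the `do { ... }` loop: once `tmp` has been advanced to `tmp->creator->user_ns` and found equal to `current_ns`, `tmp->creator` is the creator of the caller's own namespace (the bug the commit message describes), whereas the uid the caller can meaningfully see is that of the task that created the child namespace `p`, one level below `current_ns`, and that uid is valid in `current_ns`. Two smaller points: a name such as `child` or `prev` instead of `p` would make the parent/child relationship explicit at the `if (tmp == current_ns)` line, and since this path still returns `ucred->gid = overflowgid;`, the commit message's claim that "the uid, gid, and pid are all correct" should be narrowed to say that only the uid is mapped here and the gid is deliberately left as overflowgid; the loop's termination condition is outside the hunk, so whether `tmp->creator->user_ns` can ever be NULL before `tmp == current_ns` is hit cannot be judged from these lines.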