On Mon, Jan 10, 2011 at 09:13:34PM +0000, Serge E. Hallyn wrote:

> +	const struct cred *cred = current_cred();
> +	const struct cred *tcred = __task_cred(t);
> +
> +	if (cred->user->user_ns != tcred->user->user_ns) {
> +		/* userids are not equivalent - either you have the
> +		   capability to the target user ns or you don't */
> +		if (ns_capable(tcred->user->user_ns, CAP_KILL))
> +			return 1;
> +		return 0;
> +	}
> +
> +	/* same user namespace - usual credentials checks apply */
> +	if ((cred->euid ^ tcred->suid) &&
> +	    (cred->euid ^ tcred->uid) &&
> +	    (cred->uid ^ tcred->suid) &&
> +	    (cred->uid ^ tcred->uid) &&
> +	    !ns_capable(tcred->user->user_ns, CAP_KILL))
> +		return 0;
> +
> +	return 1;

Isn't that equal to this?

	if (ns_capable(tcred->user->user_ns, CAP_KILL))
		return 1;
	if (cred->user->user_ns == tcred->user->user_ns &&
	    (cred->euid == tcred->suid ||
	     cred->euid == tcred->uid ||
	     cred->uid == tcred->suid ||
	     cred->uid == tcred->uid))
		return 1;
	return 0;

I would consider this much easier to read.

Bastian

--
I'm a soldier, not a diplomat.  I can only tell the truth.
		-- Kirk, "Errand of Mercy", stardate 3198.9

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
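Review bot: the four `(a ^ b)` tests in the same-namespace branch are plain inequality checks and would read more clearly as `cred->euid != tcred->suid` and so on. Note also that the two branches differ in when `ns_capable()` runs: the cross-namespace branch calls it unconditionally, while the same-namespace branch only reaches it after all four uid comparisons have failed. Any rewrite that hoists the capability check to the top keeps the same return values but calls `ns_capable()` on every same-namespace kill, which matters because a successful capability check has side effects (it marks the caller with PF_SUPERPRIV and is visible to audit); if the ordering is intentional, a comment saying so would save the next reader the same question.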
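An added check, not part of the thread or the kernel patch, that answers "isn't that equal to this?" by brute force: both formulations are re-expressed over the same six boolean inputs (namespace equality, the `ns_capable()` result and the four uid comparisons, all treated as independent) and compared on every combination. It only compares return values; it says nothing about when `ns_capable()` gets called.

```c
/* Added example: exhaustively compares the patch's kill-permission test
 * with the proposed rewrite, with its inputs modelled as booleans. */
#include <stdbool.h>
struct kill_inputs {
	bool same_ns;   /* cred->user->user_ns == tcred->user->user_ns */
	bool cap_kill;  /* ns_capable(tcred->user->user_ns, CAP_KILL) */
	bool euid_suid; /* cred->euid == tcred->suid */
	bool euid_uid;  /* cred->euid == tcred->uid */
	bool uid_suid;  /* cred->uid == tcred->suid */
	bool uid_uid;   /* cred->uid == tcred->uid */
};

/* The patch's logic; (a ^ b) is non-zero exactly when a != b. */
static int kill_ok_patch(const struct kill_inputs *in)
{
	if (!in->same_ns)
		return in->cap_kill ? 1 : 0;
	if (!in->euid_suid && !in->euid_uid && !in->uid_suid &&
	    !in->uid_uid && !in->cap_kill)
		return 0;
	return 1;
}

/* Bastian's proposed rewrite, capability check first. */
static int kill_ok_rewrite(const struct kill_inputs *in)
{
	if (in->cap_kill)
		return 1;
	if (in->same_ns && (in->euid_suid || in->euid_uid ||
			    in->uid_suid || in->uid_uid))
		return 1;
	return 0;
}

/* Try all 64 input combinations; returns how many times the two differ. */
int count_disagreements(void)
{
	int bad = 0;
	for (unsigned bits = 0; bits < 64; bits++) {
		struct kill_inputs in = {
			.same_ns = bits & 1,   .cap_kill = bits & 2,
			.euid_suid = bits & 4, .euid_uid = bits & 8,
			.uid_suid = bits & 16, .uid_uid = bits & 32,
		};
		if (kill_ok_patch(&in) != kill_ok_rewrite(&in))
			bad++;
	}
	return bad;
}

int main(void) { return count_disagreements() != 0; }
```

A zero exit status (and a zero return from `count_disagreements()`) confirms the two versions agree on every input.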