On Fri, Jan 14, 2011 at 03:46:09PM +0100, Bastian Blank wrote: > On Tue, Jan 11, 2011 at 06:44:39AM +0000, Serge E. Hallyn wrote: > > diff --git a/kernel/ptrace.c b/kernel/ptrace.c > > index 99bbaa3..ec7605d 100644 > > --- a/kernel/ptrace.c > > +++ b/kernel/ptrace.c > > @@ -134,21 +134,24 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode) > > return 0; > > rcu_read_lock(); > > tcred = __task_cred(task); > > - if ((cred->uid != tcred->euid || > > - cred->uid != tcred->suid || > > - cred->uid != tcred->uid || > > - cred->gid != tcred->egid || > > - cred->gid != tcred->sgid || > > - cred->gid != tcred->gid) && > > - !capable(CAP_SYS_PTRACE)) { > > - rcu_read_unlock(); > > - return -EPERM; > > - } > > + if (cred->user->user_ns == tcred->user->user_ns && > > + (cred->uid == tcred->euid && > > + cred->uid == tcred->suid && > > + cred->uid == tcred->uid && > > + cred->gid == tcred->egid && > > + cred->gid == tcred->sgid && > > + cred->gid == tcred->gid)) > > + goto ok; > > + if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)) > > + goto ok; > > + rcu_read_unlock(); > > + return -EPERM; > > +ok: > > This is wrong. Whoops, it _is_ right. However the nested parenthesis is unnecessary and can lead to other conclusions. Bastian -- Lots of people drink from the wrong bottle sometimes. -- Edith Keeler, "The City on the Edge of Forever", stardate unknown
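Review bot: the inner parentheses around the six uid/gid comparisons in the new `if` in `__ptrace_may_access()` are redundant, because every term, including the `cred->user->user_ns == tcred->user->user_ns` test, is joined by `&&`; the grouping suggests an `||` somewhere that is not there. Dropping them, or moving the six comparisons into a small helper, would make it obvious that the fast path requires both the same user namespace and a full uid/gid match. A one-line comment above `ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)` saying that the capability is evaluated against the target task's user namespace rather than the caller's would also help readers comparing it with the removed `capable(CAP_SYS_PTRACE)` check.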