On Fri, Sep 02, 2011 at 07:56:27PM +0000, Serge Hallyn wrote:
> From: "Serge E. Hallyn" <serge@xxxxxxxxxx>

I was confused about this patch until I realized that you're not simply "moving" the capability checks but "distributing" them. Then you're showing that you'll soon change some to nsown_capable() or ns_capable() using the strange cpp pattern in the snippet below. At least I think that's what you intended. A commit message would help :).

Cheers,
	-Matt Helsley

> > Signed-off-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx> > Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> > --- > ipc/namespace.c | 7 +++++++ > kernel/fork.c | 5 +++++ > kernel/nsproxy.c | 11 ++++++++--- > kernel/utsname.c | 7 +++++++ > net/core/net_namespace.c | 7 +++++++ > 5 files changed, 34 insertions(+), 3 deletions(-) > > diff --git a/ipc/namespace.c b/ipc/namespace.c > index ce0a647..a0a7609 100644 > --- a/ipc/namespace.c > +++ b/ipc/namespace.c > @@ -163,6 +163,13 @@ static void ipcns_put(void *ns) > > static int ipcns_install(struct nsproxy *nsproxy, void *ns) > { > +#if 0 > + struct ipc_namespace *newns = ns; > + if (!ns_capable(newns->user_ns, CAP_SYS_ADMIN)) > +#else > + if (!capable(CAP_SYS_ADMIN)) > +#endif > + return -1; > /* Ditch state from the old ipc namespace */ > exit_sem(current); > put_ipc_ns(nsproxy->ipc_ns);
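
Review bot: In ipcns_install(), the failure path `return -1;` should return a named errno, `-EPERM`, instead of a bare -1; the two are numerically equal, but the named constant states that this is a permission failure and survives a later reader changing the value. The `#if 0` / `#else` pair also splits one `if` statement across preprocessor branches that share the single `return`, so enabling the `ns_capable(newns->user_ns, CAP_SYS_ADMIN)` branch later means editing inside a half-statement; consider keeping only `if (!capable(CAP_SYS_ADMIN))` here with a short comment naming the intended `ns_capable()` replacement, and making that switch in its own patch. The quoted patch carries no description between the From: line and the Signed-off-by, so a commit message explaining why the CAP_SYS_ADMIN check is being added to this install hook is needed.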