Quoting Eric W. Beiderman (ebiederm@xxxxxxxxxxxx):
> From: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
>
> Update the permission checks to use the new uid_eq and gid_eq helpers
> and remove the now unnecessary user_ns equality comparison.
>
> Signed-off-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> ---
> kernel/ptrace.c | 13 ++++++-------
> kernel/signal.c | 15 ++++++---------
> kernel/sys.c | 18 ++++++++----------
> 3 files changed, 20 insertions(+), 26 deletions(-)
>
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 24e0a5a..a232bb5 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -198,13 +198,12 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> return 0;
> rcu_read_lock();
> tcred = __task_cred(task);
> - if (cred->user_ns == tcred->user_ns &&
> - (cred->uid == tcred->euid &&
> - cred->uid == tcred->suid &&
> - cred->uid == tcred->uid &&
> - cred->gid == tcred->egid &&
> - cred->gid == tcred->sgid &&
> - cred->gid == tcred->gid))
> + if (uid_eq(cred->uid, tcred->euid) &&
> + uid_eq(cred->uid, tcred->suid) &&
> + uid_eq(cred->uid, tcred->uid) &&
> + gid_eq(cred->gid, tcred->egid) &&
> + gid_eq(cred->gid, tcred->sgid) &&
> + gid_eq(cred->gid, tcred->gid))
> goto ok;
> if (ptrace_has_cap(tcred->user_ns, mode))
> goto ok;
> diff --git a/kernel/signal.c b/kernel/signal.c
> index d630327..9797939 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -767,11 +767,10 @@ static int kill_ok_by_cred(struct task_struct *t)
> const struct cred *cred = current_cred();
> const struct cred *tcred = __task_cred(t);
>
> - if (cred->user_ns == tcred->user_ns &&
> - (cred->euid == tcred->suid ||
> - cred->euid == tcred->uid ||
> - cred->uid == tcred->suid ||
> - cred->uid == tcred->uid))
> + if (uid_eq(cred->euid, tcred->suid) ||
> + uid_eq(cred->euid, tcred->uid) ||
> + uid_eq(cred->uid, tcred->suid) ||
> + uid_eq(cred->uid, tcred->uid))
> return 1;
>
> if (ns_capable(tcred->user_ns, CAP_KILL))
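Review bot: The rewritten condition in __ptrace_may_access drops the `cred->user_ns == tcred->user_ns` guard without leaving any comment on why an id match alone is now sufficient, and the same silent removal appears in the kill_ok_by_cred, set_one_prio_perm and check_prlimit_permission hunks. The commit message calls the comparison unnecessary, which presumably rests on uid_eq()/gid_eq() comparing kernel-internal kuid_t/kgid_t values that are unique across user namespaces, but a reader auditing the permission check itself cannot see that invariant from the lines shown. A one-line comment above the first uid_eq() in each of these functions, `/* kuid_t/kgid_t ids are system-wide, so equal ids already imply the same user_ns */`, would record what these access checks now depend on. __ptrace_may_access begins before the hunk and its remaining body lies outside it.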
> @@ -1389,10 +1388,8 @@ static int kill_as_cred_perm(const struct cred *cred,
> struct task_struct *target)
> {
> const struct cred *pcred = __task_cred(target);
> - if (cred->user_ns != pcred->user_ns)
> - return 0;
> - if (cred->euid != pcred->suid && cred->euid != pcred->uid &&
> - cred->uid != pcred->suid && cred->uid != pcred->uid)
> + if (uid_eq(cred->euid, pcred->suid) && uid_eq(cred->euid, pcred->uid) &&
These should be !uid_eq() right?
> + uid_eq(cred->uid, pcred->suid) && uid_eq(cred->uid, pcred->uid))
> return 0;
> return 1;
> }
> diff --git a/kernel/sys.c b/kernel/sys.c
> index aff09f2..f484077 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -131,9 +131,8 @@ static bool set_one_prio_perm(struct task_struct *p)
> {
> const struct cred *cred = current_cred(), *pcred = __task_cred(p);
>
> - if (pcred->user_ns == cred->user_ns &&
> - (pcred->uid == cred->euid ||
> - pcred->euid == cred->euid))
> + if (uid_eq(pcred->uid, cred->euid) ||
> + uid_eq(pcred->euid, cred->euid))
> return true;
> if (ns_capable(pcred->user_ns, CAP_SYS_NICE))
> return true;
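Review bot: The new kill_as_cred_perm condition is written as a four-way conjunction guarding `return 0`, while the kill_ok_by_cred hunk in the same file expresses the identical four uid pairings as a disjunction guarding `return 1`; two sibling permission checks that test the same thing in opposite shapes are harder to audit than they need to be. Writing this one in the same positive-match form as kill_ok_by_cred makes the rule read directly as "any single id match grants, no match denies", which is the sense the removed `!=` chain encoded, and leaves no negation to get wrong. The function's signature is split between the @@ context line and the first hunk line, so the rewrite below keeps only the body.
```c
	const struct cred *pcred = __task_cred(target);
	if (uid_eq(cred->euid, pcred->suid) || uid_eq(cred->euid, pcred->uid) ||
	    uid_eq(cred->uid, pcred->suid) || uid_eq(cred->uid, pcred->uid))
		return 1;
	return 0;
```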
> @@ -1582,13 +1581,12 @@ static int check_prlimit_permission(struct task_struct *task)
> return 0;
>
> tcred = __task_cred(task);
> - if (cred->user_ns == tcred->user_ns &&
> - (cred->uid == tcred->euid &&
> - cred->uid == tcred->suid &&
> - cred->uid == tcred->uid &&
> - cred->gid == tcred->egid &&
> - cred->gid == tcred->sgid &&
> - cred->gid == tcred->gid))
> + if (uid_eq(cred->uid, tcred->euid) &&
> + uid_eq(cred->uid, tcred->suid) &&
> + uid_eq(cred->uid, tcred->uid) &&
> + gid_eq(cred->gid, tcred->egid) &&
> + gid_eq(cred->gid, tcred->sgid) &&
> + gid_eq(cred->gid, tcred->gid))
> return 0;
> if (ns_capable(tcred->user_ns, CAP_SYS_RESOURCE))
> return 0;
> --
> 1.7.2.5
>
> _______________________________________________
> Containers mailing list
> Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
> https://lists.linuxfoundation.org/mailman/listinfo/containers
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers