Andrey Vagin <avagin@xxxxxxxxxx> writes:
> diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
> index 3529a03..a63adfb 100644
> --- a/kernel/pid_namespace.c
> +++ b/kernel/pid_namespace.c
> @@ -388,12 +388,38 @@ static int pidns_install(struct nsproxy *nsproxy, struct ns_common *ns)
> return 0;
> }
>
> +static struct ns_common *pidns_get_parent(struct ns_common *ns)
> +{
> + struct pid_namespace *active = task_active_pid_ns(current);
> + struct pid_namespace *pid_ns, *p;
> +
> + pid_ns = to_pid_ns(ns);
> + if (pid_ns == &init_pid_ns) {
> + if (capable(CAP_SYS_ADMIN))
> + return ERR_PTR(-ENOENT);
> + return ERR_PTR(-EPERM);
> + }
> +
> + pid_ns = p = pid_ns->parent;
> +
> + for (;;) {
> + if (p == active)
> + break;
> + if (p == &init_pid_ns)
> + return ERR_PTR(-EPERM);
> + p = p->parent;
> + }
Similarly to the user namespace issue the permission check here needs to be:
if (!ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN)
return ERR_PTR(-EPERM);
> +
> + return &get_pid_ns(pid_ns)->ns;
> +}
> +
> const struct proc_ns_operations pidns_operations = {
> .name = "pid",
> .type = CLONE_NEWPID,
> .get = pidns_get,
> .put = pidns_put,
> .install = pidns_install,
> + .get_parent = pidns_get_parent,
> };
>
Eric
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
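Review bot: In pidns_get_parent the walk up the parent chain terminates on `p == &init_pid_ns`, which duplicates the `pid_ns == &init_pid_ns` pre-check and ties loop termination to the root namespace being reached before `p->parent` becomes NULL; testing the pointer itself is simpler and covers the end of the chain from any starting point, e.g. `if (!p) return ERR_PTR(-EPERM);` as the first test in the loop body in place of the `p == &init_pid_ns` test. Since that loop is the entire access decision for the non-root case, it deserves a why-comment such as `/* Only hand out the parent if it is the caller's active pid namespace or one of its descendants. */` above the `for (;;)`. The pre-check's choice of -ENOENT when `capable(CAP_SYS_ADMIN)` succeeds but -EPERM otherwise keys on the initial user namespace and appears intended to keep unprivileged callers from distinguishing the root namespace from one they may not reach; if that is the intent, a one-line comment stating it would stop a later reader from "fixing" the error code. pidns_install's closing lines appear only as context here; its body starts outside the hunk.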