userns: user namespaces: convert several capable() calls
CAP_IPC_OWNER and CAP_IPC_LOCK can be checked against current_user_ns(), because the resource comes from current's own ipc namespace. setuid/setgid are to uids in own namespace, so again checks can be against current_user_ns(). Changelog: Jan 11: Use task_ns_capable() in place of sched_capable(). Jan 11: Use nsown_capable() as suggested by Bastian Blank. Jan 11: Clarify (hopefully) some logic in futex and sched.c Feb 15: use ns_capable for ipc, not nsown_capable Feb 23: let copy_ipcs handle setting ipc_ns->user_ns Feb 23: pass ns down rather than taking it from current [akpm@linux-foundation.org: coding-style fixes] Signed-off-by:Serge E. Hallyn <serge.hallyn@canonical.com> Acked-by:
"Eric W. Biederman" <ebiederm@xmission.com> Acked-by:
Daniel Lezcano <daniel.lezcano@free.fr> Acked-by:
David Howells <dhowells@redhat.com> Cc: James Morris <jmorris@namei.org> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org>
Showing
- include/linux/ipc_namespace.h 4 additions, 3 deletionsinclude/linux/ipc_namespace.h
- ipc/msg.c 4 additions, 4 deletionsipc/msg.c
- ipc/namespace.c 8 additions, 5 deletionsipc/namespace.c
- ipc/sem.c 6 additions, 4 deletionsipc/sem.c
- ipc/shm.c 5 additions, 4 deletionsipc/shm.c
- ipc/util.c 16 additions, 10 deletionsipc/util.c
- ipc/util.h 3 additions, 2 deletionsipc/util.h
- kernel/futex.c 10 additions, 1 deletionkernel/futex.c
- kernel/futex_compat.c 10 additions, 1 deletionkernel/futex_compat.c
- kernel/groups.c 1 addition, 1 deletionkernel/groups.c
- kernel/nsproxy.c 1 addition, 6 deletionskernel/nsproxy.c
- kernel/sched.c 6 additions, 3 deletionskernel/sched.c
- kernel/uid16.c 1 addition, 1 deletionkernel/uid16.c
Loading
Please register or sign in to comment