[PATCH 02/14] allow root in container to copy namespaces

From: Serge Hallyn
Date: Tue Jul 26 2011 - 14:59:55 EST


From: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx>

Otherwise nested containers with user namespaces won't be possible.

It's true that user namespaces are not yet fully isolated, but for
that same reason there are far worse things that root in a child
user ns can do. Spawning a child user ns is not in itself bad.

This patch also allows setns for root in a container:
@Eric Biederman: are there gotchas in allowing setns from child
userns?

Signed-off-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx>
Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
---
kernel/fork.c | 4 ++--
kernel/nsproxy.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 17bf7c8..22d0cf0 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1473,8 +1473,8 @@ long do_fork(unsigned long clone_flags,
/* hopefully this check will go away when userns support is
* complete
*/
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
- !capable(CAP_SETGID))
+ if (!nsown_capable(CAP_SYS_ADMIN) || !nsown_capable(CAP_SETUID) ||
+ !nsown_capable(CAP_SETGID))
return -EPERM;
}
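
Review bot: the comment kept above this check ("hopefully this check will go away when userns support is complete") no longer describes what the check does. With nsown_capable() the three capabilities are tested against the caller's own user namespace, so root inside a child user ns now passes. The comment should say that, and say why it is acceptable while, as the changelog admits, user namespaces are not yet fully isolated.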

diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 9aeab4b..f50542d 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -134,7 +134,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk)
CLONE_NEWPID | CLONE_NEWNET)))
return 0;

- if (!capable(CAP_SYS_ADMIN)) {
+ if (!nsown_capable(CAP_SYS_ADMIN)) {
err = -EPERM;
goto out;
}
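
Review bot: the flag mask in the context lines includes CLONE_NEWPID and CLONE_NEWNET, so switching to nsown_capable(CAP_SYS_ADMIN) here lets root in a child user ns create those namespace types as well, while the changelog only argues that spawning a child user ns is not in itself bad. Either justify each namespace type covered by the mask in the changelog, or keep capable() for the types that have not been reviewed for use from a child user ns.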
@@ -191,7 +191,7 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
CLONE_NEWNET)))
return 0;

- if (!capable(CAP_SYS_ADMIN))
+ if (!nsown_capable(CAP_SYS_ADMIN))
return -EPERM;

*new_nsp = create_new_namespaces(unshare_flags, current,
@@ -241,7 +241,7 @@ SYSCALL_DEFINE2(setns, int, fd, int, nstype)
struct file *file;
int err;

- if (!capable(CAP_SYS_ADMIN))
+ if (!nsown_capable(CAP_SYS_ADMIN))
return -EPERM;

file = proc_ns_fget(fd);
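
Review bot: nsown_capable(CAP_SYS_ADMIN) runs before proc_ns_fget(fd), so it can only test the caller's own user namespace and knows nothing about the namespace the fd refers to. This is the place where the question in the changelog about setns gotchas applies: consider a second check after the fd is resolved that the caller is privileged over the target namespace, or leave capable() in setns until such a check exists.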
--
1.7.4.1
