[PATCH 5/9] syslog_ns: make permisiion check per user namespace

From: Rui Xiang
Date: Sun Jul 28 2013 - 22:35:20 EST

Next message: Rui Xiang: "[PATCH 6/9] syslog_ns: use init syslog_ns for console action"
Previous message: Rui Xiang: "[PATCH 9/9] netfilter: use ns_printk in iptable context"
In reply to: Rui Xiang: "Re: [PATCH 9/9] netfilter: use ns_printk in iptable context"
Next in thread: Rui Xiang: "[PATCH 6/9] syslog_ns: use init syslog_ns for console action"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Use ns_capable to check capability in user ns,
instead of capable function. The user ns is the
owner of current syslog ns.

Signed-off-by: Rui Xiang <rui.xiang@xxxxxxxxxx>
---
kernel/printk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/printk.c b/kernel/printk.c
index 846fef5..c5c65a8 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -380,13 +380,13 @@ static int check_syslog_permissions(int type, bool from_file,
return 0;

if (syslog_action_restricted(type, ns)) {
- if (capable(CAP_SYSLOG))
+ if (ns_capable(ns->owner, CAP_SYSLOG))
return 0;
/*
* For historical reasons, accept CAP_SYS_ADMIN too, with
* a warning.
*/
- if (capable(CAP_SYS_ADMIN)) {
+ if (ns_capable(ns->owner, CAP_SYS_ADMIN)) {
pr_warn_once("%s (%d): Attempt to access syslog with "
"CAP_SYS_ADMIN but no CAP_SYSLOG "
"(deprecated).\n",
--
1.8.2.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Rui Xiang: "[PATCH 6/9] syslog_ns: use init syslog_ns for console action"
Previous message: Rui Xiang: "[PATCH 9/9] netfilter: use ns_printk in iptable context"
In reply to: Rui Xiang: "Re: [PATCH 9/9] netfilter: use ns_printk in iptable context"
Next in thread: Rui Xiang: "[PATCH 6/9] syslog_ns: use init syslog_ns for console action"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]