Re: [PATCH RFC] Introduce new security.nscapability xattr

From: Jann Horn
Date: Wed Jan 20 2016 - 07:15:44 EST


On Mon, Nov 30, 2015 at 04:43:56PM -0600, Serge E. Hallyn wrote:
> +int get_vfs_ns_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
> +{
[...]
> + /* find an applicable entry */
> + /* a global entry (uid == -1) takes precedence */
> + current_root = make_kuid(current_user_ns(), 0);
> + if (!uid_valid(current_root)) {
> + /* no root user in this namespace; no capabilities */
> + ret = -EINVAL;
> + goto out;
> + }
> +
> + for (i = 0, cap = (void *) hdr + sizeof(*hdr); i < ncaps; cap += sizeof(*cap), i++) {
> + uid_t uid = le32_to_cpu(cap->rootid);
> + if (uid == -1) {
> + nscap = cap;
> + break;
> + }
> +
> + caprootuid = make_kuid(&init_user_ns, uid);
> + if (uid_eq(caprootuid, current_root))
> + nscap = cap;
> + }
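
Review bot: The loop increment `cap += sizeof(*cap)` in the for statement looks like it over-steps. `cap` is dereferenced as `cap->rootid`, so it is a typed pointer, and adding `sizeof(*cap)` to it advances by that many entries per iteration rather than by one. With `ncaps > 1` the second iteration would already read a wrong entry, possibly beyond the end of the xattr data. Suggest `cap++` here, or doing the arithmetic on a byte pointer and casting when the entry is accessed.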

Wouldn't it be more consistent to check against the root uids of all parent
namespaces until one matches?
