Re: [PATCH] proc: use ns_capable instead of capable for timerslack_ns

From: Benjamin Gordon
Date: Tue Oct 30 2018 - 12:40:35 EST

Next message: Jens Axboe: "Re: [PATCH 11/14] irq: add support for allocating (and affinitizing) sets of IRQs"
Previous message: Oleg Nesterov: "Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace"
In reply to: Eric W. Biederman: "Re: [PATCH] proc: use ns_capable instead of capable for timerslack_ns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Oct 25, 2018 at 01:56:27PM -0500, Eric W. Biederman wrote:
> > Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
> > in its effective capability set, but the current check looks in the root
> > namespace instead of the process' user namespace. Since a process is
> > allowed to do other activities controlled by CAP_SYS_NICE inside a
> > namespace, it should also be able to adjust timerslack_ns.
>
> The goal seems legitimate. However the permission checks look wrong.
>
> In particular the choice of user namespace should be
> "p->cred->user_ns". This will limit this to tasks that have
> CAP_SYS_NICE in the same namespace as the task that is being modified.
>
> Testing file->f_cred->user_ns it is testing whoever opened the file and
> that could be anyone.

Thanks, that seems like the right answer here. I'll send a v2 to fix
it.

Thanks,
Benjamin

Next message: Jens Axboe: "Re: [PATCH 11/14] irq: add support for allocating (and affinitizing) sets of IRQs"
Previous message: Oleg Nesterov: "Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace"
In reply to: Eric W. Biederman: "Re: [PATCH] proc: use ns_capable instead of capable for timerslack_ns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]