Re: [RFC PATCH 1/6] set_user: Perform RLIMIT_NPROC capability check against new user credentials

From: Michal Koutný
Date: Tue Feb 15 2022 - 06:55:47 EST

Next message: Petr Mladek: "Re: [PATCH printk v1 04/13] printk: get caller_id/timestamp after migration disable"
Previous message: Ioana Ciornei: "Re: [PATCH] dpaa2-switch: fix default return of dpaa2_switch_flower_parse_mirror_key"
In reply to: Solar Designer: "Re: [RFC PATCH 1/6] set_user: Perform RLIMIT_NPROC capability check against new user credentials"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Feb 10, 2022 at 02:14:05AM +0100, Solar Designer <solar@xxxxxxxxxxxx> wrote:
> However, I think you need to drop the negations of the return value from
> security_capable().
> security_capable() returns 0 or -EPERM, while capable() returns a
> bool, in kernel/capability.c: ns_capable_common():

Oops. Yeah, I only blindly applied replacement with a predicate for
(new) cred and overlooked this inverse semantics. Thanks for pointing
that out to me!

Nevertheless, this will likely be incorporated via Eric's series
anyway.

Michal

Next message: Petr Mladek: "Re: [PATCH printk v1 04/13] printk: get caller_id/timestamp after migration disable"
Previous message: Ioana Ciornei: "Re: [PATCH] dpaa2-switch: fix default return of dpaa2_switch_flower_parse_mirror_key"
In reply to: Solar Designer: "Re: [RFC PATCH 1/6] set_user: Perform RLIMIT_NPROC capability check against new user credentials"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]