userns: Convert process event connector to handle kuids and kgids
- Only allow asking for events from the initial user and pid namespace, which is where we generate the events. - Convert kuids and kgids into the initial user namespace to report them via the process event connector. Cc: David Miller <davem@davemloft.net> Acked-by: Evgeniy Polyakov <zbr@ioremap.net> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
parent
7dc05881b6
commit
9582d90196
2 changed files with 14 additions and 5 deletions
@ -30,6 +30,7 @@
|
||||||
#include <linux/gfp.h>
|
#include <linux/gfp.h>
|
||||||
#include <linux/ptrace.h>
|
#include <linux/ptrace.h>
|
||||||
#include <linux/atomic.h>
|
#include <linux/atomic.h>
|
||||||
|
#include <linux/pid_namespace.h>
|
||||||
|
|
||||||
#include <asm/unaligned.h>
|
#include <asm/unaligned.h>
|
||||||
|
|
||||||
|
@ -127,11 +128,11 @@ void proc_id_connector(struct task_struct *task, int which_id)
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
cred = __task_cred(task);
|
cred = __task_cred(task);
|
||||||
if (which_id == PROC_EVENT_UID) {
|
if (which_id == PROC_EVENT_UID) {
|
||||||
ev->event_data.id.r.ruid = cred->uid;
|
ev->event_data.id.r.ruid = from_kuid_munged(&init_user_ns, cred->uid);
|
||||||
ev->event_data.id.e.euid = cred->euid;
|
ev->event_data.id.e.euid = from_kuid_munged(&init_user_ns, cred->euid);
|
||||||
} else if (which_id == PROC_EVENT_GID) {
|
} else if (which_id == PROC_EVENT_GID) {
|
||||||
ev->event_data.id.r.rgid = cred->gid;
|
ev->event_data.id.r.rgid = from_kgid_munged(&init_user_ns, cred->gid);
|
||||||
ev->event_data.id.e.egid = cred->egid;
|
ev->event_data.id.e.egid = from_kgid_munged(&init_user_ns, cred->egid);
|
||||||
} else {
|
} else {
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
return;
|
return;
|
||||||
|
@ -303,6 +304,15 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
|
||||||
if (msg->len != sizeof(*mc_op))
|
if (msg->len != sizeof(*mc_op))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Events are reported with respect to the initial pid
|
||||||
|
* and user namespaces so ignore requestors from
|
||||||
|
* other namespaces.
|
||||||
|
*/
|
||||||
|
if ((current_user_ns() != &init_user_ns) ||
|
||||||
|
(task_active_pid_ns(current) != &init_pid_ns))
|
||||||
|
return;
|
||||||
|
|
||||||
mc_op = (enum proc_cn_mcast_op *)msg->data;
|
mc_op = (enum proc_cn_mcast_op *)msg->data;
|
||||||
switch (*mc_op) {
|
switch (*mc_op) {
|
||||||
case PROC_CN_MCAST_LISTEN:
|
case PROC_CN_MCAST_LISTEN:
|
||||||
|
|
|
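Review bot: The namespace gate added ahead of the switch in cn_proc_mcast_ctl is a scoping check, not an authorization check: any unprivileged task whose user namespace is init_user_ns and whose active pid namespace is init_pid_ns still passes it and can subscribe to events that, per the id hunk above, carry the real and effective uid/gid of every task on the system. If subscribing is meant to stay unprivileged that deserves a sentence in the comment; otherwise a capability test next to the new check, `if (!capable(CAP_NET_ADMIN)) return;`, would gate the listener itself rather than only its namespace. The bare `return;` also drops the request with no feedback to the sender, so the new comment should say so, e.g. `* other namespaces (the request is silently dropped).`. The check keys off current rather than the credentials carried with the message, which presumably relies on the callback running in the sender's context — worth a one-line comment, since the function's parameter list is cut off at the hunk header and its body continues outside the hunk.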
@ -938,7 +938,6 @@ config UIDGID_CONVERTED
|
||||||
depends on QUOTACTL = n
|
depends on QUOTACTL = n
|
||||||
depends on BSD_PROCESS_ACCT = n
|
depends on BSD_PROCESS_ACCT = n
|
||||||
depends on DRM = n
|
depends on DRM = n
|
||||||
depends on PROC_EVENTS = n
|
|
||||||
|
|
||||||
# Networking
|
# Networking
|
||||||
depends on NET_9P = n
|
depends on NET_9P = n
|
||||||
|
|