[RFC][PATCH 10/20] capabilities: Update the capabilities code to handle pspaces.

Signed-off-by: Eric W. Biederman <[email protected]>


---

 kernel/capability.c |   56 +++++++++++++++++++++++++++++++--------------------
 1 files changed, 34 insertions(+), 22 deletions(-)

d84edcf08e16ef0af7170b494b371493d1829ee7
diff --git a/kernel/capability.c b/kernel/capability.c
index bfa3c92..80a618b 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -12,6 +12,7 @@
 #include <linux/module.h>
 #include <linux/security.h>
 #include <linux/syscalls.h>
+#include <linux/pspace.h>
 #include <asm/uaccess.h>
 
 unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
@@ -68,7 +69,7 @@ asmlinkage long sys_capget(cap_user_head
      read_lock(&tasklist_lock); 
 
      if (pid && pid != current->pid) {
-	     target = find_task_by_pid(pid);
+	     target = find_task_by_pid(current->pspace, pid);
 	     if (!target) {
 	          ret = -ESRCH;
 	          goto out;
@@ -96,11 +97,12 @@ static inline int cap_set_pg(int pgrp, k
 			      kernel_cap_t *inheritable,
 			      kernel_cap_t *permitted)
 {
+	struct pspace *pspace = current->pspace;
 	task_t *g, *target;
 	int ret = -EPERM;
 	int found = 0;
 
-	do_each_task_pid(pgrp, PIDTYPE_PGID, g) {
+	do_each_task_pid(pspace, pgrp, PIDTYPE_PGID, g) {
 		target = g;
 		while_each_thread(g, target) {
 			if (!security_capset_check(target, effective,
@@ -113,7 +115,7 @@ static inline int cap_set_pg(int pgrp, k
 			}
 			found = 1;
 		}
-	} while_each_task_pid(pgrp, PIDTYPE_PGID, g);
+	} while_each_task_pid(pspace, pgrp, PIDTYPE_PGID, g);
 
 	if (!found)
 	     ret = 0;
@@ -121,20 +123,26 @@ static inline int cap_set_pg(int pgrp, k
 }
 
 /*
- * cap_set_all - set capabilities for all processes other than init
- * and self.  We call this holding task_capability_lock and tasklist_lock.
- */
-static inline int cap_set_all(kernel_cap_t *effective,
-			       kernel_cap_t *inheritable,
-			       kernel_cap_t *permitted)
+ * cap_set_pspace - set capabilities for all processes in pspace
+ * other than init and self.  We call this holding
+ * task_capability_lock and tasklist_lock.
+ */
+static inline int cap_set_pspace(struct pspace *pspace,
+					kernel_cap_t *effective,
+					kernel_cap_t *inheritable,
+					kernel_cap_t *permitted)
 {
      task_t *g, *target;
      int ret = -EPERM;
      int found = 0;
 
      do_each_thread(g, target) {
-             if (target == current || target->pid == 1)
-                     continue;
+	     if (target == current)
+		     continue;
+	     if (current_pspace_leader(target))
+		     continue;
+	     if (!in_pspace(pspace, target))
+		     continue;
              found = 1;
 	     if (security_capset_check(target, effective, inheritable,
 						permitted))
@@ -200,7 +208,7 @@ asmlinkage long sys_capset(cap_user_head
      read_lock(&tasklist_lock);
 
      if (pid > 0 && pid != current->pid) {
-          target = find_task_by_pid(pid);
+          target = find_task_by_pid(current->pspace, pid);
           if (!target) {
                ret = -ESRCH;
                goto out;
@@ -212,20 +220,24 @@ asmlinkage long sys_capset(cap_user_head
 
      /* having verified that the proposed changes are legal,
            we now put them into effect. */
-     if (pid < 0) {
-             if (pid == -1)  /* all procs other than current and init */
-                     ret = cap_set_all(&effective, &inheritable, &permitted);
+	if (pid < 0) {
+		struct task_struct *p;
 
-             else            /* all procs in process group */
-                     ret = cap_set_pg(-pid, &effective, &inheritable,
+		p = find_task_by_pid(current->pspace, -pid);
+		if (p && pspace_leader(p))
+			/* all procs other than current and init */
+			ret = cap_set_pspace(p->pspace, &effective, 
+						&inheritable, &permitted);
+		else            /* all procs in process group */
+			ret = cap_set_pg(-pid, &effective, &inheritable,
 		     					&permitted);
-     } else {
-	     ret = security_capset_check(target, &effective, &inheritable,
+	} else {
+		ret = security_capset_check(target, &effective, &inheritable,
 	     						&permitted);
-	     if (!ret)
-		     security_capset_set(target, &effective, &inheritable,
+		if (!ret)
+			security_capset_set(target, &effective, &inheritable,
 		     					&permitted);
-     }
+	}
 
 out:
      read_unlock(&tasklist_lock);
-- 
1.1.5.g3480

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- [RFC][PATCH 11/20] ioprio: Update ioprio to handle pspaces.
  - From: [email protected] (Eric W. Biederman)

References:
- [RFC][PATCH 0/20] Multiple instances of the process id namespace
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 01/20] pid: Intoduce the concept of a wid (wait id)
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 02/20] pspace: The parent process id of pid 1 is always 0.
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 03/20] pid: Introduce a generic helper to test for init.
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 04/20] pspace: Allow multiple instaces of the process id namespace
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 05/20] sched: Fixup the scheduler syscalls to deal with pspaces.
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 06/20] cad_pid: Fixup the cad_pid users to assume it is in the initial process id namespace.
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 07/20] tty: Update the tty layer to work with pspaces.
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 08/20] vt: Update the virtual console to handle pspaces.
  - From: [email protected] (Eric W. Biederman)
- [RFC][PATCH 09/20] ptrace: Update ptrace handle pspaces.
  - From: [email protected] (Eric W. Biederman)

Prev by Date: [RFC][PATCH 09/20] ptrace: Update ptrace handle pspaces.
Next by Date: Re: Linux drivers management
Previous by thread: [RFC][PATCH 09/20] ptrace: Update ptrace handle pspaces.
Next by thread: [RFC][PATCH 11/20] ioprio: Update ioprio to handle pspaces.
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]