|
|
| [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] |
From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
This reverts commit d2a7009f0bb03fa22ad08dd25472efa0568126b9.
J. R. Okajima explains:
"After this commit, I am afraid access(2) on NFS may not work
correctly. The scenario based upon my guess.
- access(2) overrides the credentials.
- calls inode_permission() -- ... -- generic_permission() --
ns_capable().
- while the old ns_capable() calls security_capable(current_cred()),
the new ns_capable() calls has_ns_capability(current) --
security_capable(__task_cred(t)).
current_cred() returns current->cred which is effective (overridden)
credentials, but __task_cred(current) returns current->real_cred (the
NFSD's credential). And the overridden credentials by access(2) lost."
Requested-by: J. R. Okajima <hooanon05@xxxxxxxxxxx>
Acked-by: Eric Paris <eparis@xxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
---
kernel/capability.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/capability.c b/kernel/capability.c
index 74fb3b6..0b6b229 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -384,7 +384,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
BUG();
}
- if (has_ns_capability(current, ns, cap)) {
+ if (security_capable(current_cred(), ns, cap) == 0) {
current->flags |= PF_SUPERPRIV;
return true;
}
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
[Fedora Maintainers] [Fedora Desktop] [Fedora SELinux] [Yosemite News] [Yosemite Photos] [KDE Users] [Fedora Tools]
