Quoting Tetsuo Handa (penguin-kernel@xxxxxxxxxxxxxxxxxxx): > Eric W. Beiderman wrote: > > Start distinguishing between internal kernel uids and gids and > > values that userspace can use. This is done by introducing two > > new types: kuid_t and kgid_t. These types and their associated > > functions are infrastructure are declared in the new header > > uidgid.h. > > I have a question regarding security/tomoyo/ code. > TOMOYO is currently doing > > static bool tomoyo_manager(void) > { > struct tomoyo_manager *ptr; > const char *exe; > const struct task_struct *task = current; > const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; > bool found = false; > > if (!tomoyo_policy_loaded) > return true; > if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) > return false; > (...snipped...) > } > > in order to prevent non-root users from modifying policy configuration. > Even after introducing userns, I want to prevent root user owned by > non-root users from modifying policy configuration. > > So, what does task->cred->uid in a userns mean? UID in current userns? > Is yes, I think TOMOYO needs some change. task->cred->uid is a kuid_t. But Eric's patchset already does the trivial fixup needed by this code :) You're all set. -serge -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html