Re: [PATCH 13/43] userns: Add kuid_t and kgid_t and associated infrastructure in uidgid.h

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting Tetsuo Handa (penguin-kernel@xxxxxxxxxxxxxxxxxxx):
> Eric W. Beiderman wrote:
> > Start distinguishing between internal kernel uids and gids and
> > values that userspace can use.  This is done by introducing two
> > new types: kuid_t and kgid_t.  These types and their associated
> > functions are infrastructure are declared in the new header
> > uidgid.h.
> 
> I have a question regarding security/tomoyo/ code.
> TOMOYO is currently doing
> 
> static bool tomoyo_manager(void)
> {
> 	struct tomoyo_manager *ptr;
> 	const char *exe;
> 	const struct task_struct *task = current;
> 	const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
> 	bool found = false;
> 
> 	if (!tomoyo_policy_loaded)
> 		return true;
> 	if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
> 		return false;
> (...snipped...)
> }
> 
> in order to prevent non-root users from modifying policy configuration.
> Even after introducing userns, I want to prevent root user owned by
> non-root users from modifying policy configuration.
> 
> So, what does task->cred->uid in a userns mean? UID in current userns?
> Is yes, I think TOMOYO needs some change.

task->cred->uid is a kuid_t.  But Eric's patchset already does the trivial
fixup needed by this code :)  You're all set.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux