From patchwork Tue Jul 26 18:58:25 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Serge E. Hallyn" X-Patchwork-Id: 106920 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id A776AB6F83 for ; Wed, 27 Jul 2011 05:07:10 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753467Ab1GZTG6 (ORCPT ); Tue, 26 Jul 2011 15:06:58 -0400 Received: from 50-56-35-84.static.cloud-ips.com ([50.56.35.84]:50595 "EHLO mail" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752506Ab1GZTGl (ORCPT ); Tue, 26 Jul 2011 15:06:41 -0400 Received: by mail (Postfix, from userid 1000) id 69E65100264; Tue, 26 Jul 2011 18:58:46 +0000 (UTC) From: Serge Hallyn To: linux-kernel@vger.kernel.org Cc: dhowells@redhat.com, ebiederm@xmission.com, containers@lists.linux-foundation.org, netdev@vger.kernel.org, akpm@osdl.org, "Serge E. Hallyn" Subject: [PATCH 02/14] allow root in container to copy namespaces Date: Tue, 26 Jul 2011 18:58:25 +0000 Message-Id: <1311706717-7398-3-git-send-email-serge@hallyn.com> X-Mailer: git-send-email 1.7.0.4 In-Reply-To: <1311706717-7398-1-git-send-email-serge@hallyn.com> References: <1311706717-7398-1-git-send-email-serge@hallyn.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Serge E. Hallyn Othewise nested containers with user namespaces won't be possible. It's true that user namespaces are not yet fully isolated, but for that same reason there are far worse things that root in a child user ns can do. Spawning a child user ns is not in itself bad. This patch also allows setns for root in a container: @Eric Biederman: are there gotchas in allowing setns from child userns? Signed-off-by: Serge E. Hallyn Cc: Eric W. Biederman --- kernel/fork.c | 4 ++-- kernel/nsproxy.c | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index 17bf7c8..22d0cf0 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1473,8 +1473,8 @@ long do_fork(unsigned long clone_flags, /* hopefully this check will go away when userns support is * complete */ - if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) || - !capable(CAP_SETGID)) + if (!nsown_capable(CAP_SYS_ADMIN) || !nsown_capable(CAP_SETUID) || + !nsown_capable(CAP_SETGID)) return -EPERM; } diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index 9aeab4b..f50542d 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c @@ -134,7 +134,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk) CLONE_NEWPID | CLONE_NEWNET))) return 0; - if (!capable(CAP_SYS_ADMIN)) { + if (!nsown_capable(CAP_SYS_ADMIN)) { err = -EPERM; goto out; } @@ -191,7 +191,7 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags, CLONE_NEWNET))) return 0; - if (!capable(CAP_SYS_ADMIN)) + if (!nsown_capable(CAP_SYS_ADMIN)) return -EPERM; *new_nsp = create_new_namespaces(unshare_flags, current, @@ -241,7 +241,7 @@ SYSCALL_DEFINE2(setns, int, fd, int, nstype) struct file *file; int err; - if (!capable(CAP_SYS_ADMIN)) + if (!nsown_capable(CAP_SYS_ADMIN)) return -EPERM; file = proc_ns_fget(fd);