Re: [PATCH 4/5] nsfs: add ioctl to get a parent namespace
From: Eric W. Biederman <hidden>
Date: 2016-07-24 05:07:24
Andrey Vagin [off-list ref] writes:
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index 3529a03..a63adfb 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -388,12 +388,38 @@ static int pidns_install(struct nsproxy *nsproxy, struct ns_common *ns)
 return 0;
 }
+static struct ns_common *pidns_get_parent(struct ns_common *ns)
+{
+ struct pid_namespace *active = task_active_pid_ns(current);
+ struct pid_namespace *pid_ns, *p;
+
+ pid_ns = to_pid_ns(ns);
+ if (pid_ns == &init_pid_ns) {
+ if (capable(CAP_SYS_ADMIN))
+ return ERR_PTR(-ENOENT);
+ return ERR_PTR(-EPERM);
+ }
+
+ pid_ns = p = pid_ns->parent;
+
+ for (;;) {
+ if (p == active)
+ break;
+ if (p == &init_pid_ns)
+ return ERR_PTR(-EPERM);
+ p = p->parent;
+ }
Similarly to the user namespace issue, the permission check here needs to be: if (!ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN)) return ERR_PTR(-EPERM);
+
+ return &get_pid_ns(pid_ns)->ns;
+}
+
const struct proc_ns_operations pidns_operations = {
.name = "pid",
.type = CLONE_NEWPID,
.get = pidns_get,
.put = pidns_put,
.install = pidns_install,
+ .get_parent = pidns_get_parent,
};
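Review bot: pidns_get_parent carries no comment stating the contract its two error paths implement, and the `for (;;)` ancestor walk in the hunk makes that contract non-obvious to read back: -ENOENT is returned only when @ns is init_pid_ns (and only if the caller passes `capable(CAP_SYS_ADMIN)`, otherwise -EPERM), while -EPERM is also returned whenever the parent is neither the caller's active pid namespace nor a descendant of it. A header comment such as `/* Return a new reference to the parent of @ns. -ENOENT if @ns is the root pid namespace, -EPERM if the parent lies outside the caller's pid-namespace hierarchy. */` would pin the semantics so that any later change to the permission rule keeps the documented behaviour in step. The reference taken by `get_pid_ns()` on the return line presumably passes to the caller via the nsfs put operation; stating that ownership in the same comment would help readers of the ioctl side.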
Eric