]> www.infradead.org Git - users/hch/xfs.git/commitdiff
projects / users / hch / xfs.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 81abe27)
userns: Convert net/core/scm.c to use kuids and kgids
authorEric W. Biederman <ebiederm@xmission.com>
Wed, 23 May 2012 22:39:45 +0000 (16:39 -0600)
committerEric W. Biederman <ebiederm@xmission.com>
Wed, 15 Aug 2012 04:41:58 +0000 (21:41 -0700)
With the existence of kuid_t and kgid_t we can take this further
and remove the usage of struct cred altogether, ensuring we
don't get cache line misses from reference counts.   For now
however start simply and do a straight forward conversion
I can be certain is correct.

In cred_to_ucred use from_kuid_munged and from_kgid_munged
as these values are going directly to userspace and we want to use
the userspace safe values not -1 when reporting a value that does not
map.  The earlier conversion that used from_kuid was buggy in that
respect.  Oops.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
net/core/scm.c patch | blob | history
net/core/sock.c patch | blob | history

diff --git a/net/core/scm.c b/net/core/scm.c
index 8f6ccfd68ef4fb6625652f0b34f7f3fdb4b4a91e..5472ae7a0657569987eb6798cd955e8b4da85e00 100644 (file)
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -45,12 +45,17 @@
 static __inline__ int scm_check_creds(struct ucred *creds)
 {
        const struct cred *cred = current_cred();
+       kuid_t uid = make_kuid(cred->user_ns, creds->uid);
+       kgid_t gid = make_kgid(cred->user_ns, creds->gid);
+
+       if (!uid_valid(uid) || !gid_valid(gid))
+               return -EINVAL;
 
        if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) &&
-           ((creds->uid == cred->uid   || creds->uid == cred->euid ||
-             creds->uid == cred->suid) || capable(CAP_SETUID)) &&
-           ((creds->gid == cred->gid   || creds->gid == cred->egid ||
-             creds->gid == cred->sgid) || capable(CAP_SETGID))) {
+           ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
+             uid_eq(uid, cred->suid)) || capable(CAP_SETUID)) &&
+           ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
+             gid_eq(gid, cred->sgid)) || capable(CAP_SETGID))) {
               return 0;
        }
        return -EPERM;
@@ -149,6 +154,9 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
                                goto error;
                        break;
                case SCM_CREDENTIALS:
+               {
+                       kuid_t uid;
+                       kgid_t gid;
                        if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
                                goto error;
                        memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
@@ -166,22 +174,29 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
                                p->pid = pid;
                        }
 
+                       err = -EINVAL;
+                       uid = make_kuid(current_user_ns(), p->creds.uid);
+                       gid = make_kgid(current_user_ns(), p->creds.gid);
+                       if (!uid_valid(uid) || !gid_valid(gid))
+                               goto error;
+
                        if (!p->cred ||
-                           (p->cred->euid != p->creds.uid) ||
-                           (p->cred->egid != p->creds.gid)) {
+                           !uid_eq(p->cred->euid, uid) ||
+                           !gid_eq(p->cred->egid, gid)) {
                                struct cred *cred;
                                err = -ENOMEM;
                                cred = prepare_creds();
                                if (!cred)
                                        goto error;
 
-                               cred->uid = cred->euid = p->creds.uid;
-                               cred->gid = cred->egid = p->creds.gid;
+                               cred->uid = cred->euid = uid;
+                               cred->gid = cred->egid = gid;
                                if (p->cred)
                                        put_cred(p->cred);
                                p->cred = cred;
                        }
                        break;
+               }
                default:
                        goto error;
                }
diff --git a/net/core/sock.c b/net/core/sock.c
index 6b654b3ddfda2a9a03f77bc1d2a5476a2c25e9d4..9c7fe4ff30fcd28d2a96b9603f44048b2f606c1e 100644 (file)
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -868,8 +868,8 @@ void cred_to_ucred(struct pid *pid, const struct cred *cred,
        if (cred) {
                struct user_namespace *current_ns = current_user_ns();
 
-               ucred->uid = from_kuid(current_ns, cred->euid);
-               ucred->gid = from_kgid(current_ns, cred->egid);
+               ucred->uid = from_kuid_munged(current_ns, cred->euid);
+               ucred->gid = from_kgid_munged(current_ns, cred->egid);
        }
 }
 EXPORT_SYMBOL_GPL(cred_to_ucred);
Unnamed repository; edit this file 'description' to name the repository.