[CRIU] [PATCH 1/5] restore: don't restore task with uid==0, if client's uid!=0
Ruslan Kuprieiev
kupruser at gmail.com
Mon Sep 30 04:06:17 PDT 2013
Signed-off-by: Ruslan Kuprieiev <kupruser at gmail.com>
-------------- next part --------------
---
diff --git a/cr-restore.c b/cr-restore.c
index 632b8da..86ea666 100644
--- a/cr-restore.c
+++ b/cr-restore.c
@@ -63,6 +63,7 @@
#include "vdso.h"
#include "stats.h"
#include "tun.h"
+#include "cr-service.h"
#include "parasite-syscall.h"
@@ -1907,6 +1908,16 @@ static inline int verify_cap_size(CredsEntry *ce)
(ce->n_cap_prm == CR_CAP_SIZE) && (ce->n_cap_bnd == CR_CAP_SIZE));
}
+static int check_uid(int uid)
+{
+ if (cr_service_client) {
+ if (cr_service_client->uid != 0 && uid == 0)
+ return -1;
+ }
+
+ return 0;
+}
+
static int prepare_creds(int pid, struct task_restore_core_args *args)
{
int fd, ret;
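Review bot: check_uid() rejects only an image whose real uid is 0, so a service client with a non-zero uid can still get a task restored under any other non-root user's uid. Comparing against the caller would close that gap: `if (cr_service_client->uid != 0 && uid != cr_service_client->uid) return -1;`. The same gate likely needs to cover the other ids and the capability sets in CredsEntry (the cap_* arrays are referenced in verify_cap_size just above). Otherwise an image with a non-zero uid but a privileged effective or saved id, or non-empty permitted caps, would pass. The parameter is declared `int` while the type of `cr_service_client->uid` is not visible here, so an unsigned id type would avoid a signed/unsigned comparison. A short comment on check_uid() saying that a NULL `cr_service_client` (presumably a non-service invocation) is deliberately allowed would also help.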
@@ -1939,6 +1950,11 @@ static int prepare_creds(int pid, struct task_restore_core_args *args)
return -1;
}
+ if (check_uid(ce->uid) == -1) {
+ pr_perror("Client has no permissions to restore task");
+ return -1;
+ }
+
args->creds = *ce;
args->creds.cap_inh = args->cap_inh;
memcpy(args->cap_inh, ce->cap_inh, sizeof(args->cap_inh));
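Review bot: pr_perror() appends strerror(errno), but check_uid() never sets errno, so this denial will be logged with a stale or unrelated error string. `pr_err("Client has no permissions to restore task\n");` is the fitting call. Because this is an access-control refusal, the message should also record who was refused and for which target, e.g. `pr_err("Client uid %d may not restore task with uid %d\n", cr_service_client->uid, ce->uid);`, with the format specifiers adjusted to the actual field types. prepare_creds starts and continues outside this hunk, so whether earlier steps have already acted on the image before this check runs cannot be judged from here.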