[CRIU] [PATCH 1/5] restore: don't restore task with uid==0, if client's uid!=0
Andrew Vagin
avagin at parallels.com
Mon Sep 30 06:47:03 PDT 2013
On Mon, Sep 30, 2013 at 03:06:17PM +0400, Ruslan Kuprieiev wrote:
> Signed-off-by: Ruslan Kuprieiev <kupruser at gmail.com>
> ---
> diff --git a/cr-restore.c b/cr-restore.c
> index 632b8da..86ea666 100644
> --- a/cr-restore.c
> +++ b/cr-restore.c
> @@ -63,6 +63,7 @@
> #include "vdso.h"
> #include "stats.h"
> #include "tun.h"
> +#include "cr-service.h"
>
> #include "parasite-syscall.h"
>
> @@ -1907,6 +1908,16 @@ static inline int verify_cap_size(CredsEntry *ce)
> (ce->n_cap_prm == CR_CAP_SIZE) && (ce->n_cap_bnd == CR_CAP_SIZE));
> }
>
> +static int check_uid(int uid)
> +{
> + if (cr_service_client) {
> + if (cr_service_client->uid != 0 && uid == 0)
I don't understand what does that mean. Could you explain?
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> static int prepare_creds(int pid, struct task_restore_core_args *args)
> {
> int fd, ret;
> @@ -1939,6 +1950,11 @@ static int prepare_creds(int pid, struct task_restore_core_args *args)
> return -1;
> }
>
> + if (check_uid(ce->uid) == -1) {
> + pr_perror("Client has no permissions to restore task");
> + return -1;
> + }
> +
> args->creds = *ce;
> args->creds.cap_inh = args->cap_inh;
> memcpy(args->cap_inh, ce->cap_inh, sizeof(args->cap_inh));
>
>
> _______________________________________________
> CRIU mailing list
> CRIU at openvz.org
> https://lists.openvz.org/mailman/listinfo/criu
More information about the CRIU
mailing list