[CRIU] [PATCH 2/2] security: restrict criu with groups
Ruslan Kuprieiev
kupruser at gmail.com
Fri Jul 4 07:20:40 PDT 2014
On 04.07.2014 17:10, Pavel Emelyanov wrote:
>> @@ -62,13 +134,13 @@ static bool check_caps(u32 *inh, u32 *eff, u32 *prm)
>> bool may_dump(struct proc_status_creds *creds)
>> {
>> return check_ids(cr_uid, creds->uids[0], creds->uids[1], creds->uids[2]) &&
>> - check_ids(cr_gid, creds->gids[0], creds->gids[1], creds->gids[2]) &&
>> + check_gids(creds->gids[0], creds->gids[1], creds->gids[2], creds->groups, creds->ngroups) &&
> Getting groups on dump from proc file is not right. First of all, proc shows
> only first 32 groups. And to address that, we get groups out of parasite code,
> so they are ready some time during the dump.
Oh, I didn't know that.
Will use getgrouplist.
Thanks.
>> check_caps(creds->cap_inh, creds->cap_eff, creds->cap_prm);
>> }
>>
>> bool may_restore(CredsEntry *creds)
>> {
>> return check_ids(cr_uid, creds->uid, creds->euid, creds->suid) &&
>> - check_ids(cr_gid, creds->gid, creds->egid, creds->sgid) &&
>> + check_gids(creds->gid, creds->egid, creds->sgid, creds->groups, creds->n_groups) &&
>> check_caps(creds->cap_inh, creds->cap_eff, creds->cap_prm);
>> }
>>
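Review bot: the two new check_gids() calls in may_dump() and may_restore() have no documented contract, and the hunk leaves it unclear what the function requires of the group list it is given. may_dump() passes creds->groups with creds->ngroups from struct proc_status_creds, while may_restore() passes creds->groups with creds->n_groups from CredsEntry, so the same check runs over lists from two different sources. Please add a comment above check_gids() stating whether each of the three gids and every supplementary group must be covered, and how an empty list (count of 0) is handled. Unlike check_ids(cr_uid, ...), the call no longer takes cr_gid, so the comment should also say where the caller's own groups come from.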