[CRIU] [PATCH] security: check additional groups,v4
Pavel Emelyanov
xemul at parallels.com
Wed Jul 9 07:32:23 PDT 2014
On 07/09/2014 06:28 PM, Ruslan Kuprieiev wrote:
>>>> +static bool check_gids(unsigned int rid, unsigned int eid, unsigned int sid)
>>>> +{
>>>> + if (cr_gid == 0)
>>>> + return true;
>>>> +
>>>> + if (!(contains(cr_groups, cr_ngroups, rid) &&
>>>> + contains(cr_groups, cr_ngroups, eid) &&
>>>> + contains(cr_groups, cr_ngroups, sid))) {
>> I still worry about cr_gid is not checked against rid, eid and sid. Are
>> you 100% sure that cr_groups will include one? Can we put the check here
>> for it being true?
>
> Well, non-root cant get gid of group, that he is not present in.
> getgrouplist reads /etc/group and gets _all_ groups of the user.
> So, i'm quite sure.
> Stiil, I can excessively check cr_gid agains rid, eid and sid and
> set BUG_ON() if something wrong.
> Ok?
Good.
More information about the CRIU
mailing list