[CRIU] [PATCH] security: check additional groups,v4

Pavel Emelyanov xemul at parallels.com
Wed Jul 9 07:32:23 PDT 2014


On 07/09/2014 06:28 PM, Ruslan Kuprieiev wrote:

>>>> +static bool check_gids(unsigned int rid, unsigned int eid, unsigned int sid)
>>>> +{
>>>> +	if (cr_gid == 0)
>>>> +		return true;
>>>> +
>>>> +	if (!(contains(cr_groups, cr_ngroups, rid) &&
>>>> +	    contains(cr_groups, cr_ngroups, eid)  &&
>>>> +	    contains(cr_groups, cr_ngroups, sid))) {
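Review bot: The membership test on rid, eid and sid consults only cr_groups, so the function is correct only if cr_groups always contains cr_gid, and nothing in the visible lines establishes that. Either compare each id against cr_gid explicitly in addition to the contains() calls, or add a comment above check_gids() stating where cr_groups is populated and that the primary group is guaranteed to be in it. The `if (cr_gid == 0) return true;` shortcut also deserves a one-line comment saying why a primary gid of 0 is enough to skip every group check.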
>> I still worry that cr_gid is not checked against rid, eid and sid. Are
>> you 100% sure that cr_groups will include one? Can we put the check here
>> for it being true?
> 
> Well, non-root can't get the gid of a group that he is not present in.
> getgrouplist reads /etc/group and gets _all_ groups of the user.
> So, I'm quite sure.
> Still, I can excessively check cr_gid against rid, eid and sid and
> set BUG_ON() if something is wrong.
> Ok?

Good.


