[CRIU] [PATCH] security: check_ids - return true if [se]?[ug]id is the same as task id
Ruslan Kuprieiev
kupruser at gmail.com
Mon May 19 07:17:44 PDT 2014
On 17.05.2014 12:00, Andrew Vagin wrote:
> On Fri, May 16, 2014 at 05:54:55PM +0300, Ruslan Kuprieiev wrote:
>> Currently there are typos in check_ids, so one can't pass this check,
>> unless (u/g)id == e(g/u)id == s(g/u)id == task_(g/u)id.
OMG, I mixed task and caller id's in this description!
>> Signed-off-by: Ruslan Kuprieiev <kupruser at gmail.com>
>> ---
>> security.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/security.c b/security.c
>> index d4b4230..dc90208 100644
>> --- a/security.c
>> +++ b/security.c
>> @@ -28,7 +28,7 @@ static bool check_ids(unsigned int crid, unsigned int rid,
>> unsigned int eid, uns
>> {
>> if (crid == 0)
>> return true;
>> - if (crid == rid && crid == eid && crid == sid)
>> + if (crid == rid || crid == eid || crid == sid)
> I have thought a bit more and now I am not sure about this. Could you explain why this is correct?
Hm... Yes, you are right. Well, crid == rid || crid == sid we get from the
statement, that we should be able to dump task, if we can kill it.
And crid == eid looks wrong.
>> return true;
>>
>> pr_err("UID/GID mismatch %u != (%u,%u,%u)\n", crid, rid, eid, sid);
>> --
>> 1.8.1.2
>>
>> _______________________________________________
>> CRIU mailing list
>> CRIU at openvz.org
>> https://lists.openvz.org/mailman/listinfo/criu
--
Signed-off-by: Ruslan Kuprieiev kupruser at gmail.com
More information about the CRIU
mailing list