[Devel] [RFC] [PATCH 4/8] user namespace: enforce CAP_NS_OVERRIDE for cross-namespace kill
Serge E. Hallyn
serue at us.ibm.com
Fri Dec 7 11:14:26 PST 2007
>From 62e6efe435a24f430e28f2398f374cef197b4964 Mon Sep 17 00:00:00 2001
From: sergeh at us.ibm.com <sergeh at us.ibm.com>
Date: Thu, 29 Nov 2007 08:18:16 -0800
Subject: [RFC] [PATCH 4/8] user namespace: enforce CAP_NS_OVERRIDE for cross-namespace kill
Require CAP_NS_OVERRIDE to 'kill' across user namespaces.
Signed-off-by: Serge Hallyn <serue at us.ibm.com>
---
kernel/signal.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/kernel/signal.c b/kernel/signal.c
index 787521e..a06dcc2 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -534,6 +534,11 @@ static int check_kill_permission(int sig, struct siginfo *info,
error = audit_signal_info(sig, t); /* Let audit system see the signal */
if (error)
return error;
+
+ if (current->nsproxy->user_ns != t->nsproxy->user_ns
+ && !(capable(CAP_KILL) && capable(CAP_NS_OVERRIDE)))
+ return -EPERM;
+
error = -EPERM;
if (((sig != SIGCONT) ||
(task_session_nr(current) != task_session_nr(t)))
--
1.5.1
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
More information about the Devel
mailing list