[Devel] [PATCH 4/4] pid: Limit cap_set_all to the current pid namespace
Eric W. Biederman
ebiederm at xmission.com
Wed Dec 12 05:56:14 PST 2007
Use find_ge_pid in cap_set_all we only consider tasks in the current
pid namespace.
This doesn't walk the task_list so on a good day in a
pid namespace it should be more scalable, more importantly
this is the same idiom used in proc and kill_pid_ns_info so it
should be reasonably maintainable.
Signed-off-by: Eric W. Biederman <ebiederm at xmission.com>
---
kernel/capability.c | 15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/kernel/capability.c b/kernel/capability.c
index 652a2c5..a11bb24 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -198,12 +198,19 @@ static inline int cap_set_all(kernel_cap_t *effective,
kernel_cap_t *inheritable,
kernel_cap_t *permitted)
{
- struct task_struct *g, *target;
+ struct pid_namespace *ns = task_active_pid_ns(current);
+ struct task_struct *target;
int ret = -EPERM;
int found = 0;
+ struct pid *pid;
+ int nr;
- do_each_thread(g, target) {
- if (target == current || is_container_init(target->group_leader))
+ nr = 0;
+ while ((pid = find_ge_pid(nr + 1, ns))) {
+ nr = pid_nr_ns(pid, ns);
+ target = pid_task(pid, PIDTYPE_PID);
+
+ if (target == current || task_tgid(target) == ns->child_reaper)
continue;
found = 1;
if (security_capset_check(target, effective, inheritable,
@@ -211,7 +218,7 @@ static inline int cap_set_all(kernel_cap_t *effective,
continue;
ret = 0;
security_capset_set(target, effective, inheritable, permitted);
- } while_each_thread(g, target);
+ }
if (!found)
ret = 0;
--
1.5.3.rc6.17.g1911
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
More information about the Devel
mailing list