[Devel] [PATCH 3/5] pid: use namespaced iteration on processes while setting capability

Gowrishankar M gowrishankar.m at linux.vnet.ibm.com
Thu Dec 18 08:42:31 PST 2008


From: Gowrishankar M <gomuthuk at linux.vnet.ibm.com>

In a piece of dead code, cap_set_all() propagates through processes outside
the PID namespace, as iteration is always in the init PID namespace.

The patch below adjusts the macro controller to use do_each_thread_in_ns() so
that only processes in the current namespace are scanned.

Signed-off-by: Gowrishankar M <gowrishankar.m at linux.vnet.ibm.com>
---
 kernel/capability.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/kernel/capability.c b/kernel/capability.c
index 33e51e7..e3e3765 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -201,7 +201,7 @@ static inline int cap_set_all(kernel_cap_t *effective,
 	spin_lock(&task_capability_lock);
 	read_lock(&tasklist_lock);
 
-	do_each_thread(g, target) {
+	do_each_thread_in_ns(g, target, current->nsproxy->pid_ns) {
 		if (target == current
 		    || is_container_init(target->group_leader))
 			continue;
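Review bot: The loop opener on the changed line is swapped to do_each_thread_in_ns(), but the diffstat shows only one line touched, so the existing closer further down (outside this hunk) stays as it is. Please confirm the new macro is defined to pair with that unchanged closer, and say so in the commit message, since a mismatched opener and closer would either fail to build or walk the wrong list. On the same line, `current->nsproxy->pid_ns` dereferences nsproxy directly; task_active_pid_ns(current) is the usual accessor for the caller's PID namespace and avoids depending on the nsproxy layout. The commit message also calls this dead code, so it is worth stating why the function is being patched rather than removed.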
-- 
1.5.5.1
