From: "Serge E. Hallyn"
Subject: Re: [PATCH 6/8] scm: Capture the full credentials of the scm sender.
Date: Tue, 15 Jun 2010 23:47:19 -0500
Message-ID: <20100616044719.GA23863@hallyn.com>
References: <20100615214541.GA22570@hallyn.com>
To: "Eric W. Biederman"
Cc: David Miller, Linux Containers, Serge Hallyn, Pavel Emelyanov, netdev@vger.kernel.org

Quoting Eric W. Biederman (ebiederm@xmission.com):
> "Serge E. Hallyn" writes:
> > I think this hunk needs to be documented.  I.e. given that scm_send()
> > will call scm_set_cred() before calling __scm_send, I don't see how
> > these conditions could happen?  If the condition can legitimately
> > happen, then given all of the pid_t vs struct pid and 'cred' vs. 'creds'
> > in these two hunks, I think a comment over each would be nice.
>
> I think if you have the full context of __scm_send it becomes pretty obvious.
>
> 		case SCM_CREDENTIALS:
> 			if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
> 				goto error;
> 			memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
> 			err = scm_check_creds(&p->creds);
> 			if (err)
> 				goto error;
>
> At this point we have just copied ucred from userspace.  We have done
> scm_check_creds to ensure we allow the user to send the pid, uid, and
> gid they have passed in.
>
> These tests catch the case where the user is legitimately sending
> something other than their own credentials.

Of course.  Sorry.  And I even had the context in the window next to the
email...

So finally,

Acked-by: Serge E. Hallyn

to the set, and I'm looking forward to this being in.  And it should solve
the nuisance of containers without private netns rebooting their hosts when
both use upstart.

thanks,
-serge