* [v2 0/2] test capability for remote task
@ 2017-01-12 8:52 Jike Song
2017-01-12 8:52 ` [v2 1/2] capability: export has_capability Jike Song
2017-01-12 8:52 ` [v2 2/2] vfio iommu type1: fix the testing of capability for remote task Jike Song
0 siblings, 2 replies; 6+ messages in thread
From: Jike Song @ 2017-01-12 8:52 UTC (permalink / raw)
To: alex.williamson, serge
Cc: kwankhede, kraxel, linux-security-module, kvm, linux-kernel, Jike Song
Sometimes vfio iommu type1 needs to pin memory for a remote task other
than current, thereby needs to test the CAP_IPC_LOCK capability for
that task.
The proper routine for this purpose is has_capability(), but it is
not yet exported for modules. None of the currently exported
capability-testing symbols allows a specified task. So here in this series
has_capability() is exported then used in the vfio iommu type1 driver.
v2: -> Add Serge's Acked-by to PATCH [1/2]
-> Remove the change in vfio_pin_pages_remote, since it's now guaranteed the 'current' process
Hi Alex,
I kept EXPORT_SYMBOL rather than EXPORT_SYMBOL_GPL, since I'm still
worried about changing the type of existing exports in 'capability.c'.
I'm new to open source and afraid of violating the GPL :)
Jike Song (2):
capability: export has_capability
vfio iommu type1: fix the testing of capability for remote task
drivers/vfio/vfio_iommu_type1.c | 3 +--
kernel/capability.c | 1 +
2 files changed, 2 insertions(+), 2 deletions(-)
--
1.9.3
* [v2 1/2] capability: export has_capability
2017-01-12 8:52 [v2 0/2] test capability for remote task Jike Song
@ 2017-01-12 8:52 ` Jike Song
2017-01-12 22:22 ` James Morris
2017-01-12 8:52 ` [v2 2/2] vfio iommu type1: fix the testing of capability for remote task Jike Song
1 sibling, 1 reply; 6+ messages in thread
From: Jike Song @ 2017-01-12 8:52 UTC (permalink / raw)
To: alex.williamson, serge
Cc: kwankhede, kraxel, linux-security-module, kvm, linux-kernel, Jike Song
has_capability() is sometimes needed by modules to test capability
for specified task other than current, so export it.
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Kirti Wankhede <kwankhede@nvidia.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Jike Song <jike.song@intel.com>
---
kernel/capability.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/capability.c b/kernel/capability.c
index a98e814..f97fe77 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -318,6 +318,7 @@ bool has_capability(struct task_struct *t, int cap)
{
return has_ns_capability(t, &init_user_ns, cap);
}
+EXPORT_SYMBOL(has_capability);
/**
* has_ns_capability_noaudit - Does a task have a capability (unaudited)
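Review bot: the added EXPORT_SYMBOL(has_capability) line makes a helper that takes an arbitrary struct task_struct *t callable from modules, but nothing in the hunk tells a module author what must hold for t. Suggest extending the function's kerneldoc to state that the caller must hold a reference on the task across the call. The cover letter also leaves EXPORT_SYMBOL versus EXPORT_SYMBOL_GPL as an open worry; the commit message should record which was chosen and why, so the question is settled in the log rather than in the thread.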
--
1.9.3
* [v2 2/2] vfio iommu type1: fix the testing of capability for remote task
2017-01-12 8:52 [v2 0/2] test capability for remote task Jike Song
2017-01-12 8:52 ` [v2 1/2] capability: export has_capability Jike Song
@ 2017-01-12 8:52 ` Jike Song
2017-01-12 22:22 ` James Morris
1 sibling, 1 reply; 6+ messages in thread
From: Jike Song @ 2017-01-12 8:52 UTC (permalink / raw)
To: alex.williamson, serge
Cc: kwankhede, kraxel, linux-security-module, kvm, linux-kernel, Jike Song
Before the mdev enhancement type1 iommu used capable() to test the
capability of current task; in the course of mdev development a
new requirement, testing for another task other than current, was
raised. ns_capable() was used for this purpose, however it still
tests current, the only difference is, in a specified namespace.
Fix it by using has_capability() instead, which tests the cap for
specified task in init_user_ns, the same namespace as capable().
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Kirti Wankhede <kwankhede@nvidia.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jike Song <jike.song@intel.com>
---
drivers/vfio/vfio_iommu_type1.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 9266271..77373e5 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -495,8 +495,7 @@ static int vfio_pin_page_external(struct vfio_dma *dma, unsigned long vaddr,
unsigned long *pfn_base, bool do_accounting)
{
unsigned long limit;
- bool lock_cap = ns_capable(task_active_pid_ns(dma->task)->user_ns,
- CAP_IPC_LOCK);
+ bool lock_cap = has_capability(dma->task, CAP_IPC_LOCK);
struct mm_struct *mm;
int ret;
bool rsvd;
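Review bot: the replacement line "bool lock_cap = has_capability(dma->task, CAP_IPC_LOCK);" changes two things at once, the task being tested and the user namespace it is tested in. The removed call passed task_active_pid_ns(dma->task)->user_ns, while the commit message says has_capability() tests in init_user_ns, so a task that holds CAP_IPC_LOCK only in a non-initial user namespace no longer gets lock_cap. The commit message covers this, but a one-line comment above the assignment saying the init_user_ns check is deliberate (it matches the original capable() behaviour) would keep a later cleanup from reintroducing a namespace argument.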
--
1.9.3
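The distinction drawn in the commit message above, as an added example that is not part of the patch or of the kernel source: a user-space C model in which ns_capable() always tests the current task and has_capability() tests the task passed in. The task names, the child_ns namespace and the simplified cred_capable() walk are assumptions made for illustration.

```c
/* Added example: user-space model of the kernel checks, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CAP_IPC_LOCK 14

struct user_ns { struct user_ns *parent; int owner; };
struct task { const char *comm; struct user_ns *ns; int euid; unsigned long long eff; };

static struct user_ns init_user_ns = { NULL, 0 };
static struct user_ns child_ns = { &init_user_ns, 1000 };   /* constructed */

/* Constructed tasks: a privileged caller and two possible dma->task values. */
static struct task caller   = { "vendor-drv", &init_user_ns, 0,    1ULL << CAP_IPC_LOCK };
static struct task plain    = { "qemu",       &init_user_ns, 1000, 0 };
static struct task in_child = { "qemu-ns",    &child_ns,     0,    ~0ULL };
static struct task *current_task = &caller;   /* models the kernel's `current` */

/* Simplified cap_capable(): walk from the target namespace towards the root. */
static bool cred_capable(const struct task *t, const struct user_ns *ns, int cap)
{
    for (; ns; ns = ns->parent) {
        if (ns == t->ns)
            return (t->eff >> cap) & 1;
        if (ns->parent == t->ns && ns->owner == t->euid)
            return true;   /* owner of a child namespace holds all caps in it */
    }
    return false;
}

/* The subject is always current; only the namespace is a parameter. */
static bool ns_capable(struct user_ns *ns, int cap) { return cred_capable(current_task, ns, cap); }
/* The subject is the task passed in; the namespace is fixed to init_user_ns. */
static bool has_capability(struct task *t, int cap) { return cred_capable(t, &init_user_ns, cap); }

/* t->ns stands in for task_active_pid_ns(dma->task)->user_ns in the old code. */
static bool old_check(struct task *t) { return ns_capable(t->ns, CAP_IPC_LOCK); }
static bool new_check(struct task *t) { return has_capability(t, CAP_IPC_LOCK); }

int main(void)
{
    struct task *targets[] = { &plain, &in_child, &caller };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s old=%d new=%d\n", targets[i]->comm,
               old_check(targets[i]), new_check(targets[i]));
    return 0;
}
```

In this model the old check grants lock_cap to both unprivileged targets because the privileged caller is the one being tested; the new check grants it only to a task that itself holds CAP_IPC_LOCK in init_user_ns.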
* Re: [v2 1/2] capability: export has_capability
2017-01-12 8:52 ` [v2 1/2] capability: export has_capability Jike Song
@ 2017-01-12 22:22 ` James Morris
0 siblings, 0 replies; 6+ messages in thread
From: James Morris @ 2017-01-12 22:22 UTC (permalink / raw)
To: Jike Song
Cc: alex.williamson, serge, kwankhede, kraxel, linux-security-module,
kvm, linux-kernel
On Thu, 12 Jan 2017, Jike Song wrote:
> has_capability() is sometimes needed by modules to test capability
> for specified task other than current, so export it.
>
> Cc: Alex Williamson <alex.williamson@redhat.com>
> Cc: Kirti Wankhede <kwankhede@nvidia.com>
> Acked-by: Serge Hallyn <serge@hallyn.com>
> Signed-off-by: Jike Song <jike.song@intel.com>
Acked-by: James Morris <james.l.morris@oracle.com>
> ---
> kernel/capability.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/kernel/capability.c b/kernel/capability.c
> index a98e814..f97fe77 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -318,6 +318,7 @@ bool has_capability(struct task_struct *t, int cap)
> {
> return has_ns_capability(t, &init_user_ns, cap);
> }
> +EXPORT_SYMBOL(has_capability);
>
> /**
> * has_ns_capability_noaudit - Does a task have a capability (unaudited)
>
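Review bot: at the "+EXPORT_SYMBOL(has_capability);" line only this variant is exported, while the context just below it shows a sibling documented as "(unaudited)", has_ns_capability_noaudit. The commit message should say that exporting this variant and not the unaudited one is intentional, so module authors who only want to probe a task's privileges know that the choice was considered.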
--
James Morris
<jmorris@namei.org>
* Re: [v2 2/2] vfio iommu type1: fix the testing of capability for remote task
2017-01-12 8:52 ` [v2 2/2] vfio iommu type1: fix the testing of capability for remote task Jike Song
@ 2017-01-12 22:22 ` James Morris
2017-01-13 6:52 ` Kirti Wankhede
0 siblings, 1 reply; 6+ messages in thread
From: James Morris @ 2017-01-12 22:22 UTC (permalink / raw)
To: Jike Song
Cc: alex.williamson, serge, kwankhede, kraxel, linux-security-module,
kvm, linux-kernel
On Thu, 12 Jan 2017, Jike Song wrote:
> Before the mdev enhancement type1 iommu used capable() to test the
> capability of current task; in the course of mdev development a
> new requirement, testing for another task other than current, was
> raised. ns_capable() was used for this purpose, however it still
> tests current, the only difference is, in a specified namespace.
>
> Fix it by using has_capability() instead, which tests the cap for
> specified task in init_user_ns, the same namespace as capable().
>
> Cc: Alex Williamson <alex.williamson@redhat.com>
> Cc: Kirti Wankhede <kwankhede@nvidia.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Jike Song <jike.song@intel.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
> ---
> drivers/vfio/vfio_iommu_type1.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index 9266271..77373e5 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -495,8 +495,7 @@ static int vfio_pin_page_external(struct vfio_dma *dma, unsigned long vaddr,
> unsigned long *pfn_base, bool do_accounting)
> {
> unsigned long limit;
> - bool lock_cap = ns_capable(task_active_pid_ns(dma->task)->user_ns,
> - CAP_IPC_LOCK);
> + bool lock_cap = has_capability(dma->task, CAP_IPC_LOCK);
> struct mm_struct *mm;
> int ret;
> bool rsvd;
>
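Review bot: "has_capability(dma->task, CAP_IPC_LOCK)" reads the credentials of a task that is not current, and nothing in this hunk shows that dma->task is still referenced when vfio_pin_page_external() runs. Please say in the commit message where the reference on dma->task is taken and dropped, or add a short comment at the assignment, so the lifetime assumption behind the new call is visible to the next reader.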
--
James Morris
<jmorris@namei.org>
* Re: [v2 2/2] vfio iommu type1: fix the testing of capability for remote task
2017-01-12 22:22 ` James Morris
@ 2017-01-13 6:52 ` Kirti Wankhede
0 siblings, 0 replies; 6+ messages in thread
From: Kirti Wankhede @ 2017-01-13 6:52 UTC (permalink / raw)
To: James Morris, Jike Song
Cc: alex.williamson, serge, kraxel, linux-security-module, kvm, linux-kernel
Looks good to me
Reviewed by: Kirti Wankhede <kwankhede@nvidia.com>
On 1/13/2017 3:52 AM, James Morris wrote:
> On Thu, 12 Jan 2017, Jike Song wrote:
>
>> Before the mdev enhancement type1 iommu used capable() to test the
>> capability of current task; in the course of mdev development a
>> new requirement, testing for another task other than current, was
>> raised. ns_capable() was used for this purpose, however it still
>> tests current, the only difference is, in a specified namespace.
>>
>> Fix it by using has_capability() instead, which tests the cap for
>> specified task in init_user_ns, the same namespace as capable().
>>
>> Cc: Alex Williamson <alex.williamson@redhat.com>
>> Cc: Kirti Wankhede <kwankhede@nvidia.com>
>> Cc: Gerd Hoffmann <kraxel@redhat.com>
>> Signed-off-by: Jike Song <jike.song@intel.com>
>
>
> Reviewed-by: James Morris <james.l.morris@oracle.com>
>
>> ---
>> drivers/vfio/vfio_iommu_type1.c | 3 +--
>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
>> index 9266271..77373e5 100644
>> --- a/drivers/vfio/vfio_iommu_type1.c
>> +++ b/drivers/vfio/vfio_iommu_type1.c
>> @@ -495,8 +495,7 @@ static int vfio_pin_page_external(struct vfio_dma *dma, unsigned long vaddr,
>> unsigned long *pfn_base, bool do_accounting)
>> {
>> unsigned long limit;
>> - bool lock_cap = ns_capable(task_active_pid_ns(dma->task)->user_ns,
>> - CAP_IPC_LOCK);
>> + bool lock_cap = has_capability(dma->task, CAP_IPC_LOCK);
>> struct mm_struct *mm;
>> int ret;
>> bool rsvd;
>>
>
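Review bot: lock_cap is still initialised in the declaration block, so the capability test runs on every call to vfio_pin_page_external(), including calls made with do_accounting false. The uses of lock_cap are outside this hunk; if it is only consulted when accounting is on, move the has_capability() call next to that use so the check is not evaluated when its result is discarded.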