Message ID | 201705161302.v4GD2pPv021109@finist_cl7.x64_64.work.ct |
---|---|
State | New |
Series | "prctl: Allow local CAP_SYS_ADMIN changing exe_file" |
Date | Tue, 16 May 2017 17:02:51 +0400 |
From | Konstantin Khorenko <khorenko@virtuozzo.com> |
To | Kirill Tkhai <ktkhai@virtuozzo.com> |
Cc | OpenVZ devel <devel@openvz.org> |
In-Reply-To | <149460677394.12666.5846700084460689681.stgit@localhost.localdomain> |
Subject | [Devel] [PATCH RHEL7 COMMIT] ms/prctl: Allow local CAP_SYS_ADMIN changing exe_file |
diff --git a/kernel/sys.c b/kernel/sys.c index be563d9..9a681ae 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2183,15 +2183,11 @@ static int validate_prctl_map(struct prctl_mm_map *prctl_map) /* * Finally, make sure the caller has the rights to - * change /proc/pid/exe link: only local root should + * change /proc/pid/exe link: only local sys admin should * be allowed to. */ if (prctl_map->exe_fd != (u32)-1) { - struct user_namespace *ns = current_user_ns(); - const struct cred *cred = current_cred(); - - if (!uid_eq(cred->uid, make_kuid(ns, 0)) || - !gid_eq(cred->gid, make_kgid(ns, 0))) + if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN)) goto out; }
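
Review bot: In the `exe_fd != (u32)-1` branch of validate_prctl_map(), the new test `ns_capable(current_user_ns(), CAP_SYS_ADMIN)` is evaluated against the caller's own user namespace, so it is satisfied by a task that holds CAP_SYS_ADMIN only inside a namespace it created itself. The updated comment's "local sys admin" should say that explicitly, for example "CAP_SYS_ADMIN in the caller's user namespace", so readers do not take it for a host-level privilege check and do not treat the /proc/pid/exe link as an identity guarantee. The hunk also removes the gid 0 requirement together with the uid 0 one; the commit message should state why the capability alone is considered sufficient. The error returned at `out` is not visible in this hunk, so it is worth confirming that the failure path still reports a permission error.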