[Devel] prctl: reduce requirements to exe link change

Submitted by Stanislav Kinsburskiy on July 4, 2017, 3:03 p.m.

Details

Message ID 20170704150332.24820.61109.stgit@localhost.localdomain
State New
Series "prctl: reduce requirements to exe link change"
Headers show

Commit Message

Stanislav Kinsburskiy July 4, 2017, 3:03 p.m.
Do not request for CAP_SYS_RESOURCE anymore to change exe link.
This is needed to allow spfs manager to change it in unprivileged process.
In case of CRIU this restriction wasn't a problem, since CRIU is a priviledged
process and drops capabilities _after_ exe link change.
But then spfs manager is not able to do the same thing for unpriviledged
process.
We are not going to push NFS to upstream anymore. And thus can relax
requirements in our kernel.
Note: this limitation is somewhat strange, because exe link can be changed
upon execve system call.

https://jira.sw.ru/browse/PSBM-50867

Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
---
 kernel/sys.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Patch hide | download patch | download mbox

diff --git a/kernel/sys.c b/kernel/sys.c
index 9a681ae..f8f1dd9 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2329,12 +2329,12 @@  static int prctl_set_mm(int opt, unsigned long addr,
 		return prctl_set_mm_map(opt, (const void __user *)addr, arg4);
 #endif
 
-	if (!ve_capable(CAP_SYS_RESOURCE))
-		return -EPERM;
-
 	if (opt == PR_SET_MM_EXE_FILE)
 		return prctl_set_mm_exe_file(mm, (unsigned int)addr);
 
+	if (!ve_capable(CAP_SYS_RESOURCE))
+		return -EPERM;
+
 	if (opt == PR_SET_MM_AUXV)
 		return prctl_set_auxv(mm, addr, arg4);