[Devel,7/6] proc connector: user containers initial user namespace

Submitted by Stanislav Kinsburskiy on Aug. 15, 2017, 12:56 p.m.


Message ID 20170815125024.8317.85199.stgit@localhost.localdomain
State New
Series "proc connector: containerize on per-net basis"

Commit Message

Stanislav Kinsburskiy Aug. 15, 2017, 12:56 p.m.
Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
---
 drivers/connector/cn_proc.c |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)


diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
index c5bd47b..10a3e3e 100644
--- a/drivers/connector/cn_proc.c
+++ b/drivers/connector/cn_proc.c
@@ -159,6 +159,14 @@  void proc_exec_connector(struct task_struct *task)
 	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
 }
 
+static struct user_namespace *task_user(struct task_struct *task)
+{
+	struct cred *init_cred;
+
+	init_cred = task->task_ve->init_cred;
+	return init_cred ? init_cred->user_ns : &init_user_ns;
+}
+
 void proc_id_connector(struct task_struct *task, int which_id)
 {
 	struct cn_msg *msg;
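Review bot: The new `task_user()` helper dereferences `task->task_ve->init_cred` with no check that `task_ve` is set, and declares `init_cred` as a non-const `struct cred *` although it only reads through it; `const struct cred *init_cred = task->task_ve->init_cred;` would match the `const struct cred *cred` that proc_id_connector already uses. It also returns a bare `struct user_namespace *` with no reference taken and no lock held, so the caller depends on the VE's init credentials (and their user_ns) staying alive for the duration of the event; whether that is guaranteed is not visible in this patch. A short header comment stating the contract would help, e.g. `/* User namespace of the task's VE init credentials, or init_user_ns when the VE has none. Takes no reference; task_ve must stay valid while the result is used. */`.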
@@ -167,6 +175,7 @@  void proc_id_connector(struct task_struct *task, int which_id)
 	struct timespec ts;
 	const struct cred *cred;
 	struct net *net = task_net(task);
+	struct user_namespace *user_ns = task_user(task);
 
 	if (get_listeners(net) < 1)
 		return;
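Review bot: `task_user(task)` is evaluated in the declaration on the line after `task_net(task)`, so the VE credential lookup runs even when `get_listeners(net) < 1` returns early two lines later. Declaring `struct user_namespace *user_ns;` with the other locals and assigning it after the listener check keeps the early-return path free of the extra dereference and makes the lookup's placement relative to the later `rcu_read_lock()` explicit. The rest of proc_id_connector lies outside this hunk.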
@@ -180,11 +189,11 @@  void proc_id_connector(struct task_struct *task, int which_id)
 	rcu_read_lock();
 	cred = __task_cred(task);
 	if (which_id == PROC_EVENT_UID) {
-		ev->event_data.id.r.ruid = from_kuid_munged(&init_user_ns, cred->uid);
-		ev->event_data.id.e.euid = from_kuid_munged(&init_user_ns, cred->euid);
+		ev->event_data.id.r.ruid = from_kuid_munged(user_ns, cred->uid);
+		ev->event_data.id.e.euid = from_kuid_munged(user_ns, cred->euid);
 	} else if (which_id == PROC_EVENT_GID) {
-		ev->event_data.id.r.rgid = from_kgid_munged(&init_user_ns, cred->gid);
-		ev->event_data.id.e.egid = from_kgid_munged(&init_user_ns, cred->egid);
+		ev->event_data.id.r.rgid = from_kgid_munged(user_ns, cred->gid);
+		ev->event_data.id.e.egid = from_kgid_munged(user_ns, cred->egid);
 	} else {
 		rcu_read_unlock();
 		return;

Comments

Andrey Ryabinin Aug. 15, 2017, 1:55 p.m.
On 08/15/2017 03:56 PM, Stanislav Kinsburskiy wrote:
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
> ---
>  drivers/connector/cn_proc.c |   17 +++++++++++++----
>  1 file changed, 13 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
> index c5bd47b..10a3e3e 100644
> --- a/drivers/connector/cn_proc.c
> +++ b/drivers/connector/cn_proc.c
> @@ -159,6 +159,14 @@ void proc_exec_connector(struct task_struct *task)
>  	cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
>  }
>  
> +static struct user_namespace *task_user(struct task_struct *task)
> +{
> +	struct cred *init_cred;
> +
> +	init_cred = task->task_ve->init_cred;
> +	return init_cred ? init_cred->user_ns : &init_user_ns;
> +}
> +
>  void proc_id_connector(struct task_struct *task, int which_id)
>  {
>  	struct cn_msg *msg;
> @@ -167,6 +175,7 @@ void proc_id_connector(struct task_struct *task, int which_id)
>  	struct timespec ts;
>  	const struct cred *cred;
>  	struct net *net = task_net(task);
> +	struct user_namespace *user_ns = task_user(task);
>  
>  	if (get_listeners(net) < 1)
>  		return;
> @@ -180,11 +189,11 @@ void proc_id_connector(struct task_struct *task, int which_id)
>  	rcu_read_lock();
>  	cred = __task_cred(task);
>  	if (which_id == PROC_EVENT_UID) {
> -		ev->event_data.id.r.ruid = from_kuid_munged(&init_user_ns, cred->uid);
> -		ev->event_data.id.e.euid = from_kuid_munged(&init_user_ns, cred->euid);
> +		ev->event_data.id.r.ruid = from_kuid_munged(user_ns, cred->uid);
> +		ev->event_data.id.e.euid = from_kuid_munged(user_ns, cred->euid);

user_ns has to be ns of the listener, not the task itself. And as mentioned before you'll need to craft
similar messages for all listeners.

>  	} else if (which_id == PROC_EVENT_GID) {
> -		ev->event_data.id.r.rgid = from_kgid_munged(&init_user_ns, cred->gid);
> -		ev->event_data.id.e.egid = from_kgid_munged(&init_user_ns, cred->egid);
> +		ev->event_data.id.r.rgid = from_kgid_munged(user_ns, cred->gid);
> +		ev->event_data.id.e.egid = from_kgid_munged(user_ns, cred->egid);
>  	} else {
>  		rcu_read_unlock();
>  		return;
>