git.baikalelectronics.ru Git - kernel.git/commit

author	Serge E. Hallyn <serge@hallyn.com>
	Wed, 23 Mar 2011 23:43:20 +0000 (16:43 -0700)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Thu, 24 Mar 2011 02:47:05 +0000 (19:47 -0700)
commit	19ed6d76e591f3b22a8377226bcbfb26bb1ef482
tree	d9f1ced0d47070fcdf8b399021f33770c150b1ec	tree \| snapshot
parent	97bdad003471eeacb3abd2cebc51e65bbacd8b14	commit \| diff

userns: allow ptrace from non-init user namespaces

ptrace is allowed to tasks in the same user namespace according to the
usual rules (i.e.  the same rules as for two tasks in the init user
namespace).  ptrace is also allowed to a user namespace to which the
current task the has CAP_SYS_PTRACE capability.

Changelog:
Dec 31: Address feedback by Eric:
. Correct ptrace uid check
. Rename may_ptrace_ns to ptrace_capable
. Also fix the cap_ptrace checks.
Jan  1: Use const cred struct
Jan 11: use task_ns_capable() in place of ptrace_capable().
Feb 23: same_or_ancestore_user_ns() was not an appropriate
check to constrain cap_issubset.  Rather, cap_issubset()
only is meaningful when both capsets are in the same
user_ns.

Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: David Howells <dhowells@redhat.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

include/linux/capability.h		diff \| blob \| history
kernel/ptrace.c		diff \| blob \| history
security/commoncap.c		diff \| blob \| history