
sysctl: Pass useful parameters to sysctl permissions

- Current is implicitly available so passing current->nsproxy isn't useful.
- The ctl_table_header is needed to find how the sysctl table is connected
to the rest of sysctl.
- ctl_table_root is available in the ctl_table_header so no need to pass it.

With these changes it becomes possible to write a version of
net_sysctl_permission that takes into account the network namespace of
the sysctl table, an important feature in extending the user namespace.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Eric W. Biederman and committed by
David S. Miller
73f7ef43 d328b836

+7 -8
+5 -4
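--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -378,12 +378,13 @@
 return -EACCES;
 }
 
-static int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
+static int sysctl_perm(struct ctl_table_header *head, struct ctl_table *table, int op)
 {
+struct ctl_table_root *root = head->root;
 int mode;
 
 if (root->permissions)
-mode = root->permissions(root, current->nsproxy, table);
+mode = root->permissions(head, table);
 else
 mode = table->mode;
 
@@ -492,7 +491,7 @@
 * and won't be until we finish.
 */
 error = -EPERM;
-if (sysctl_perm(head->root, table, write ? MAY_WRITE : MAY_READ))
+if (sysctl_perm(head, table, write ? MAY_WRITE : MAY_READ))
 goto out;
 
 /* if that can happen at all, it should be -EINVAL, not -EISDIR */
@@ -718,7 +717,7 @@
 if (!table) /* global root - r-xr-xr-x */
 error = mask & MAY_WRITE ? -EACCES : 0;
 else /* Use the permissions on the sysctl table entry */
-error = sysctl_perm(head->root, table, mask & ~MAY_NOT_BLOCK);
+error = sysctl_perm(head, table, mask & ~MAY_NOT_BLOCK);
 
 sysctl_head_finish(head);
 return error;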
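Review bot: sysctl_perm now trusts that `head` and `table` belong together — it takes the root from `head->root` and hands `head` to the permissions hook, but nothing ties `table` to that header, so a table from another hierarchy would have its access decided against the wrong root (and, once the hook is namespace-aware as the description intends, the wrong namespace). Both callers in this hunk pass the `head` the `table` was looked up through, so this is a contract rather than a live defect, but it deserves a comment above the function: `/* @head must be the header @table was found in; the permissions hook derives root (and namespace) from it, not from @table. */`. The remainder of sysctl_perm's body, including its return, lies outside the hunk.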
+1 -2
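--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -158,8 +158,7 @@
 struct ctl_table_set default_set;
 struct ctl_table_set *(*lookup)(struct ctl_table_root *root,
 struct nsproxy *namespaces);
-int (*permissions)(struct ctl_table_root *root,
-struct nsproxy *namespaces, struct ctl_table *table);
+int (*permissions)(struct ctl_table_header *head, struct ctl_table *table);
 };
 
 /* struct ctl_path describes where in the hierarchy a table is added */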
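Review bot: The `permissions` hook still has no comment stating its contract, and the new signature changes what an implementer gets: the header replaces both the root and the nsproxy argument. A short comment on the member would spare each implementer from guessing how to recover the root, e.g. `/* Return the mode bits to enforce for @table; @head is the header @table belongs to, and @head->root the root it lives under. */`. The surrounding struct definition starts and ends outside the hunk.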
+1 -2
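--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -38,8 +38,7 @@
 }
 
 /* Return standard mode bits for table entry. */
-static int net_ctl_permissions(struct ctl_table_root *root,
-struct nsproxy *nsproxy,
+static int net_ctl_permissions(struct ctl_table_header *head,
 struct ctl_table *table)
 {
 /* Allow network administrator to have same access as root. */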