
Clarify the rootid_owns_currentns

Split most of the rootid_owns_currentns() functionality
into a more generic rootid_owns_ns() function which
will be easier to write tests for.

Rename the functions and variables to make clear that
the ids being tested could be any uid.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
CC: Ryan Foster <foster.ryan.r@gmail.com>
CC: Christian Brauner <brauner@kernel.org>

---
v2: change the function parameter documentation to mollify the bot.

authored by

Serge Hallyn and committed by
Serge Hallyn
9891d2f7 211ddde0

+22 -12
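--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -358,23 +358,33 @@
 	return error;
 }
 
-static bool rootid_owns_currentns(vfsuid_t rootvfsuid)
+/**
+ * kuid_root_in_ns - check whether the given kuid is root in the given ns
+ * @kuid: the kuid to be tested
+ * @ns: the user namespace to test against
+ *
+ * Returns true if @kuid represents the root user in @ns, false otherwise.
+ */
+static bool kuid_root_in_ns(kuid_t kuid, struct user_namespace *ns)
 {
-	struct user_namespace *ns;
-	kuid_t kroot;
-
-	if (!vfsuid_valid(rootvfsuid))
-		return false;
-
-	kroot = vfsuid_into_kuid(rootvfsuid);
-	for (ns = current_user_ns();; ns = ns->parent) {
-		if (from_kuid(ns, kroot) == 0)
+	for (;; ns = ns->parent) {
+		if (from_kuid(ns, kuid) == 0)
 			return true;
 		if (ns == &init_user_ns)
 			break;
 	}
 
 	return false;
+}
+
+static bool vfsuid_root_in_currentns(vfsuid_t vfsuid)
+{
+	kuid_t kuid;
+
+	if (!vfsuid_valid(vfsuid))
+		return false;
+	kuid = vfsuid_into_kuid(vfsuid);
+	return kuid_root_in_ns(kuid, current_user_ns());
 }
 
 static __u32 sansflags(__u32 m)
@@ -481,7 +491,7 @@
 		goto out_free;
 	}
 
-	if (!rootid_owns_currentns(vfsroot)) {
+	if (!vfsuid_root_in_currentns(vfsroot)) {
 		size = -EOVERFLOW;
 		goto out_free;
 	}
@@ -722,7 +732,7 @@
 	/* Limit the caps to the mounter of the filesystem
 	 * or the more limited uid specified in the xattr.
 	 */
-	if (!rootid_owns_currentns(rootvfsuid))
+	if (!vfsuid_root_in_currentns(rootvfsuid))
 		return -ENODATA;
 
 	cpu_caps->permitted.val = le32_to_cpu(caps->data[0].permitted);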
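Review bot: The kernel-doc added for `kuid_root_in_ns()` describes a narrower check than the loop performs. The loop follows `ns->parent` until it reaches `&init_user_ns` and returns true at the first namespace where `from_kuid(ns, kuid) == 0`, so a kuid that is uid 0 only in an ancestor of @ns is accepted as well. Both visible callers use the result to decide whether the xattr's root id is accepted (failing with -EOVERFLOW or -ENODATA), so the comment should state the real contract, for example `* Returns true if @kuid maps to uid 0 in @ns or in any ancestor of @ns, up to and including init_user_ns; false otherwise.` Now that the namespace is a parameter rather than always `current_user_ns()`, the doc should also say that @ns must be non-NULL, since the helper dereferences it unconditionally. `vfsuid_root_in_currentns()` would benefit from a one-line comment noting that an invalid vfsuid is rejected before the walk.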