From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.14 09/68] net: Add variants of capable for use on on sockets
Date: Tue, 24 Jun 2014 11:50:28 -0400 [thread overview]
Message-ID: <20140624154724.341658724@linuxfoundation.org> (raw)
In-Reply-To: <20140624154723.907894814@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
[ Upstream commit a3b299da869d6e78cf42ae0b1b41797bcb8c5e4b ]
sk_net_capable - The common case, operations that are safe in a network namespace.
sk_capable - Operations that are not known to be safe in a network namespace
sk_ns_capable - The general case for special cases.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sock.h | 5 +++++
net/core/sock.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 54 insertions(+)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2278,6 +2278,11 @@ int sock_get_timestampns(struct sock *,
int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len, int level,
int type);
+bool sk_ns_capable(const struct sock *sk,
+ struct user_namespace *user_ns, int cap);
+bool sk_capable(const struct sock *sk, int cap);
+bool sk_net_capable(const struct sock *sk, int cap);
+
/*
* Enable debug/info messages
*/
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -145,6 +145,55 @@
static DEFINE_MUTEX(proto_list_mutex);
static LIST_HEAD(proto_list);
+/**
+ * sk_ns_capable - General socket capability test
+ * @sk: Socket to use a capability on or through
+ * @user_ns: The user namespace of the capability to use
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket had when the socket was
+ * created and the current process has the capability @cap in the user
+ * namespace @user_ns.
+ */
+bool sk_ns_capable(const struct sock *sk,
+ struct user_namespace *user_ns, int cap)
+{
+ return file_ns_capable(sk->sk_socket->file, user_ns, cap) &&
+ ns_capable(user_ns, cap);
+}
+EXPORT_SYMBOL(sk_ns_capable);
+
+/**
+ * sk_capable - Socket global capability test
+ * @sk: Socket to use a capability on or through
+ * @cap: The global capbility to use
+ *
+ * Test to see if the opener of the socket had when the socket was
+ * created and the current process has the capability @cap in all user
+ * namespaces.
+ */
+bool sk_capable(const struct sock *sk, int cap)
+{
+ return sk_ns_capable(sk, &init_user_ns, cap);
+}
+EXPORT_SYMBOL(sk_capable);
+
+/**
+ * sk_net_capable - Network namespace socket capability test
+ * @sk: Socket to use a capability on or through
+ * @cap: The capability to use
+ *
+ * Test to see if the opener of the socket had when the socke was created
+ * and the current process has the capability @cap over the network namespace
+ * the socket is a member of.
+ */
+bool sk_net_capable(const struct sock *sk, int cap)
+{
+ return sk_ns_capable(sk, sock_net(sk)->user_ns, cap);
+}
+EXPORT_SYMBOL(sk_net_capable);
+
+
#ifdef CONFIG_MEMCG_KMEM
int mem_cgroup_sockets_init(struct mem_cgroup *memcg, struct cgroup_subsys *ss)
{
next prev parent reply other threads:[~2014-06-24 16:32 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 15:50 [PATCH 3.14 00/68] 3.14.9-stable review Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 01/68] rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 02/68] target: Fix NULL pointer dereference for XCOPY in target_put_sess_cmd Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 03/68] iscsi-target: Reject mutual authentication with reflected CHAP_C Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 04/68] ima: audit log files opened with O_DIRECT flag Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 05/68] ima: introduce ima_kernel_read() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 06/68] evm: prohibit userspace writing security.evm HMAC value Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 07/68] netlink: Rename netlink_capable netlink_allowed Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 08/68] net: Move the permission check in sock_diag_put_filterinfo to packet_diag_dump Greg Kroah-Hartman
2014-06-24 15:50 ` Greg Kroah-Hartman [this message]
2014-06-24 15:50 ` [PATCH 3.14 10/68] net: Add variants of capable for use on netlink messages Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 11/68] net: Use netlink_ns_capable to verify the permisions of " Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 12/68] netlink: Only check file credentials for implicit destinations Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 13/68] qlcnic: info leak in qlcnic_dcb_peer_app_info() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 14/68] ipv6: Fix regression caused by efe4208 in udp_v6_mcast_next() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 15/68] netlink: rate-limit leftover bytes warning and print process name Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 16/68] bridge: Prevent insertion of FDB entry with disallowed vlan Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 17/68] net: tunnels - enable module autoloading Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 18/68] net: fix inet_getid() and ipv6_select_ident() bugs Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 19/68] team: fix mtu setting Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 20/68] tcp: fix cwnd undo on DSACK in F-RTO Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 21/68] sh_eth: use RNC mode for packet reception Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 22/68] sh_eth: fix SH7619/771x support Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 23/68] net: filter: fix typo in sparc BPF JIT Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 24/68] net: filter: fix sparc32 typo Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 26/68] net: force a list_del() in unregister_netdevice_many() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 27/68] ipip, sit: fix ipv4_{update_pmtu,redirect} calls Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 28/68] sfc: PIO:Restrict to 64bit arch and use 64-bit writes Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 29/68] ipv4: fix a race in ip4_datagram_release_cb() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 30/68] sctp: Fix sk_ack_backlog wrap-around problem Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 31/68] rtnetlink: fix userspace API breakage for iproute2 < v3.9.0 Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 32/68] vxlan: use dev->needed_headroom instead of dev->hard_header_len Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 33/68] udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 34/68] net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one() Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 35/68] net/mlx4_core: Keep only one driver entry release mlx4_priv Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 36/68] KVM: lapic: sync highest ISR to hardware apic on EOI Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 37/68] ARM: at91: fix at91_sysirq_mask_rtc for sam9x5 SoCs Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 38/68] MIPS: KVM: Allocate at least 16KB for exception handlers Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 39/68] USB: cdc-acm: fix write and suspend race Greg Kroah-Hartman
2014-06-24 15:50 ` [PATCH 3.14 40/68] USB: cdc-acm: fix write and resume race Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 41/68] USB: cdc-acm: fix broken runtime suspend Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 42/68] USB: cdc-acm: fix runtime PM for control messages Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 43/68] USB: cdc-acm: fix shutdown and suspend race Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 44/68] USB: cdc-acm: fix potential urb leak and PM imbalance in write Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 45/68] USB: cdc-acm: fix I/O after failed open Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 46/68] USB: cdc-acm: fix runtime PM imbalance at shutdown Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 47/68] Drivers: hv: balloon: Ensure pressure reports are posted regularly Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 49/68] ASoC: dapm: Make sure to always update the DAPM graph in _put_volsw() Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 50/68] ASoC: max98090: Fix reset at resume time Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 51/68] ASoC: tlv320aci3x: Fix custom snd_soc_dapm_put_volsw_aic3x() function Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 52/68] iio:adc:max1363 incorrect resolutions for max11604, max11605, max11610 and max11611 Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 53/68] staging: iio: tsl2x7x_core: fix proximity treshold Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 54/68] iio: mxs-lradc: fix divider Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 55/68] iio: adc: at91: signedness bug in at91_adc_get_trigger_value_by_name() Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 56/68] iio: Fix endianness issue in ak8975_read_axis() Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 58/68] lzo: properly check for overruns Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 59/68] lz4: ensure length does not wrap Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 60/68] ALSA: compress: Cancel the optimization of compiler and fix the size of struct for all platform Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 61/68] ALSA: hda/realtek - Add support of ALC891 codec Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 62/68] ALSA: hda/realtek - Add more entry for enable HP mute led Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 64/68] ALSA: control: Protect user controls against concurrent access Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 65/68] ALSA: control: Fix replacing user controls Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 66/68] ALSA: control: Dont access controls outside of protected regions Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 67/68] ALSA: control: Handle numid overflow Greg Kroah-Hartman
2014-06-24 15:51 ` [PATCH 3.14 68/68] ALSA: control: Make sure that id->index does not overflow Greg Kroah-Hartman
2014-06-24 19:49 ` [PATCH 3.14 00/68] 3.14.9-stable review Shuah Khan
2014-06-24 23:29 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140624154724.341658724@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.