From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Adrian Reber <areber@redhat.com>,
Christian Brauner <brauner@kernel.org>,
Andrei Vagin <avagin@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
jirislaby@kernel.org, linux-serial@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 04/13] tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE
Date: Sun, 28 Jan 2024 11:15:50 -0500
Message-ID: <20240128161606.205221-4-sashal@kernel.org>
In-Reply-To: <20240128161606.205221-1-sashal@kernel.org>

From: Adrian Reber <areber@redhat.com>

[ Upstream commit e0f25b8992345aa5f113da2815f5add98738c611 ]

The capability CAP_CHECKPOINT_RESTORE was introduced to allow non-root
users to checkpoint and restore processes as non-root with CRIU.

This change extends CAP_CHECKPOINT_RESTORE to enable the CRIU option
'--shell-job' as non-root. CRIU's man-page describes the '--shell-job'
option like this:

  Allow one to dump shell jobs. This implies the restored task will
  inherit session and process group ID from the criu itself. This option
  also allows to migrate a single external tty connection, to migrate
  applications like top.

TIOCSLCKTRMIOS can only be done if the process has CAP_SYS_ADMIN and
this change extends it to CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE.

With this change it is possible to checkpoint and restore processes
which have a tty connection as non-root if CAP_CHECKPOINT_RESTORE is
set.

Acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Adrian Reber <areber@redhat.com>
Acked-by: Andrei Vagin <avagin@gmail.com>
Link: https://lore.kernel.org/r/20231208143656.1019-1-areber@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/tty_ioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
index 68b07250dcb6..134f07c2431e 100644
--- a/drivers/tty/tty_ioctl.c
+++ b/drivers/tty/tty_ioctl.c
@@ -763,7 +763,7 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file,
ret = -EFAULT;
return ret;
case TIOCSLCKTRMIOS:
- if (!capable(CAP_SYS_ADMIN))
+ if (!checkpoint_restore_ns_capable(&init_user_ns))
return -EPERM;
copy_termios_locked(real_tty, &kterm);
if (user_termios_to_kernel_termios(&kterm,
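Review bot: The permission check in this TIOCSLCKTRMIOS case no longer names CAP_SYS_ADMIN, so whether existing CAP_SYS_ADMIN callers still pass depends entirely on what checkpoint_restore_ns_capable() accepts, and nothing at the call site says so. The commit message states the intended result is "CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE"; a one-line comment above the check saying the helper accepts either capability would keep that visible to anyone auditing who may lock termios settings. For this 5.10 backport, the diffstat shows only two changed lines in drivers/tty/tty_ioctl.c and no added include, so it is worth confirming that the helper is declared in a header this file already pulls in on the 5.10 tree.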
@@ -780,7 +780,7 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file,
ret = -EFAULT;
return ret;
case TIOCSLCKTRMIOS:
- if (!capable(CAP_SYS_ADMIN))
+ if (!checkpoint_restore_ns_capable(&init_user_ns))
return -EPERM;
copy_termios_locked(real_tty, &kterm);
if (user_termios_to_kernel_termios_1(&kterm,
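Review bot: The check in this second TIOCSLCKTRMIOS case is hard-wired to &init_user_ns, so a process that holds CAP_CHECKPOINT_RESTORE only inside a non-initial user namespace still gets -EPERM. That keeps the same namespace scope as the capable(CAP_SYS_ADMIN) check it replaces, but the changelog's "as non-root" wording can be read more broadly; stating that the capability must be held in the initial user namespace would remove the ambiguity. The identical two-line check now sits in both cases (the user_termios_to_kernel_termios path and the _1 variant), so any later change to the privilege requirement has to touch both or the two ioctl variants will diverge.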
--
2.43.0