From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
Subject: Re: [PATCH 3/5] pid: use namespaced iteration on processes while setting capability
Date: Thu, 18 Dec 2008 09:35:18 -0800
References: <1229618553-6348-1-git-send-email-gowrishankar.m@linux.vnet.ibm.com> <1229618553-6348-4-git-send-email-gowrishankar.m@linux.vnet.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1229618553-6348-4-git-send-email-gowrishankar.m-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> (Gowrishankar M.'s message of "Thu, 18 Dec 2008 22:12:31 +0530")
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: Gowrishankar M
Cc: Containers, Dave, Sukadev, Balbir
List-Id: containers.vger.kernel.org

Gowrishankar M writes:

> From: Gowrishankar M
>
> In piece of dead code, cap_set_all() propagates through processes outside
> PID namespace, as iteration is always in init PID namespace.
>
> Below patch adjusts macro controller to use do_each_thread_in_ns() so that
> only processes in current namespace are scanned

Yes. This case in capability.c needs to be fixed.

Acked-by: "Eric W. Biederman"

> Signed-off-by: Gowrishankar M
> ---
> kernel/capability.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 33e51e7..e3e3765 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -201,7 +201,7 @@ static inline int cap_set_all(kernel_cap_t *effective, > spin_lock(&task_capability_lock); > read_lock(&tasklist_lock); > > - do_each_thread(g, target) { > + do_each_thread_in_ns(g, target, current->nsproxy->pid_ns) { > if (target == current > || is_container_init(target->group_leader)) > continue; > -- > 1.5.5.1
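
Review bot: On the `+` line the iteration scope is read through `current->nsproxy->pid_ns`; `task_active_pid_ns(current)` names the namespace the caller lives in without depending on the nsproxy pointer, and would be the clearer way to pick which tasks have their capabilities rewritten. Only the loop opener changes here and the loop terminator is outside the shown context, so please confirm that `do_each_thread_in_ns()` pairs with the terminator already in place. Since the changelog calls cap_set_all() dead code, it should also say why the loop is being fixed rather than removed.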