| Message ID | 1375861035-24320-6-git-send-email-rui.xiang@huawei.com |
|---|---|
| State | Not Applicable, archived |
| Delegated to: | David Miller |
| Headers | show |
On Wed, 2013-08-07 at 15:37 +0800, Rui Xiang wrote: > Use ns_capable to check capability in user ns, > instead of capable function. The user ns is the > owner of current syslog ns. > > Signed-off-by: Rui Xiang <rui.xiang@huawei.com> > --- > kernel/printk.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/kernel/printk.c b/kernel/printk.c > index e508ab2..ca951e7 100644 > --- a/kernel/printk.c > +++ b/kernel/printk.c > @@ -374,13 +374,13 @@ static int check_syslog_permissions(int type, bool from_file, > return 0; > > if (syslog_action_restricted(type, ns)) { > - if (capable(CAP_SYSLOG)) > + if (ns_capable(ns->owner, CAP_SYSLOG)) > return 0; > /* > * For historical reasons, accept CAP_SYS_ADMIN too, with > * a warning. > */ > - if (capable(CAP_SYS_ADMIN)) { > + if (ns_capable(ns->owner, CAP_SYS_ADMIN)) { > pr_warn_once("%s (%d): Attempt to access syslog with " > "CAP_SYS_ADMIN but no CAP_SYSLOG " > "(deprecated).\n", Since CAP_SYS_ADMIN is only accepted for backward compatibility, is it really necessary to accept it as a per-namespace capability too? Ben.
diff --git a/kernel/printk.c b/kernel/printk.c index e508ab2..ca951e7 100644 --- a/kernel/printk.c +++ b/kernel/printk.c @@ -374,13 +374,13 @@ static int check_syslog_permissions(int type, bool from_file, return 0; if (syslog_action_restricted(type, ns)) { - if (capable(CAP_SYSLOG)) + if (ns_capable(ns->owner, CAP_SYSLOG)) return 0; /* * For historical reasons, accept CAP_SYS_ADMIN too, with * a warning. */ - if (capable(CAP_SYS_ADMIN)) { + if (ns_capable(ns->owner, CAP_SYS_ADMIN)) { pr_warn_once("%s (%d): Attempt to access syslog with " "CAP_SYS_ADMIN but no CAP_SYSLOG " "(deprecated).\n",
Use ns_capable to check capability in user ns, instead of capable function. The user ns is the owner of current syslog ns. Signed-off-by: Rui Xiang <rui.xiang@huawei.com> --- kernel/printk.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)