From patchwork Fri Nov 16 13:02:58 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Eric W. Biederman" X-Patchwork-Id: 199572 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id B56172C0082 for ; Sat, 17 Nov 2012 00:03:46 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751693Ab2KPNDo (ORCPT ); Fri, 16 Nov 2012 08:03:44 -0500 Received: from out01.mta.xmission.com ([166.70.13.231]:59365 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751657Ab2KPNDn (ORCPT ); Fri, 16 Nov 2012 08:03:43 -0500 Received: from in02.mta.xmission.com ([166.70.13.52]) by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1TZLaA-0004qL-SQ; Fri, 16 Nov 2012 06:03:42 -0700 Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.int.ebiederm.org) by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1TZLa8-0007nH-Jz; Fri, 16 Nov 2012 06:03:42 -0700 From: "Eric W. Biederman" To: David Miller Cc: , Serge Hallyn , Linux Containers , "Eric W. Biederman" Date: Fri, 16 Nov 2012 05:02:58 -0800 Message-Id: <1353070992-5552-3-git-send-email-ebiederm@xmission.com> X-Mailer: git-send-email 1.7.5.4 In-Reply-To: <1353070992-5552-1-git-send-email-ebiederm@xmission.com> References: <87d2zd8zwn.fsf@xmission.com> <1353070992-5552-1-git-send-email-ebiederm@xmission.com> X-XM-AID: U2FsdGVkX1/avKk1lwc8g1kmMM7iDmetWoxSD9Ky80g= X-SA-Exim-Connect-IP: 98.207.153.68 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sa06.xmission.com X-Spam-Level: X-Spam-Status: No, score=-1.4 required=8.0 tests=ALL_TRUSTED,BAYES_05, DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,XMSubLong autolearn=disabled version=3.3.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.1 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: T_TM2_M_HEADER_IN_MSG * -0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5% * [score: 0.0264] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;David Miller X-Spam-Relay-Country: Subject: [PATCH net-next 03/17] sysctl: Pass useful parameters to sysctl permissions X-SA-Exim-Version: 4.2.1 (built Sun, 08 Jan 2012 03:05:19 +0000) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: "Eric W. Biederman" - Current is implicitly avaiable so passing current->nsproxy isn't useful. - The ctl_table_header is needed to find how the sysctl table is connected to the rest of sysctl. - ctl_table_root is avaiable in the ctl_table_header so no need to it. With these changes it becomes possible to write a version of net_sysctl_permission that takes into account the network namespace of the sysctl table, an important feature in extending the user namespace. Acked-by: Serge Hallyn Signed-off-by: "Eric W. Biederman" --- fs/proc/proc_sysctl.c | 9 +++++---- include/linux/sysctl.h | 3 +-- net/sysctl_net.c | 3 +-- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index a781bdf..701580d 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -378,12 +378,13 @@ static int test_perm(int mode, int op) return -EACCES; } -static int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op) +static int sysctl_perm(struct ctl_table_header *head, struct ctl_table *table, int op) { + struct ctl_table_root *root = head->root; int mode; if (root->permissions) - mode = root->permissions(root, current->nsproxy, table); + mode = root->permissions(head, table); else mode = table->mode; @@ -491,7 +492,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf, * and won't be until we finish. */ error = -EPERM; - if (sysctl_perm(head->root, table, write ? MAY_WRITE : MAY_READ)) + if (sysctl_perm(head, table, write ? MAY_WRITE : MAY_READ)) goto out; /* if that can happen at all, it should be -EINVAL, not -EISDIR */ @@ -717,7 +718,7 @@ static int proc_sys_permission(struct inode *inode, int mask) if (!table) /* global root - r-xr-xr-x */ error = mask & MAY_WRITE ? -EACCES : 0; else /* Use the permissions on the sysctl table entry */ - error = sysctl_perm(head->root, table, mask & ~MAY_NOT_BLOCK); + error = sysctl_perm(head, table, mask & ~MAY_NOT_BLOCK); sysctl_head_finish(head); return error; diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h index cd844a6..14a8ff2 100644 --- a/include/linux/sysctl.h +++ b/include/linux/sysctl.h @@ -158,8 +158,7 @@ struct ctl_table_root { struct ctl_table_set default_set; struct ctl_table_set *(*lookup)(struct ctl_table_root *root, struct nsproxy *namespaces); - int (*permissions)(struct ctl_table_root *root, - struct nsproxy *namespaces, struct ctl_table *table); + int (*permissions)(struct ctl_table_header *head, struct ctl_table *table); }; /* struct ctl_path describes where in the hierarchy a table is added */ diff --git a/net/sysctl_net.c b/net/sysctl_net.c index e3a6e37..e98f393 100644 --- a/net/sysctl_net.c +++ b/net/sysctl_net.c @@ -38,8 +38,7 @@ static int is_seen(struct ctl_table_set *set) } /* Return standard mode bits for table entry. */ -static int net_ctl_permissions(struct ctl_table_root *root, - struct nsproxy *nsproxy, +static int net_ctl_permissions(struct ctl_table_header *head, struct ctl_table *table) { /* Allow network administrator to have same access as root. */