summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorSerge E. Hallyn <serue@us.ibm.com>2009-02-26 18:27:47 -0600
committerJames Morris <jmorris@namei.org>2009-02-27 12:35:09 +1100
commit8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b (patch)
treef1e2f21f17268cb9a88446da2f1ced9dbccd5138 /security
parent1d1e97562e5e2ac60fb7b25437ba619f95f67fab (diff)
downloadlwn-8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b.tar.gz
lwn-8ff3bc3138a400294ee9e126ac75fc9a9fae4e0b.zip
keys: consider user namespace in key_permission
If a key is owned by another user namespace, then treat the key as though it is owned by both another uid and gid. Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/keys/permission.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 5d9fc7b93f2e..0ed802c9e698 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -35,6 +35,9 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
key = key_ref_to_ptr(key_ref);
+ if (key->user->user_ns != cred->user->user_ns)
+ goto use_other_perms;
+
/* use the second 8-bits of permissions for keys the caller owns */
if (key->uid == cred->fsuid) {
kperm = key->perm >> 16;
@@ -56,6 +59,8 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
}
}
+use_other_perms:
+
/* otherwise use the least-significant 8-bits */
kperm = key->perm;