
[v2,6/7] audit: Use task_is_in_init_pid_ns()

Message ID 20211208083320.472503-7-leo.yan@linaro.org (mailing list archive)
State New, archived
Series pid: Introduce helper task_is_in_root_ns()

Commit Message

Leo Yan Dec. 8, 2021, 8:33 a.m. UTC
Replace open code with task_is_in_init_pid_ns() for checking root PID
namespace.

Signed-off-by: Leo Yan <leo.yan@linaro.org>
---
 kernel/audit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Education Directorate Dec. 14, 2021, 5:56 a.m. UTC | #1
On Wed, Dec 08, 2021 at 04:33:19PM +0800, Leo Yan wrote:
> Replace open code with task_is_in_init_pid_ns() for checking root PID
> namespace.
> 
> Signed-off-by: Leo Yan <leo.yan@linaro.org>
> ---
>  kernel/audit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 121d37e700a6..56ea91014180 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1034,7 +1034,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
>  	case AUDIT_MAKE_EQUIV:
>  		/* Only support auditd and auditctl in initial pid namespace
>  		 * for now. */
> -		if (task_active_pid_ns(current) != &init_pid_ns)
> +		if (!task_is_in_init_pid_ns(current))
>  			return -EPERM;
>  
>  		if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
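
Review bot: The namespace test on the `+` line is applied to `current`, while the capability test two lines below it takes `skb`, and nothing in the hunk says why the two checks use different subjects. Since the line is being touched anyway, consider extending the comment above it to state whether `current` is guaranteed to be the sender of the netlink message at this point, so a reader can tell that `!task_is_in_init_pid_ns(current)` and `netlink_capable(skb, CAP_AUDIT_CONTROL)` are meant to gate the same task.
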
> -- 
> 2.25.1
>

Acked-by: Balbir Singh <bsingharora@gmail.com>

Paul Moore Dec. 14, 2021, 10:35 p.m. UTC | #2
On Wed, Dec 8, 2021 at 3:33 AM Leo Yan <leo.yan@linaro.org> wrote:
>
> Replace open code with task_is_in_init_pid_ns() for checking root PID
> namespace.
>
> Signed-off-by: Leo Yan <leo.yan@linaro.org>
> ---
>  kernel/audit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

I'm not sure how necessary this is, but it looks correct to me.

Acked-by: Paul Moore <paul@paul-moore.com>

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 121d37e700a6..56ea91014180 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1034,7 +1034,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
>         case AUDIT_MAKE_EQUIV:
>                 /* Only support auditd and auditctl in initial pid namespace
>                  * for now. */
> -               if (task_active_pid_ns(current) != &init_pid_ns)
> +               if (!task_is_in_init_pid_ns(current))
>                         return -EPERM;
>
>                 if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
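
Review bot: `task_is_in_init_pid_ns()` on the `+` line is not defined or declared anywhere in this patch: the diffstat shows only kernel/audit.c changed, and the hunk adds no `#include`. As patch 6/7 it depends on another patch in the series for the helper, so please confirm that patch is ordered before this one (to keep the series bisectable) and that the header declaring the helper is already reachable from kernel/audit.c. The series title also names the helper `task_is_in_root_ns()`, which does not match the name used here.
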
> --
> 2.25.1

Richard Guy Briggs Dec. 15, 2021, 7:09 p.m. UTC | #3
On 2021-12-14 17:35, Paul Moore wrote:
> On Wed, Dec 8, 2021 at 3:33 AM Leo Yan <leo.yan@linaro.org> wrote:
> >
> > Replace open code with task_is_in_init_pid_ns() for checking root PID
> > namespace.
> >
> > Signed-off-by: Leo Yan <leo.yan@linaro.org>
> > ---
> >  kernel/audit.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> I'm not sure how necessary this is, but it looks correct to me.

I had the same thought.  It looks correct to me.  I could see the value
if it permitted init_pid_ns to not be global.

> Acked-by: Paul Moore <paul@paul-moore.com>

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>

> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 121d37e700a6..56ea91014180 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1034,7 +1034,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> >         case AUDIT_MAKE_EQUIV:
> >                 /* Only support auditd and auditctl in initial pid namespace
> >                  * for now. */
> > -               if (task_active_pid_ns(current) != &init_pid_ns)
> > +               if (!task_is_in_init_pid_ns(current))
> >                         return -EPERM;
> >
> >                 if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
> > --
> > 2.25.1
> 
> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Leo Yan Dec. 16, 2021, 1:09 a.m. UTC | #4
On Wed, Dec 15, 2021 at 02:09:12PM -0500, Richard Guy Briggs wrote:
> On 2021-12-14 17:35, Paul Moore wrote:
> > On Wed, Dec 8, 2021 at 3:33 AM Leo Yan <leo.yan@linaro.org> wrote:
> > >
> > > Replace open code with task_is_in_init_pid_ns() for checking root PID
> > > namespace.
> > >
> > > Signed-off-by: Leo Yan <leo.yan@linaro.org>
> > > ---
> > >  kernel/audit.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > I'm not sure how necessary this is, but it looks correct to me.
> 
> I had the same thought.  It looks correct to me.  I could see the value
> if it permitted init_pid_ns to not be global.

Just for background info, we need to check the root PID namespace in some
drivers [1]; to avoid introducing more open code, we decided to refactor
with the helper task_is_in_init_pid_ns().

[1] https://lore.kernel.org/lkml/20211213121323.1887180-1-leo.yan@linaro.org/

> > Acked-by: Paul Moore <paul@paul-moore.com>
> 
> Reviewed-by: Richard Guy Briggs <rgb@redhat.com>

Thanks for the review, Paul and Richard.

Leo

Patch

diff --git a/kernel/audit.c b/kernel/audit.c
index 121d37e700a6..56ea91014180 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1034,7 +1034,7 @@  static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	case AUDIT_MAKE_EQUIV:
 		/* Only support auditd and auditctl in initial pid namespace
 		 * for now. */
-		if (task_active_pid_ns(current) != &init_pid_ns)
+		if (!task_is_in_init_pid_ns(current))
 			return -EPERM;
 
 		if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
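
Review bot: The changelog calls this the "root PID namespace", but the comment kept directly above the changed line says "initial pid namespace" and the new helper on the `+` line is named after `init_pid_ns`; use "initial PID namespace" in the changelog so all three agree. If no functional change is intended, the changelog should say so, and it should give the reason the helper is wanted, since the replaced test `task_active_pid_ns(current) != &init_pid_ns` is already a single line and two reviewers on this thread questioned the need.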