Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752014AbdHHAE0 (ORCPT ); Mon, 7 Aug 2017 20:04:26 -0400 Received: from aserp1040.oracle.com ([141.146.126.69]:17675 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751881AbdHHAEY (ORCPT ); Mon, 7 Aug 2017 20:04:24 -0400 From: Prakash Sangappa To: linux-kernel@vger.kernel.org, netdev@vger.kernel.org Cc: davem@davemloft.net, ebiederm@xmission.com, prakash.sangappa@oracle.com Subject: [PATCH] Allow passing tid or pid in SCM_CREDENTIALS without CAP_SYS_ADMIN Date: Mon, 7 Aug 2017 17:07:10 -0700 Message-Id: <1502150830-3964-1-git-send-email-prakash.sangappa@oracle.com> X-Mailer: git-send-email 2.7.4 X-Source-IP: aserv0021.oracle.com [141.146.126.233] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1259 Lines: 32 Currently passing tid(gettid(2)) of a thread in struct ucred in SCM_CREDENTIALS message requires CAP_SYS_ADMIN capability otherwise it fails with EPERM error. Some applications deal with thread id of a thread(tid) and so it would help to allow tid in SCM_CREDENTIALS message. Basically, either tgid(pid of the process) or the tid of the thread should be allowed without the need for CAP_SYS_ADMIN capability. SCM_CREDENTIALS will be used to determine the global id of a process or a thread running inside a pid namespace. This patch adds necessary check to accept tid in SCM_CREDENTIALS struct ucred. Signed-off-by: Prakash Sangappa --- net/core/scm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/scm.c b/net/core/scm.c index b1ff8a4..9274197 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -55,6 +55,7 @@ static __inline__ int scm_check_creds(struct ucred *creds) return -EINVAL; if ((creds->pid == task_tgid_vnr(current) || + creds->pid == task_pid_vnr(current) || ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) && ((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) || uid_eq(uid, cred->suid)) || ns_capable(cred->user_ns, CAP_SETUID)) && -- 2.7.4