From: Christian Brauner
Date: Sun, 29 Apr 2018 11:59:58 +0200
To: "Eric W. Biederman"
Cc: davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, avagin@virtuozzo.com, ktkhai@virtuozzo.com, serge@hallyn.com, gregkh@linuxfoundation.org
Subject: Re: [PATCH net-next 2/2 v4] netns: restrict uevents
Message-ID: <20180429095957.GA27296@gmail.com>
In-Reply-To: <87in8ad4ip.fsf@xmission.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Apr 28, 2018 at 11:23:58PM -0500, Eric W.
Biederman wrote:
>
> > + /* fix credentials */ > > + if (owning_user_ns != &init_user_ns) { > > + struct netlink_skb_parms *parms = &NETLINK_CB(skb); > > + kuid_t root_uid; > > + kgid_t root_gid; > > + > > + /* fix uid */ > > + root_uid = make_kuid(owning_user_ns, 0); > > + if (!uid_valid(root_uid)) > > + root_uid = GLOBAL_ROOT_UID; > > + parms->creds.uid = root_uid; > > + > > + /* fix gid */ > > + root_gid = make_kgid(owning_user_ns, 0); > > + if (!gid_valid(root_gid)) > > + root_gid = GLOBAL_ROOT_GID; > > + parms->creds.gid = root_gid;
>
> One last nit:

Will add non-functional change and make it a v5 in a few.

Thanks!
Christian

>
> You can only make the assignment if the uid is valid.
> Leaving it GLOBAL_ROOT_UID if the composed uid is invalid.
> AKA
>
> 	/* fix uid */
> 	root_uid = make_kuid(owning_user_ns, 0);
> 	if (uid_valid(root_uid))
> 		parms->creds.uid = root_uid;
>
> 	/* fix gid */
> 	root_gid = make_kgid(owning_user_ns, 0);
> 	if (gid_valid(root_gid))
> 		parms->creds.gid = root_gid;
>
>
> One line shorter and I think a little clearer. I suspect
> it even results in better code.
>
> Eric
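
Review bot: in the quoted hunk, the `/* fix uid */` and `/* fix gid */` blocks do not document the case where uid 0 or gid 0 has no mapping in `owning_user_ns`: `if (!uid_valid(root_uid))` followed by `root_uid = GLOBAL_ROOT_UID;` silently substitutes global root, and the gid block does the same with `GLOBAL_ROOT_GID`. A one-line comment stating why global root is the intended credential for an unmapped namespace root would make the fallback auditable. If `parms->creds` already holds the global root ids at this point, as the reply assumes, the two fallback assignments are redundant and the `if (uid_valid(root_uid))` form suggested in the reply states the intent more directly.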