Date: Wed, 15 Jul 2020 17:08:11 +0200
From: Christian Brauner
To: Adrian Reber
Cc: Eric Biederman, Pavel Emelyanov, Oleg Nesterov, Dmitry Safonov <0x7f454c46@gmail.com>, Andrei Vagin, Nicolas Viennot, Michał Cłapiński, Kamil Yurtsever, Dirk Petersen, Christine Flood, Casey Schaufler, Mike Rapoport, Radostin Stoyanov, Cyrill Gorcunov, Serge Hallyn, Stephen Smalley, Sargun Dhillon, Arnd Bergmann, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, Eric Paris, Jann Horn, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v5 2/6] pid: use checkpoint_restore_ns_capable() for set_tid
Message-ID: <20200715150811.ly7fhogee7zykaoh@wittgenstein>
References: <20200715144954.1387760-1-areber@redhat.com> <20200715144954.1387760-3-areber@redhat.com>
In-Reply-To: <20200715144954.1387760-3-areber@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 15, 2020 at 04:49:50PM +0200, Adrian Reber wrote:
> Use the newly introduced capability CAP_CHECKPOINT_RESTORE to allow
> using clone3() with set_tid set.
>
> Signed-off-by: Adrian Reber
> Signed-off-by: Nicolas Viennot
> ---

Looks good!
Acked-by: Christian Brauner

> kernel/pid.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/pid.c b/kernel/pid.c
> index de9d29c41d77..a9cbab0194d9 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -199,7 +199,7 @@ struct pid *alloc_pid(struct pid_namespace *ns, pid_t *set_tid,
> if (tid != 1 && !tmp->child_reaper)
> goto out_free;
> retval = -EPERM;
> - if (!ns_capable(tmp->user_ns, CAP_SYS_ADMIN))
> + if (!checkpoint_restore_ns_capable(tmp->user_ns))
> goto out_free;
> set_tid_size--;
> }
> --
> 2.26.2
>
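Review bot: the commit message should say whether CAP_SYS_ADMIN remains sufficient for set_tid after this hunk, since it replaces `if (!ns_capable(tmp->user_ns, CAP_SYS_ADMIN))` with `if (!checkpoint_restore_ns_capable(tmp->user_ns))` and nothing in the patch itself shows what the helper accepts; checkpoint/restore tooling that today pins PIDs while holding only CAP_SYS_ADMIN would start getting -EPERM (the `retval = -EPERM` set just above the check) if the helper does not also honour it. It is also worth spelling out in the log that the check is still evaluated per pid-namespace level against `tmp->user_ns` inside the set_tid loop (see the trailing `set_tid_size--`), so requesting a PID in an ancestor namespace continues to require the privilege in that ancestor's owning user namespace, not merely in the caller's own.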
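The hunk above shows only the innermost part of the check. To make the authorization semantics concrete, here is a small userspace model, added here as an example and not code from the kernel or from this series, of how alloc_pid() walks the set_tid array from the most nested pid namespace outwards and asks for the privilege in the user namespace that owns each level. The struct and function names (pidns_model, caller_model, model_alloc_pid, model_checkpoint_restore_ns_capable) are this model's own; the loop shape follows kernel/pid.c as the hunk's context lines show it, but PID uniqueness (the idr allocation) and the real capability implementation are not modelled, and the capability is reduced to a single per-user-namespace bit.

```c
/*
 * Userspace model (added example, not kernel code) of the per-level
 * privilege check alloc_pid() applies to clone3()'s set_tid array.
 * All names here are the model's own; they mirror, not reuse, kernel/pid.c.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PID_MAX 32768
#define MAX_USER_NS 8

/* One pid namespace level. user_ns identifies the user namespace that owns
 * it; child_reaper records whether this namespace already has a PID 1. */
struct pidns_model {
	int level;                  /* 0 == init_pid_ns, grows with nesting */
	int user_ns;                /* owning user namespace, by id */
	bool child_reaper;          /* true once an init process exists */
	struct pidns_model *parent;
};

/* The caller's privilege, reduced to "is it capable in user namespace N".
 * Whatever checkpoint_restore_ns_capable() accepts in the real kernel is
 * collapsed into this one bit per user namespace (modelling assumption). */
struct caller_model {
	bool cap_in_user_ns[MAX_USER_NS];
};

/* Stand-in for checkpoint_restore_ns_capable(tmp->user_ns). */
static bool model_checkpoint_restore_ns_capable(const struct caller_model *c, int user_ns)
{
	return c->cap_in_user_ns[user_ns];
}

/*
 * Walk from the target namespace outwards: set_tid[0] is the PID wanted in
 * the most nested namespace, set_tid[1] the one in its parent, and so on.
 * Returns 0 on success or a negative errno, like the kernel's retval.
 */
static int model_alloc_pid(struct pidns_model *ns, const struct caller_model *caller,
			   const int *set_tid, size_t set_tid_size)
{
	struct pidns_model *tmp = ns;
	int i;

	/* More PIDs than namespace levels cannot be honoured. */
	if (set_tid_size > (size_t)ns->level + 1)
		return -EINVAL;

	for (i = ns->level; i >= 0; i--) {
		if (set_tid_size) {
			int tid = set_tid[ns->level - i];

			if (tid < 1 || tid >= PID_MAX)
				return -EINVAL;
			/* A PID other than 1 needs an init in that namespace. */
			if (tid != 1 && !tmp->child_reaper)
				return -EINVAL;
			/* Privilege is checked in the user namespace owning
			 * *this* level, not the caller's own namespace. */
			if (!model_checkpoint_restore_ns_capable(caller, tmp->user_ns))
				return -EPERM;
			set_tid_size--;
		}
		tmp = tmp->parent;
	}
	return 0;
}

/* Constructed hierarchy: init_pid_ns owned by user namespace 0, and a child
 * pid namespace owned by user namespace 1 that already has an init. */
static struct pidns_model init_ns = { .level = 0, .user_ns = 0, .child_reaper = true };
static struct pidns_model child_ns = { .level = 1, .user_ns = 1, .child_reaper = true,
				       .parent = &init_ns };

/* Constructed caller: owner of user namespace 1, unprivileged in namespace 0. */
static const struct caller_model ns_owner = { .cap_in_user_ns = { [1] = true } };

/* Pin the PID in the child namespace only: the namespace owner may do this. */
int example_inner_only(void)
{
	int tids[] = { 4242 };
	return model_alloc_pid(&child_ns, &ns_owner, tids, 1);
}

/* Also pin the PID seen from init_pid_ns: needs privilege in user namespace 0. */
int example_both_levels(void)
{
	int tids[] = { 4242, 31337 };
	return model_alloc_pid(&child_ns, &ns_owner, tids, 2);
}

/* A PID other than 1 in a namespace with no init is refused before the
 * privilege check is even reached. */
int example_no_reaper(void)
{
	struct pidns_model fresh = { .level = 1, .user_ns = 1, .child_reaper = false,
				     .parent = &init_ns };
	int tids[] = { 7 };
	return model_alloc_pid(&fresh, &ns_owner, tids, 1);
}

int main(void)
{
	printf("inner only:  %d\n", example_inner_only());
	printf("both levels: %d\n", example_both_levels());
	printf("no reaper:   %d\n", example_no_reaper());
	return 0;
}
```

The second case is the one the hunk is about: holding the privilege in the user namespace you created is enough to choose your own PID inside it, but pinning how that process appears in an ancestor pid namespace requires the privilege in the ancestor's owning user namespace, which is why the check is made against tmp->user_ns at every level rather than once against the caller's credentials.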