From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Adrian Reber, Christian Brauner, Andrei Vagin, Greg Kroah-Hartman, Sasha Levin, jirislaby@kernel.org, linux-serial@vger.kernel.org
Subject: [PATCH AUTOSEL 6.7 09/39] tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE
Date: Sun, 28 Jan 2024 11:10:29 -0500
Message-ID: <20240128161130.200783-9-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240128161130.200783-1-sashal@kernel.org>
References: <20240128161130.200783-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.7.2
Content-Transfer-Encoding: 8bit

From: Adrian Reber

[ Upstream commit e0f25b8992345aa5f113da2815f5add98738c611 ]

The capability CAP_CHECKPOINT_RESTORE was introduced to allow non-root
users to checkpoint and restore processes as non-root with CRIU.

This change extends CAP_CHECKPOINT_RESTORE to enable the CRIU option
'--shell-job' as non-root. CRIU's man-page describes the '--shell-job'
option like this:

  Allow one to dump shell jobs. This implies the restored task will
  inherit session and process group ID from the criu itself. This option
  also allows to migrate a single external tty connection, to migrate
  applications like top.

TIOCSLCKTRMIOS can only be done if the process has CAP_SYS_ADMIN and
this change extends it to CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE.

With this change it is possible to checkpoint and restore processes
which have a tty connection as non-root if CAP_CHECKPOINT_RESTORE is
set.

Acked-by: Christian Brauner
Signed-off-by: Adrian Reber
Acked-by: Andrei Vagin
Link: https://lore.kernel.org/r/20231208143656.1019-1-areber@redhat.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
---
 drivers/tty/tty_ioctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c index 4b499301a3db..85de90eebc7b 100644 --- a/drivers/tty/tty_ioctl.c +++ b/drivers/tty/tty_ioctl.c @@ -844,7 +844,7 @@ int tty_mode_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg) ret = -EFAULT; return ret; case TIOCSLCKTRMIOS: - if (!capable(CAP_SYS_ADMIN)) + if (!checkpoint_restore_ns_capable(&init_user_ns)) return -EPERM; copy_termios_locked(real_tty, &kterm); if (user_termios_to_kernel_termios(&kterm, @@ -861,7 +861,7 @@ int tty_mode_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg) ret = -EFAULT; return ret; case TIOCSLCKTRMIOS: - if (!capable(CAP_SYS_ADMIN)) + if (!checkpoint_restore_ns_capable(&init_user_ns)) return -EPERM; copy_termios_locked(real_tty, &kterm); if (user_termios_to_kernel_termios_1(&kterm, -- 2.43.0
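
Review bot: In the first hunk (@@ -844), the replacement check `if (!checkpoint_restore_ns_capable(&init_user_ns))` no longer names CAP_SYS_ADMIN at the call site, while the commit message states the policy as "CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE". Please add a one-line comment above the check saying that the helper accepts either capability and that it is evaluated against init_user_ns, so a capability held only inside a child user namespace does not pass. Someone auditing who may lock termios settings can then confirm the intended policy without leaving tty_ioctl.c.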
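
Review bot: In the second hunk (@@ -861), the same permission check is edited a second time in a parallel `case TIOCSLCKTRMIOS:` arm whose only visible difference is the call to user_termios_to_kernel_termios_1. Two copies of a security check in tty_mode_ioctl() can drift apart if a later change touches only one of them, so consider hoisting the check into one small helper used by both arms. Also, this is queued as AUTOSEL for 6.7 stable yet it relaxes a privilege requirement rather than fixing a defect; it would help to state why a wider permission check is wanted in a stable tree.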