authorJames Morris <jmorris@namei.org>2008-11-26 10:56:44 +0530
committerJames Morris <jmorris@namei.org>2008-11-26 10:56:44 +0530
commit3496f92beb9aa99ef21fccc154a36c7698e9c538 (patch)
tree2492602c6316b654378c3b557e206923956e59f4 /kernel/fork.c
parent200036ca9b3f0b2250912142552ce56682190f95 (diff)
parent6ded6ab9be4f6164aef1c527407c1b94f0929799 (diff)
Merge branch 'serge-next' into next
Diffstat (limited to 'kernel/fork.c')
-rw-r--r--kernel/fork.c19
1 files changed, 16 insertions, 3 deletions
diff --git a/kernel/fork.c b/kernel/fork.c
index 29c18c14812d..1dd89451fae4 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -976,7 +976,7 @@ static struct task_struct *copy_process(unsigned long clone_flags,
if (atomic_read(&p->real_cred->user->processes) >=
p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
- p->real_cred->user != current->nsproxy->user_ns->root_user)
+ p->real_cred->user != INIT_USER)
goto bad_fork_free;
}
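Review bot: The RLIMIT_NPROC exemption on the `p->real_cred->user != INIT_USER` line has no comment explaining why it is now tied to the initial root user instead of the root user of the caller's user namespace. As written, a uid-0 user in a non-initial user namespace appears to be held to the process limit unless it has CAP_SYS_ADMIN or CAP_SYS_RESOURCE; that looks like the intended hardening, but an uncommented condition is easy to revert by accident. I would add above the condition `/* Only the initial root user is exempt; root of a child user namespace must not bypass RLIMIT_NPROC. */`. copy_process starts and ends outside this hunk, so how `p->real_cred` is populated is not visible here.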
@@ -1335,6 +1335,20 @@ long do_fork(unsigned long clone_flags,
long nr;
/*
+ * Do some preliminary argument and permissions checking before we
+ * actually start allocating stuff
+ */
+ if (clone_flags & CLONE_NEWUSER) {
+ if (clone_flags & CLONE_THREAD)
+ return -EINVAL;
+ /* hopefully this check will go away when userns support is
+ * complete
+ */
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ }
+
+ /*
* We hope to recycle these flags after 2.6.26
*/
if (unlikely(clone_flags & CLONE_STOPPED)) {
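Review bot: The comment above `if (!capable(CAP_SYS_ADMIN))` only says the check will hopefully go away, without stating what it protects or what must hold before it can be removed. This test is the only privilege gate on CLONE_NEWUSER visible in the hunk, so the comment should read as a security requirement, for example `/* Creating a user namespace is privileged until userns support is complete; keep this CAP_SYS_ADMIN check until then. */`. It is also worth noting in the block comment that the CLONE_NEWUSER|CLONE_THREAD rejection runs before the capability test, so an unprivileged caller gets -EINVAL rather than -EPERM for that combination. do_fork continues past the end of the hunk.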
@@ -1581,8 +1595,7 @@ asmlinkage long sys_unshare(unsigned long unshare_flags)
err = -EINVAL;
if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
- CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|
- CLONE_NEWNET))
+ CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET))
goto bad_unshare_out;
/*
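Review bot: The allowed-flags mask in sys_unshare now omits CLONE_NEWUSER, and nothing at the mask says the omission is deliberate. The do_fork hunk in this same diff gates CLONE_NEWUSER behind CAP_SYS_ADMIN, while no equivalent check is visible on this path, so a later change that simply puts the flag back in the mask could expose user-namespace creation without that gate. A comment above the mask such as `/* CLONE_NEWUSER is intentionally not accepted here; unshare() has no privilege check for it. */` would make the constraint explicit. The rest of sys_unshare lies outside the hunk, so whether it carries its own permission checks should be confirmed.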