diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2014-12-05 17:19:27 -0600 |
|---|---|---|
| committer | Eric W. Biederman <ebiederm@xmission.com> | 2014-12-05 17:19:27 -0600 |
| commit | 7ff4d90b4c24a03666f296c3d4878cd39001e81e (patch) | |
| tree | 757293c98c93eec1c5b7caae149c34e49bb824c5 /kernel/groups.c | |
| parent | 4fed655c410cc56add64c7b1f7c85c7c56066ac2 (diff) | |
| download | linux-7ff4d90b4c24a03666f296c3d4878cd39001e81e.tar.gz | |
groups: Consolidate the setgroups permission checks
Today there are 3 instances of setgroups and due to an oversight their permission checking has diverged. Add a common function so that they may all share the same permission checking code. This corrects the current oversight in the current permission checks and adds a helper to avoid this in the future. A user namespace security fix will update this new helper, shortly. Cc: stable@vger.kernel.org Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'kernel/groups.c')
| -rw-r--r-- | kernel/groups.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/kernel/groups.c b/kernel/groups.c index 451698f86cfa..02d8a251c476 100644 --- a/kernel/groups.c +++ b/kernel/groups.c @@ -213,6 +213,13 @@ out: return i; } +bool may_setgroups(void) +{ + struct user_namespace *user_ns = current_user_ns(); + + return ns_capable(user_ns, CAP_SETGID); +} + /* * SMP: Our groups are copy-on-write. We can set them safely * without another task interfering. @@ -223,7 +230,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist) struct group_info *group_info; int retval; - if (!ns_capable(current_user_ns(), CAP_SETGID)) + if (!may_setgroups()) return -EPERM; if ((unsigned)gidsetsize > NGROUPS_MAX) return -EINVAL; |