Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
prctl: Allow local CAP_SYS_ADMIN changing exe_file
During checkpointing and restore of userspace tasks we bumped into the situation, that it's not possible to restore the tasks, which user namespace does not have uid 0 or gid 0 mapped. People create user namespace mappings like they want, and there is no a limitation on obligatory uid and gid "must be mapped". So, if there is no uid 0 or gid 0 in the mapping, it's impossible to restore mm->exe_file of the processes belonging to this user namespace. Also, there is no a workaround. It's impossible to create a temporary uid/gid mapping, because only one write to /proc/[pid]/uid_map and gid_map is allowed during a namespace lifetime. If there is an entry, then no more mapings can't be written. If there isn't an entry, we can't write there too, otherwise user task won't be able to do that in the future. The patch changes the check, and looks for CAP_SYS_ADMIN instead of zero uid and gid. This allows to restore a task independently of its user namespace mappings. Signed-off-by: Kirill Tkhai <[email protected]> CC: Andrew Morton <[email protected]> CC: Serge Hallyn <[email protected]> CC: "Eric W. Biederman" <[email protected]> CC: Oleg Nesterov <[email protected]> CC: Michal Hocko <[email protected]> CC: Andrei Vagin <[email protected]> CC: Cyrill Gorcunov <[email protected]> CC: Stanislav Kinsburskiy <[email protected]> CC: Pavel Tikhomirov <[email protected]> Reviewed-by: Cyrill Gorcunov <[email protected]> Signed-off-by: Eric W. Biederman <[email protected]>
- Loading branch information