If a connection proxies a uid, we should make sure to perform accounting on that passed uid. Otherwise, limits will be shared across all proxied users (or we'd require the proxy to run setuid() and thus require CAP_SETUID). However, this is only allowed if the proxy is privileged on the bus. That is, it must have CAP_IPC_ADMIN on the domain and the passed uid must be mapped in that domain.
Signed-off-by: David Herrmann <[email protected]> --- ipc/kdbus/connection.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c index 243cbc7..c81888e 100644 --- a/ipc/kdbus/connection.c +++ b/ipc/kdbus/connection.c @@ -237,11 +237,21 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, * Note that limits are always accounted against the real UID, not * the effective UID (cred->user always points to the accounting of * cred->uid, not cred->euid). + * In case the caller is privileged, we allow changing the accounting + * to the faked user. */ if (ep->user) { conn->user = kdbus_user_ref(ep->user); } else { - conn->user = kdbus_user_lookup(ep->bus->domain, current_uid()); + kuid_t uid; + + if (conn->meta_fake && uid_valid(conn->meta_fake->uid) && + conn->privileged) + uid = conn->meta_fake->uid; + else + uid = conn->cred->uid; + + conn->user = kdbus_user_lookup(ep->bus->domain, uid); if (IS_ERR(conn->user)) { ret = PTR_ERR(conn->user); conn->user = NULL; -- 2.5.0 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
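Review bot: In the new else branch, the condition `conn->meta_fake && uid_valid(conn->meta_fake->uid) && conn->privileged` silently falls back to `conn->cred->uid` when a faked uid is supplied but the connection is not privileged. The visible lines do not show whether that combination is rejected earlier in kdbus_conn_new(). If it is, a short comment saying so would help. If it is not, an unprivileged proxy gets all of its proxied users accounted against its own uid without any error, which is the shared-limits case the commit message sets out to avoid. The commit message also states two conditions (CAP_IPC_ADMIN on the domain, and the passed uid being mapped in that domain), while the added comment mentions only "privileged". It would be worth extending the comment to say that `conn->privileged` and `uid_valid()` are what enforce those two conditions, and that `conn->privileged` is already initialised at this point. Separately, the fallback path changes from `current_uid()` to `conn->cred->uid`, which the changelog does not mention. Please note in the commit message whether these are expected to be identical here or whether this is an intended behaviour change.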

