From: Greg Kroah-Hartman
Date: Tue, 12 Feb 2019 08:48:32 +0000 (+0100)
Subject: drop fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
X-Git-Tag: v4.9.156~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0062f054d812ba5271bfd821cbc737e867ed60a0;p=thirdparty%2Fkernel%2Fstable-queue.git

drop fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
---

diff --git a/queue-4.14/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch b/queue-4.14/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
deleted file mode 100644
index 459aacc3aab..00000000000
--- a/queue-4.14/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 4a43f992c7ec4eaadf1b36b1614c5e1c3f3841e1 Mon Sep 17 00:00:00 2001
-From: Benjamin Gordon
-Date: Thu, 3 Jan 2019 15:25:56 -0800
-Subject: fs/proc/base.c: use ns_capable instead of capable for timerslack_ns
-
-[ Upstream commit 8da0b4f692c6d90b09c91f271517db746a22ff67 ]
-
-Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
-in its effective capability set, but the current check looks in the root
-namespace instead of the process' user namespace. Since a process is
-allowed to do other activities controlled by CAP_SYS_NICE inside a
-namespace, it should also be able to adjust timerslack_ns.
-
-Link: http://lkml.kernel.org/r/20181030180012.232896-1-bmgordon@google.com
-Signed-off-by: Benjamin Gordon
-Acked-by: "Eric W. Biederman"
-Cc: John Stultz
-Cc: "Eric W. Biederman"
-Cc: Kees Cook
-Cc: "Serge E. Hallyn"
-Cc: Thomas Gleixner
-Cc: Arjan van de Ven
-Cc: Oren Laadan
-Cc: Ruchi Kandoi
-Cc: Rom Lemarchand
-Cc: Todd Kjos
-Cc: Colin Cross
-Cc: Nick Kralevich
-Cc: Dmitry Shmidt
-Cc: Elliott Hughes
-Cc: Alexey Dobriyan
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Sasha Levin
----
- fs/proc/base.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 9063738ff1f0..e26155a97afa 100644
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -2374,10 +2374,13 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
- return -ESRCH;
-
- if (p != current) {
-- if (!capable(CAP_SYS_NICE)) {
-+ rcu_read_lock();
-+ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
-+ rcu_read_unlock();
- count = -EPERM;
- goto out;
- }
-+ rcu_read_unlock();
-
- err = security_task_setscheduler(p);
- if (err) {
-@@ -2410,11 +2413,14 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
- return -ESRCH;
-
- if (p != current) {
--
-- if (!capable(CAP_SYS_NICE)) {
-+ rcu_read_lock();
-+ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
-+ rcu_read_unlock();
- err = -EPERM;
- goto out;
- }
-+ rcu_read_unlock();
-+
- err = security_task_getscheduler(p);
- if (err)
- goto out;
---
-2.19.1
-
diff --git a/queue-4.14/series b/queue-4.14/series
index 9c554806d67..a7ba92a692f 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -153,7 +153,6 @@ thermal-bcm2835-enable-hwmon-explicitly.patch
 kdb-don-t-back-trace-on-a-cpu-that-didn-t-round-up.patch
 thermal-generic-adc-fix-adc-to-temp-interpolation.patch
 hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch
-fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
 kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch
 proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch
 kernel-hung_task.c-force-console-verbose-before-pani.patch
diff --git a/queue-4.19/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch b/queue-4.19/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
deleted file mode 100644
index 3d61d17c631..00000000000
--- a/queue-4.19/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 2c958c7aae5c4f565afc38d4851650552d933235 Mon Sep 17 00:00:00 2001
-From: Benjamin Gordon
-Date: Thu, 3 Jan 2019 15:25:56 -0800
-Subject: fs/proc/base.c: use ns_capable instead of capable for timerslack_ns
-
-[ Upstream commit 8da0b4f692c6d90b09c91f271517db746a22ff67 ]
-
-Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
-in its effective capability set, but the current check looks in the root
-namespace instead of the process' user namespace. Since a process is
-allowed to do other activities controlled by CAP_SYS_NICE inside a
-namespace, it should also be able to adjust timerslack_ns.
-
-Link: http://lkml.kernel.org/r/20181030180012.232896-1-bmgordon@google.com
-Signed-off-by: Benjamin Gordon
-Acked-by: "Eric W. Biederman"
-Cc: John Stultz
-Cc: "Eric W. Biederman"
-Cc: Kees Cook
-Cc: "Serge E. Hallyn"
-Cc: Thomas Gleixner
-Cc: Arjan van de Ven
-Cc: Oren Laadan
-Cc: Ruchi Kandoi
-Cc: Rom Lemarchand
-Cc: Todd Kjos
-Cc: Colin Cross
-Cc: Nick Kralevich
-Cc: Dmitry Shmidt
-Cc: Elliott Hughes
-Cc: Alexey Dobriyan
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Sasha Levin
----
- fs/proc/base.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 7e9f07bf260d..5bdcf2159ff0 100644
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -2356,10 +2356,13 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
- return -ESRCH;
-
- if (p != current) {
-- if (!capable(CAP_SYS_NICE)) {
-+ rcu_read_lock();
-+ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
-+ rcu_read_unlock();
- count = -EPERM;
- goto out;
- }
-+ rcu_read_unlock();
-
- err = security_task_setscheduler(p);
- if (err) {
-@@ -2392,11 +2395,14 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
- return -ESRCH;
-
- if (p != current) {
--
-- if (!capable(CAP_SYS_NICE)) {
-+ rcu_read_lock();
-+ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
-+ rcu_read_unlock();
- err = -EPERM;
- goto out;
- }
-+ rcu_read_unlock();
-+
- err = security_task_getscheduler(p);
- if (err)
- goto out;
---
-2.19.1
-
diff --git a/queue-4.19/series b/queue-4.19/series
index 9daf7a57a82..dc6e593a883 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -233,7 +233,6 @@ pci-imx-enable-msi-from-downstream-components.patch
 thermal-generic-adc-fix-adc-to-temp-interpolation.patch
 hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch
 arm64-sve-ptrace-fix-sve_pt_regs_offset-definition.patch
-fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
 kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch
 proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch
 kernel-hung_task.c-force-console-verbose-before-pani.patch
diff --git a/queue-4.20/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch b/queue-4.20/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
deleted file mode 100644
index 36a8e0b356f..00000000000
--- a/queue-4.20/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 3152c5232570b2d8b57bf8edfbe594c76c46e139 Mon Sep 17 00:00:00 2001
-From: Benjamin Gordon
-Date: Thu, 3 Jan 2019 15:25:56 -0800
-Subject: fs/proc/base.c: use ns_capable instead of capable for timerslack_ns
-
-[ Upstream commit 8da0b4f692c6d90b09c91f271517db746a22ff67 ]
-
-Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
-in its effective capability set, but the current check looks in the root
-namespace instead of the process' user namespace. Since a process is
-allowed to do other activities controlled by CAP_SYS_NICE inside a
-namespace, it should also be able to adjust timerslack_ns.
-
-Link: http://lkml.kernel.org/r/20181030180012.232896-1-bmgordon@google.com
-Signed-off-by: Benjamin Gordon
-Acked-by: "Eric W. Biederman"
-Cc: John Stultz
-Cc: "Eric W. Biederman"
-Cc: Kees Cook
-Cc: "Serge E. Hallyn"
-Cc: Thomas Gleixner
-Cc: Arjan van de Ven
-Cc: Oren Laadan
-Cc: Ruchi Kandoi
-Cc: Rom Lemarchand
-Cc: Todd Kjos
-Cc: Colin Cross
-Cc: Nick Kralevich
-Cc: Dmitry Shmidt
-Cc: Elliott Hughes
-Cc: Alexey Dobriyan
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Sasha Levin
----
- fs/proc/base.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index ce3465479447..98525af0953e 100644
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -2356,10 +2356,13 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
- return -ESRCH;
-
- if (p != current) {
-- if (!capable(CAP_SYS_NICE)) {
-+ rcu_read_lock();
-+ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
-+ rcu_read_unlock();
- count = -EPERM;
- goto out;
- }
-+ rcu_read_unlock();
-
- err = security_task_setscheduler(p);
- if (err) {
-@@ -2392,11 +2395,14 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
- return -ESRCH;
-
- if (p != current) {
--
-- if (!capable(CAP_SYS_NICE)) {
-+ rcu_read_lock();
-+ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
-+ rcu_read_unlock();
- err = -EPERM;
- goto out;
- }
-+ rcu_read_unlock();
-+
- err = security_task_getscheduler(p);
- if (err)
- goto out;
---
-2.19.1
-
diff --git a/queue-4.20/series b/queue-4.20/series
index ea2d9d11412..751b1a7cac0 100644
--- a/queue-4.20/series
+++ b/queue-4.20/series
@@ -274,7 +274,6 @@ block-swim3-fix-regression-on-powerbook-g3.patch
 thermal-generic-adc-fix-adc-to-temp-interpolation.patch
 hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch
 arm64-sve-ptrace-fix-sve_pt_regs_offset-definition.patch
-fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
 kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch
 proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch
 kernel-hung_task.c-force-console-verbose-before-pani.patch
diff --git a/queue-4.9/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch b/queue-4.9/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
deleted file mode 100644
index 0499a963403..00000000000
--- a/queue-4.9/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 161c6ea33a40f3775d2af91f3ae20c89048a3c19 Mon Sep 17 00:00:00 2001
-From: Benjamin Gordon
-Date: Thu, 3 Jan 2019 15:25:56 -0800
-Subject: fs/proc/base.c: use ns_capable instead of capable for timerslack_ns
-
-[ Upstream commit 8da0b4f692c6d90b09c91f271517db746a22ff67 ]
-
-Access to timerslack_ns is controlled by a process having CAP_SYS_NICE
-in its effective capability set, but the current check looks in the root
-namespace instead of the process' user namespace. Since a process is
-allowed to do other activities controlled by CAP_SYS_NICE inside a
-namespace, it should also be able to adjust timerslack_ns.
-
-Link: http://lkml.kernel.org/r/20181030180012.232896-1-bmgordon@google.com
-Signed-off-by: Benjamin Gordon
-Acked-by: "Eric W. Biederman"
-Cc: John Stultz
-Cc: "Eric W. Biederman"
-Cc: Kees Cook
-Cc: "Serge E. Hallyn"
-Cc: Thomas Gleixner
-Cc: Arjan van de Ven
-Cc: Oren Laadan
-Cc: Ruchi Kandoi
-Cc: Rom Lemarchand
-Cc: Todd Kjos
-Cc: Colin Cross
-Cc: Nick Kralevich
-Cc: Dmitry Shmidt
-Cc: Elliott Hughes
-Cc: Alexey Dobriyan
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Sasha Levin
----
- fs/proc/base.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 79702d405ba7..f73de326c630 100644
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -2337,10 +2337,13 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
- return -ESRCH;
-
- if (p != current) {
-- if (!capable(CAP_SYS_NICE)) {
-+ rcu_read_lock();
-+ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
-+ rcu_read_unlock();
- count = -EPERM;
- goto out;
- }
-+ rcu_read_unlock();
-
- err = security_task_setscheduler(p);
- if (err) {
-@@ -2373,11 +2376,14 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
- return -ESRCH;
-
- if (p != current) {
--
-- if (!capable(CAP_SYS_NICE)) {
-+ rcu_read_lock();
-+ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) {
-+ rcu_read_unlock();
- err = -EPERM;
- goto out;
- }
-+ rcu_read_unlock();
-+
- err = security_task_getscheduler(p);
- if (err)
- goto out;
---
-2.19.1
-
diff --git a/queue-4.9/series b/queue-4.9/series
index 9c50e6fe774..72601b5ba00 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -94,7 +94,6 @@ fsl-fman-use-gfp_atomic-in-memac-tgec-_add_hash_mac_.patch
 block-swim3-fix-ebusy-error-when-re-opening-device-a.patch
 thermal-generic-adc-fix-adc-to-temp-interpolation.patch
 hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch
-fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch
 kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch
 proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch
 fs-epoll-drop-ovflist-branch-prediction.patch