[PATCH] RDMA/uverbs: Consider capability of the process that opens the file
Eric W. Biederman
ebiederm at xmission.com
Tue Apr 29 03:56:13 UTC 2025
"Eric W. Biederman" <ebiederm at xmission.com> writes:
> Jason Gunthorpe <jgg at nvidia.com> writes:
>
>> It sounds like we just totally ignore current->cred->user_ns from the
>> rdma subsystem perspective?
>
> Since you don't allow anything currently to happen in a user namespace
> that is completely reasonable.
>
> Once ns_capable checks start being added that changes.
My apologies, I misspoke.
Where infiniband currently uses current->cred->user_ns is in calls to
"capable()".
That will continue if those calls are relaxed to "ns_capable()".
All of which makes sense fundamentally because the only place it
really makes sense to look at the credentials of a process is in
the permission checks.
Eric
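To make the capable() versus ns_capable() distinction in the message concrete, here is an added user-space model of the kernel's capability check (an illustration written for this page, not code from the patch, from Eric, or from the kernel). The structs, names and sample credentials are simplified stand-ins for the real kernel types; the walk up the namespace chain follows the logic of cap_capable() in security/commoncap.c, where capable(cap) is ns_capable() against the initial user namespace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified stand-ins for the kernel's struct user_namespace and
 * struct cred (hypothetical, for illustration only). */
#define CAP_NET_RAW 13   /* number from the uapi capability list */

struct user_namespace {
    struct user_namespace *parent;
    int level;      /* depth below the initial namespace (0 = init) */
    uid_t owner;    /* uid, in the parent namespace, that created it */
};

struct cred {
    struct user_namespace *user_ns;
    uid_t euid;
    unsigned long cap_effective;   /* capability bitmask */
};

struct user_namespace init_user_ns = { .parent = NULL, .level = 0, .owner = 0 };
/* constructed child namespace created by uid 1000 of the init namespace */
struct user_namespace child_ns = { .parent = &init_user_ns, .level = 1, .owner = 1000 };

/* Model of ns_capable(): does cred hold cap as seen from target ns? */
bool model_ns_capable(const struct cred *cred, struct user_namespace *ns, int cap)
{
    for (;;) {
        /* same namespace: consult the effective capability set */
        if (ns == cred->user_ns)
            return (cred->cap_effective >> cap) & 1UL;
        /* target is at or above the cred's own namespace: no capability */
        if (ns->level <= cred->user_ns->level)
            return false;
        /* the creator of a child namespace has full capabilities in it */
        if (ns->parent == cred->user_ns && ns->owner == cred->euid)
            return true;
        ns = ns->parent;
    }
}

/* Model of capable(): the check against the initial user namespace */
bool model_capable(const struct cred *cred, int cap)
{
    return model_ns_capable(cred, &init_user_ns, cap);
}

/* Constructed sample credentials */
const struct cred child_proc = { .user_ns = &child_ns, .euid = 0,
                                 .cap_effective = 1UL << CAP_NET_RAW };
const struct cred init_root = { .user_ns = &init_user_ns, .euid = 0,
                                .cap_effective = ~0UL };
const struct cred init_user1000 = { .user_ns = &init_user_ns, .euid = 1000,
                                    .cap_effective = 0 };

int main(void)
{
    printf("child proc: capable=%d ns_capable(child)=%d\n",
           model_capable(&child_proc, CAP_NET_RAW),
           model_ns_capable(&child_proc, &child_ns, CAP_NET_RAW));
    printf("init uid 1000: capable=%d ns_capable(child)=%d\n",
           model_capable(&init_user1000, CAP_NET_RAW),
           model_ns_capable(&init_user1000, &child_ns, CAP_NET_RAW));
    return 0;
}
```

The model shows why relaxing a capable() call to ns_capable() changes who passes: a process that is "root" only inside a child user namespace fails the init-namespace check but passes when the check is scoped to its own namespace, and the unprivileged creator of that namespace passes the scoped check as well. Whichever form the permission check takes, the credential it consults is the one thing that has to be chosen deliberately, which is the point the message makes.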