[PATCH] RDMA/uverbs: Consider capability of the process that opens the file
Parav Pandit
parav at nvidia.com
Tue Apr 29 10:39:39 UTC 2025
> From: Eric W. Biederman <ebiederm at xmission.com>
> Sent: Monday, April 28, 2025 10:34 PM
[..]
> > I said "user_ns of the netns"? Credentials of the process is
> > something else?
>
> Exactly, the credentials of a process are not:
> current->nsproxy->net_ns->user_ns; /* Not this */
>
> The credentials of a process are:
> current->cred; /* This */
>
> With current->cred->user_ns the current process's user namespace.
>
I am confused by your above response.
In response [1], you described that the net ns is the resource,
hence the resource's user namespace is considered.
And your response [1] also aligns with the existing code in [2] and many similar conversions done by your commit 276996fda0f33.
[1] https://lore.kernel.org/linux-rdma/87ikmnd3j6.fsf@email.froward.int.ebiederm.org/T/#me5983d8248de0ff9670644c57d71009debaedd6f
[2] https://elixir.bootlin.com/linux/v6.14.3/source/net/ipv4/af_inet.c#L314
So in infiniband, when I replace the existing capable() with ns_capable(),
shouldn't I use current->nsproxy->net_ns->user_ns following [1] and [2], because for infiniband too, the resource is the net namespace?