
Commit 62f29bab authored by serue@us.ibm.com, committed by Dave Airlie

agp: remove uid comparison as security check



In the face of containers and user namespaces, a uid==0 check for
security is not safe.  Switch to a capability check.

I'm not sure I picked the right capability, but this being AGP
CAP_SYS_RAWIO seemed to make sense.

Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Dave Airlie <airlied@linux.ie>
parent 1fa4db7d
+1 −1
@@ -689,7 +689,7 @@ static int agp_open(struct inode *inode, struct file *file)
	set_bit(AGP_FF_ALLOW_CLIENT, &priv->access_flags);
	priv->my_pid = current->pid;

	if ((current->uid == 0) || (current->suid == 0)) {
	if (capable(CAP_SYS_RAWIO)) {
		/* Root priv, can be controller */
		set_bit(AGP_FF_ALLOW_CONTROLLER, &priv->access_flags);
	}
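
Review bot: the condition replaced in agp_open() also accepted current->suid == 0, while capable(CAP_SYS_RAWIO) looks only at the task's effective capability set, so a task whose real or saved uid is 0 but which does not currently hold CAP_SYS_RAWIO no longer gets AGP_FF_ALLOW_CONTROLLER. That tightening looks intended, but the commit message should say so explicitly, since existing users that relied on the saved-uid path will see a behaviour change. The comment "Root priv, can be controller" is also stale after this change and should name the capability instead, for example "CAP_SYS_RAWIO, can be controller". Given the stated uncertainty about the capability choice, a line in the message explaining why CAP_SYS_RAWIO fits controller access would help later readers.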