agp: remove uid comparison as security check
In the face of containers and user namespaces, a uid==0 check for security is not safe. Switch to a capability check. I'm not sure I picked the right capability, but this being AGP CAP_SYS_RAWIO seemed to make sense. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
This commit is contained in:
parent
1fa4db7d30
commit
62f29babbc
|
@ -689,7 +689,7 @@ static int agp_open(struct inode *inode, struct file *file)
|
|||
set_bit(AGP_FF_ALLOW_CLIENT, &priv->access_flags);
|
||||
priv->my_pid = current->pid;
|
||||
|
||||
if ((current->uid == 0) || (current->suid == 0)) {
|
||||
if (capable(CAP_SYS_RAWIO)) {
|
||||
/* Root priv, can be controller */
|
||||
set_bit(AGP_FF_ALLOW_CONTROLLER, &priv->access_flags);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue