summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/fs
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/sentry/fs')
-rw-r--r--pkg/sentry/fs/inode.go5
-rw-r--r--pkg/sentry/fs/proc/README.md2
-rw-r--r--pkg/sentry/fs/proc/fds.go5
-rw-r--r--pkg/sentry/fs/proc/task.go2
4 files changed, 3 insertions, 11 deletions
diff --git a/pkg/sentry/fs/inode.go b/pkg/sentry/fs/inode.go
index 95769ccf8..38b140bd2 100644
--- a/pkg/sentry/fs/inode.go
+++ b/pkg/sentry/fs/inode.go
@@ -439,10 +439,7 @@ func (i *Inode) CheckOwnership(ctx context.Context) bool {
// CheckCapability checks whether `ctx` has capability `cp` with respect to
// operations on this Inode.
//
-// Compare Linux's kernel/capability.c:capable_wrt_inode_uidgid(). Note that
-// this function didn't exist in Linux 3.11.10, but was added by upstream
-// 23adbe12ef7d "fs,userns: Change inode_capable to capable_wrt_inode_uidgid"
-// to fix local privilege escalation CVE-2014-4014.
+// Compare Linux's kernel/capability.c:capable_wrt_inode_uidgid().
func (i *Inode) CheckCapability(ctx context.Context, cp linux.Capability) bool {
uattr, err := i.UnstableAttr(ctx)
if err != nil {
diff --git a/pkg/sentry/fs/proc/README.md b/pkg/sentry/fs/proc/README.md
index e1ed88512..686d40f0c 100644
--- a/pkg/sentry/fs/proc/README.md
+++ b/pkg/sentry/fs/proc/README.md
@@ -223,7 +223,7 @@ Number of seconds idle | Always zero
```bash
$ cat /proc/version
-Linux version 3.11.10 #1 SMP Fri Nov 29 10:47:50 PST 2013
+Linux version 4.4 #1 SMP Sun Jan 10 15:06:54 PST 2016
```
## Process-specific data
diff --git a/pkg/sentry/fs/proc/fds.go b/pkg/sentry/fs/proc/fds.go
index 5ebb33703..5acbce75e 100644
--- a/pkg/sentry/fs/proc/fds.go
+++ b/pkg/sentry/fs/proc/fds.go
@@ -173,11 +173,6 @@ func (f *fdDir) Check(ctx context.Context, inode *fs.Inode, req fs.PermMask) boo
if t := kernel.TaskFromContext(ctx); t != nil {
// Allow access if the task trying to access it is in the
// thread group corresponding to this directory.
- //
- // N.B. Technically, in Linux 3.11, this compares what would be
- // the equivalent of task pointers. However, this was fixed
- // later in 54708d2858e7 ("proc: actually make
- // proc_fd_permission() thread-friendly").
if f.t.ThreadGroup() == t.ThreadGroup() {
return true
}
diff --git a/pkg/sentry/fs/proc/task.go b/pkg/sentry/fs/proc/task.go
index 404faea0a..9f13ff91c 100644
--- a/pkg/sentry/fs/proc/task.go
+++ b/pkg/sentry/fs/proc/task.go
@@ -76,7 +76,7 @@ func newTaskDir(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace
"gid_map": newGIDMap(t, msrc),
// TODO: This is incorrect for /proc/[pid]/task/[tid]/io, i.e. if
// showSubtasks is false:
- // http://lxr.free-electrons.com/source/fs/proc/base.c?v=3.11#L2980
+ // https://elixir.bootlin.com/linux/v4.4/source/fs/proc/base.c#L3154
"io": newIO(t, msrc),
"maps": newMaps(t, msrc),
"mountinfo": seqfile.NewSeqFileInode(t, &mountInfoFile{t: t}, msrc),