From: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx> netlink_capable should check for permissions against the user namespace owning the socket in question. Signed-off-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx> Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> --- net/netlink/af_netlink.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 6ef64ad..81c1099 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -580,8 +580,15 @@ retry: static inline int netlink_capable(struct socket *sock, unsigned int flag) { - return (nl_table[sock->sk->sk_protocol].nl_nonroot & flag) || - capable(CAP_NET_ADMIN); + struct net *net; + if (nl_table[sock->sk->sk_protocol].nl_nonroot & flag) + return 1; +#ifdef CONFIG_NET_NS + net = sock->sk->sk_net; +#else + net = &init_net; +#endif + return ns_capable(net->user_ns, CAP_NET_ADMIN); } static void -- 1.7.4.1 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
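Review bot: the `#ifdef CONFIG_NET_NS` / `net = sock->sk->sk_net;` / `net = &init_net;` block in netlink_capable() open-codes what the existing `sock_net()` helper already does (it returns `&init_net` when CONFIG_NET_NS is off), so the local and the ifdef can go and the tail of the function can be `return ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);`. Two smaller points on the same hunk: the commit message says the check is made against the user namespace owning the socket, but the code checks the user namespace that owns the socket's network namespace (`net->user_ns`), which is the right scope for CAP_NET_ADMIN, so the log should say that; and `ns_capable()` evaluates the credentials of `current`, not of whoever opened the socket, so this relaxation is only safe on paths where the task issuing the netlink request is the one that owns the socket, since any task holding CAP_NET_ADMIN in the owning user namespace now passes the check for that netns.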