On Tuesday, 12 July 2011 at 23:30 +0000, Serge Hallyn wrote:
> From: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx> > > netlink_capable should check for permissions against the user > namespace owning the socket in question. > > Signed-off-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxxxxx> > Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> > --- > net/netlink/af_netlink.c | 11 +++++++++-- > 1 files changed, 9 insertions(+), 2 deletions(-) > > diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c > index 6ef64ad..81c1099 100644 > --- a/net/netlink/af_netlink.c > +++ b/net/netlink/af_netlink.c > @@ -580,8 +580,15 @@ retry: > > static inline int netlink_capable(struct socket *sock, unsigned int flag) > { > - return (nl_table[sock->sk->sk_protocol].nl_nonroot & flag) || > - capable(CAP_NET_ADMIN); > + struct net *net; > + if (nl_table[sock->sk->sk_protocol].nl_nonroot & flag) > + return 1; > +#ifdef CONFIG_NET_NS > + net = sock->sk->sk_net; > +#else > + net = &init_net; > +#endif

This is really ugly, please use:

	net = sock_net(sk);

And no more #ifdef
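
Review bot: the #ifdef CONFIG_NET_NS / #else block in netlink_capable() open-codes the namespace lookup, and because the function only receives struct socket *sock (there is no local sk), the accessor call has to take sock->sk as its argument: net = sock_net(sock->sk);. That keeps the conditional compilation out of this function. A smaller style point in the same hunk: struct net *net; is followed directly by the if (nl_table[...].nl_nonroot & flag) statement, and kernel style wants a blank line between declarations and code. The quoted hunk stops at #endif, so the capability check that consumes net is not visible here and cannot be commented on.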