From: Zhao Hongjiang <zhaohongjiang@xxxxxxxxxx>
HI:
When I use an unprivileged user exec the following command:
# nsexec -cUn /bin/bash
to create a container with new user_ns and net_ns.
Then I exec "echo 4096 4096 4096 > /proc/sys/net/ipv4/tcp_mem",
the result is Permission Denied which we hope it should be allowed.
It is because of capable(CAP_NET_ADMIN).
Even my unprivileged user have the CAP_NET_ADMIN in the new user_ns and the
tcp_mem is belong to the new net_ns, the capable(CAP_NET_ADMIN) checking is
that this must in the init_user_ns, so the result is the network administrator
can't have the same access as root.
Use nsown_capable(...) the problem is solved.
PS: I changed lxc almostly like what serge done, then use an unprivileged user
to start a container, several Permission Denied occur(such as mount), all this
is caused by capabale(...), when i use nsown_capable(...) the container is
running like everything is ok.
Is this capabale() methed is obsolete? If so, i'll send a new patch to solve
all this problems.
Signed-off-by: Zhao Hongjiang<zhaohongjiang@xxxxxxxxxx>
Signed-off-by: Huang Qiang <h.huangqiang@xxxxxxxxxx>
---
net/sysctl_net.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index c3e65ae..ee31777 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -47,7 +47,7 @@ static int net_ctl_permissions(struct ctl_table_root *root,
struct ctl_table *table)
{
/* Allow network administrator to have same access as root. */
- if (capable(CAP_NET_ADMIN)) {
+ if (nsown_capable(CAP_NET_ADMIN)) {
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
}
--
1.7.1
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
