Glauber Costa <glommer@xxxxxxxxxxxxx> writes:

> On 11/16/2012 05:03 PM, Eric W. Biederman wrote:
>> + if (!capable(CAP_NET_ADMIN))
>> + return -EPERM;
>> +
>> return netdev_store(dev, attr, buf, len, change_tx_queue_len);
>
> You mean ns_capable here?

No. There I meant capable.

I deliberately call capable here because I don't understand the tx_queue_len well enough to be certain it is safe to relax that check to be just ns_capable.

My gut feel is that allowing an unprivileged user to be able to arbitrarily change the tx_queue_len on a networking device would be a nice way to allow queuing as many network packets as you would like with kernel memory and DOSing the machine.

So since with a quick read of the code I could not convince myself it was safe to allow unprivileged users to change tx_queue_len I left it protected by capable. While at the same time I relaxed the check in netdev_store to be ns_capable.

Eric
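
Review bot: the added `if (!capable(CAP_NET_ADMIN))` check in front of `return netdev_store(dev, attr, buf, len, change_tx_queue_len);` carries no comment explaining why it is the global `capable` check, and the same question ("You mean ns_capable here?") is likely to come up again from anyone reading the code next to a `netdev_store` that has been relaxed to `ns_capable`. A short comment above the check would help, saying that tx_queue_len deliberately stays behind `capable(CAP_NET_ADMIN)` because it has not been shown that letting an unprivileged user in a namespace raise it cannot be used to pin kernel memory with queued packets. It would also be worth stating in the commit message that this store path now performs two capability checks, the stricter one here and the `ns_capable` one inside `netdev_store`, so the stricter one is not later removed as redundant.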