On Fri, Feb 01, 2013 at 10:30:59AM +0800, Gao feng wrote:
> Since the mdb table belongs to the bridge device, and the
> bridge device can only be seen in one netns,
> it's safe to allow an unprivileged user who is the
> creator of the userns and netns to modify the mdb table.
>
> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
> ---
> net/bridge/br_mdb.c | 3 ---
> 1 file changed, 3 deletions(-)
>
> diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
> index acc9f4c..38991e0 100644
> --- a/net/bridge/br_mdb.c
> +++ b/net/bridge/br_mdb.c
> @@ -272,9 +272,6 @@ static int br_mdb_parse(struct sk_buff *skb, struct nlmsghdr *nlh,
> struct net_device *dev;
> int err;
>
> - if (!capable(CAP_NET_ADMIN))
> - return -EPERM;
> -

I'm wondering why this doesn't follow the:

...
- if (!capable(CAP_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))

pattern like the rest of the changes you provided. Perhaps I'm neglecting
something, but it looks wrong to remove the CAP_NET_ADMIN check entirely.

Cheers,
-Matt Helsley

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
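Review bot: the hunk in br_mdb_parse() deletes the `if (!capable(CAP_NET_ADMIN)) return -EPERM;` lines and substitutes nothing, so in the visible code the function is left with no capability check at all, which is a privilege-check regression rather than the namespace-scoped relaxation the commit message argues for. The stated rationale (the bridge is visible in only one netns, so the creator of that netns and its userns may modify the table) justifies checking the owning user namespace, not dropping the check; replace the removed lines with `if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) return -EPERM;` as the rest of the series does, and note that the visible context declares only `dev` and `err`, so a `net` pointer for the owning netns must also be in scope at that point. The commit message should then describe the check as being scoped to the owning user namespace rather than removed.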