On 2013/02/01 11:46, Matt Helsley wrote: > On Fri, Feb 01, 2013 at 10:30:59AM +0800, Gao feng wrote: >> since the mdb table is belong to bridge device,and the >> bridge device can only be seen in one netns. >> So it's safe to allow unprivileged user which is the >> creator of userns and netns to modify the mdb table. >> >> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx> >> --- >> net/bridge/br_mdb.c | 3 --- >> 1 file changed, 3 deletions(-) >> >> diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c >> index acc9f4c..38991e0 100644 >> --- a/net/bridge/br_mdb.c >> +++ b/net/bridge/br_mdb.c >> @@ -272,9 +272,6 @@ static int br_mdb_parse(struct sk_buff *skb, struct nlmsghdr *nlh, >> struct net_device *dev; >> int err; >> >> - if (!capable(CAP_NET_ADMIN)) >> - return -EPERM; >> - > > I'm wondering why this doesn't follow the: > > ... > - if (!capable(CAP_NET_ADMIN)) > + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) > > pattern like the rest of the changes you provided. Perhaps I'm > neglecting something but it looks wrong to remove the CAP_NET_ADMIN > check entirely. > rtnetlink_rcv_msg has done this job,in commit dfc47ef8639facd77210e74be831943c2fdd9c74 Eric change capable to ns_capable in rtnetlink_rcv_msg and Push capable(CAP_NET_ADMIN) into the rtnl methods.So we only need to do is remove this capable in br_mdb_parse. Thanks! _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
