On Fri, Feb 01, 2013 at 11:59:03AM +0800, Gao feng wrote: > On 2013/02/01 11:46, Matt Helsley wrote: > > On Fri, Feb 01, 2013 at 10:30:59AM +0800, Gao feng wrote: > >> since the mdb table is belong to bridge device,and the > >> bridge device can only be seen in one netns. > >> So it's safe to allow unprivileged user which is the > >> creator of userns and netns to modify the mdb table. > >> > >> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx> > >> --- > >> net/bridge/br_mdb.c | 3 --- > >> 1 file changed, 3 deletions(-) > >> > >> diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c > >> index acc9f4c..38991e0 100644 > >> --- a/net/bridge/br_mdb.c > >> +++ b/net/bridge/br_mdb.c > >> @@ -272,9 +272,6 @@ static int br_mdb_parse(struct sk_buff *skb, struct nlmsghdr *nlh, > >> struct net_device *dev; > >> int err; > >> > >> - if (!capable(CAP_NET_ADMIN)) > >> - return -EPERM; > >> - > > > > I'm wondering why this doesn't follow the: > > > > ... > > - if (!capable(CAP_NET_ADMIN)) > > + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) > > > > pattern like the rest of the changes you provided. Perhaps I'm > > neglecting something but it looks wrong to remove the CAP_NET_ADMIN > > check entirely. > > > > rtnetlink_rcv_msg has done this job,in commit dfc47ef8639facd77210e74be831943c2fdd9c74 > Eric change capable to ns_capable in rtnetlink_rcv_msg and Push capable(CAP_NET_ADMIN) > into the rtnl methods.So we only need to do is remove this capable in br_mdb_parse. > > Thanks! OK, thanks! Cheers, -Matt _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
