On Tue, Jul 09, 2019 at 05:28:35PM +0200, Ondrej Mosnacek wrote:
>
> I admit I'm not an expert on Linux namespaces, but aren't you
> confusing network and user namespaces? Unless I'm mistaken, these
> changes only affect _network_ namespaces (which only isolate the
> network stuff itself) and the semantics of the netlink_capable(skb,
> CAP_NET_ADMIN) calls remain unchanged - they check if the opener of
> the socket has the CAP_NET_ADMIN capability within the global _user_
> namespace.

Good point. I think your patch should be OK then.

Thanks,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt