The patch titled
     tun/tap: allow group ownership of TUN/TAP devices
has been added to the -mm tree.  Its filename is
     tun-tap-allow-group-ownership-of-tun-tap-devices.patch

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: tun/tap: allow group ownership of TUN/TAP devices
From: Guido Guenther <agx@xxxxxxxxxxx>

Jeff Dike <jdike@xxxxxxxxxxx> says:

I received from Guido Guenther the patch below to the TUN/TAP driver which
allows group ownerships to be effective.  It seems reasonable to me.

Allow tun ownership by group.  We found this useful since we can then spawn
tapX devices on system boot (via /etc/network/interfaces) which logged on
users can then use for their virtual machines.

We introduced a new ioctl for the group setting.  The user now is allowed to
send packages if either his euid or his egid matches the one specified via
tunctl (via -u or -g respectively).  If both gid and uid are set via tunctl,
both have to match.

Acked-by: Max Krasnyansky <maxk@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 drivers/net/tun.c      |   15 +++++++++++++--
 include/linux/if_tun.h |    2 ++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff -puN drivers/net/tun.c~tun-tap-allow-group-ownership-of-tun-tap-devices drivers/net/tun.c --- a/drivers/net/tun.c~tun-tap-allow-group-ownership-of-tun-tap-devices +++ a/drivers/net/tun.c @@ -432,6 +432,7 @@ static void tun_setup(struct net_device init_waitqueue_head(&tun->read_wait); tun->owner = -1; + tun->group = -1; SET_MODULE_OWNER(dev); dev->open = tun_net_open;
@@ -467,8 +468,11 @@ static int tun_set_iff(struct file *file return -EBUSY; /* Check permissions */ - if (tun->owner != -1 && - current->euid != tun->owner && !capable(CAP_NET_ADMIN)) + if (((tun->owner != -1 && + current->euid != tun->owner) || + (tun->group != -1 && + current->egid != tun->group)) && + !capable(CAP_NET_ADMIN)) return -EPERM; } else if (__dev_get_by_name(ifr->ifr_name)) @@ -610,6 +614,13 @@ static int tun_chr_ioctl(struct inode *i DBG(KERN_INFO "%s: owner set to %d\n", tun->dev->name, tun->owner); break; + case TUNSETGROUP: + /* Set group of the device */ + tun->group= (gid_t) arg; + + DBG(KERN_INFO "%s: group set to %d\n", tun->dev->name, tun->group); + break; + case TUNSETLINK: /* Only allow setting the type when the interface is down */ if (tun->dev->flags & IFF_UP) { diff -puN include/linux/if_tun.h~tun-tap-allow-group-ownership-of-tun-tap-devices include/linux/if_tun.h --- a/include/linux/if_tun.h~tun-tap-allow-group-ownership-of-tun-tap-devices +++ a/include/linux/if_tun.h @@ -36,6 +36,7 @@ struct tun_struct { unsigned long flags; int attached; uid_t owner; + gid_t group; wait_queue_head_t read_wait; struct sk_buff_head readq; @@ -78,6 +79,7 @@ struct tun_struct { #define TUNSETPERSIST _IOW('T', 203, int) #define TUNSETOWNER _IOW('T', 204, int) #define TUNSETLINK _IOW('T', 205, int) +#define TUNSETGROUP _IOW('T', 206, int) /* TUNSETIFF ifr flags */ #define IFF_TUN 0x0001
_

Patches currently in -mm which might be from agx@xxxxxxxxxxx are

tun-tap-allow-group-ownership-of-tun-tap-devices.patch
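Review bot: in the tun_setup hunk, `tun->group = -1;` reuses the `-1` "unset" sentinel of `tun->owner`, but `gid_t` (like `uid_t`) is unsigned, so the later `tun->group != -1` tests in tun_set_iff depend on -1 converting to the maximum gid value. That matches the existing owner handling, so it is acceptable as is, but a one-line comment at the initialisation saying that -1 means "no group restriction" would make the permission check easier to read.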
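Review bot: in the tun_set_iff permission hunk, `current->egid != tun->group` consults only the caller's effective gid, not its supplementary groups, so a user who is in the device's group through /etc/group but has a different primary group still gets -EPERM unless they newgrp first; `in_egroup_p(tun->group)` is the usual way to express "caller is a member of this group" here. Note also that the combined condition denies when the owner is set and does not match OR the group is set and does not match, i.e. both must match when both are set; that agrees with the last sentence of the changelog ("both have to match") but not with the "either his euid or his egid matches" sentence before it, so the changelog should state one rule.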
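Review bot: in the tun_chr_ioctl hunk, `tun->group= (gid_t) arg;` is missing the space before `=` (the TUNSETOWNER case just above it has it), and the DBG format prints a `gid_t`, which is unsigned, with `%d`. Like TUNSETOWNER, the new TUNSETGROUP case has no capability check and is reachable by any holder of the device fd; that follows the existing owner model so is consistent, but the new ioctl is not documented anywhere in the patch, and a line next to the TUNSETOWNER description in Documentation/networking/tuntap.txt would be the natural place.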
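Review bot: in the if_tun.h ioctl hunk, `#define TUNSETGROUP _IOW('T', 206, int)` takes the next free number and mirrors `TUNSETOWNER`, which is the right thing for consistency. As with TUNSETOWNER, though, the driver reads the value straight from `arg` (`tun->group= (gid_t) arg;`) rather than through a user pointer, so the `_IOW(..., int)` encoding, which advertises an int passed by pointer, is slightly misleading for both; worth a comment on the define so callers pass the gid by value.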