Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit df008c91 authored Nov 16, 2012 by Eric W. Biederman Committed by David S. Miller Nov 18, 2012

net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm



Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

Allow creation of af_key sockets.
Allow creation of llc sockets.
Allow creation of af_packet sockets.

Allow sending xfrm netlink control messages.

Allow binding to netlink multicast groups.
Allow sending to netlink multicast groups.
Allow adding and dropping netlink multicast groups.
Allow sending to all netlink multicast groups and port ids.

Allow reading the netfilter SO_IP_SET socket option.
Allow sending netfilter netlink messages.
Allow setting and getting ip_vs netfilter socket options.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent af31f412

net/key/af_key.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -141,7 +141,7 @@ static int pfkey_create(struct net net, struct socket sock, int protocol,
		struct sock *sk;
		int err;

		if (!capable(CAP_NET_ADMIN))
		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
		return -EPERM;
		if (sock->type != SOCK_RAW)
		return -ESOCKTNOSUPPORT;

net/llc/af_llc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -160,7 +160,7 @@ static int llc_ui_create(struct net net, struct socket sock, int protocol,
		struct sock *sk;
		int rc = -ESOCKTNOSUPPORT;

		if (!capable(CAP_NET_RAW))
		if (!ns_capable(net->user_ns, CAP_NET_RAW))
		return -EPERM;

		if (!net_eq(net, &init_net))

net/netfilter/ipset/ip_set_core.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1643,7 +1643,7 @@ ip_set_sockfn_get(struct sock sk, int optval, void __user user, int *len)
		void *data;
		int copylen = *len, ret = 0;

		if (!capable(CAP_NET_ADMIN))
		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
		return -EPERM;
		if (optval != SO_IP_SET)
		return -EBADF;

net/netfilter/ipvs/ip_vs_ctl.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2339,7 +2339,7 @@ do_ip_vs_set_ctl(struct sock sk, int cmd, void __user user, unsigned int len)
		struct ip_vs_dest_user_kern udest;
		struct netns_ipvs *ipvs = net_ipvs(net);

		if (!capable(CAP_NET_ADMIN))
		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
		return -EPERM;

		if (cmd < IP_VS_BASE_CTL \|\| cmd > IP_VS_SO_SET_MAX)
		@@ -2632,7 +2632,7 @@ do_ip_vs_get_ctl(struct sock sk, int cmd, void __user user, int *len)
		struct netns_ipvs *ipvs = net_ipvs(net);

		BUG_ON(!net);
		if (!capable(CAP_NET_ADMIN))
		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
		return -EPERM;

		if (cmd < IP_VS_BASE_CTL \|\| cmd > IP_VS_SO_GET_MAX)

net/netfilter/nfnetlink.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -138,7 +138,7 @@ static int nfnetlink_rcv_msg(struct sk_buff skb, struct nlmsghdr nlh)
		const struct nfnetlink_subsystem *ss;
		int type, err;

		if (!capable(CAP_NET_ADMIN))
		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
		return -EPERM;

		/* All the messages must at least contain nfgenmsg */