From: "Serge E. Hallyn" <serge@hallyn.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: linux-kernel@vger.kernel.org,
	containers@lists.linux-foundation.org, dhowells@redhat.com,
	ebiederm@xmission.com,
	"Serge E. Hallyn" <serge.hallyn@canonical.com>
Subject: Re: [RFC PATCH 08/14] af_netlink.c: make netlink_capable userns-aware
Date: Wed, 13 Jul 2011 02:02:23 +0000
Message-ID: <20110713020223.GA14187@hallyn.com>
In-Reply-To: <1310520819.2634.6.camel@edumazet-laptop>

Quoting Eric Dumazet (eric.dumazet@gmail.com):
> On Tuesday, 12 July 2011 at 23:30 +0000, Serge Hallyn wrote:
> > From: Serge E. Hallyn <serge.hallyn@canonical.com>
> > 
> > netlink_capable should check for permissions against the user
> > namespace owning the socket in question.
> > 
> > Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
> > Cc: Eric W. Biederman <ebiederm@xmission.com>
> > ---
> >  net/netlink/af_netlink.c |   11 +++++++++--
> >  1 files changed, 9 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> > index 6ef64ad..81c1099 100644
> > --- a/net/netlink/af_netlink.c
> > +++ b/net/netlink/af_netlink.c
> > @@ -580,8 +580,15 @@ retry:
> >  
> >  static inline int netlink_capable(struct socket *sock, unsigned int flag)
> >  {
> > -	return (nl_table[sock->sk->sk_protocol].nl_nonroot & flag) ||
> > -	       capable(CAP_NET_ADMIN);
> > +	struct net *net;
> > +	if (nl_table[sock->sk->sk_protocol].nl_nonroot & flag)
> > +		return 1;
> > +#ifdef CONFIG_NET_NS
> > +	net = sock->sk->sk_net;
> > +#else
> > +	net = &init_net;
> > +#endif
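
Review bot: the `#ifdef CONFIG_NET_NS` / `#else` block in netlink_capable() open-codes the socket-to-namespace lookup, which the existing sock_net() accessor already handles for both configurations; only `sock` is in scope in this function, so the call would be `net = sock_net(sock->sk);`. Kernel style also wants a blank line between the `struct net *net;` declaration and the first `if`. The changelog speaks of the user namespace owning the socket, while the visible lines resolve a `struct net`, so a one-line comment saying that the check targets the user namespace of the socket's network namespace would make the intent clear to later readers.
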
> 
> This is really ugly, please use :
> 
> 	net = sock_net(sk);
> 
> And no more #ifdef

thanks, will do!
