From: Jakub Kicinski <kuba@kernel.org>
To: "Michael Weiß" <michael.weiss@aisec.fraunhofer.de>
Cc: Paolo Abeni <pabeni@redhat.com>,
Pravin B Shelar <pshelar@ovn.org>,
"David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
netdev@vger.kernel.org, dev@openvswitch.org,
linux-kernel@vger.kernel.org, Joe Stringer <joe@cilium.io>
Subject: Re: [PATCH v2 net 2/2] net: openvswitch: allow conntrack in non-initial user namespace
Date: Thu, 22 Sep 2022 07:03:36 -0700
Message-ID: <20220922070336.623d4150@kernel.org>
In-Reply-To: <20220921011946.250228-3-michael.weiss@aisec.fraunhofer.de>
On Wed, 21 Sep 2022 03:19:46 +0200 Michael Weiß wrote:
> Similar to the previous commit, the Netlink interface of the OVS
> conntrack module was restricted to global CAP_NET_ADMIN by using
> GENL_ADMIN_PERM. This is changed to GENL_UNS_ADMIN_PERM to support
> unprivileged containers in non-initial user namespace.
Should we bump
ct_limit = kmalloc(sizeof(*ct_limit), GFP_KERNEL);
to also be accounted?
Otherwise LGTM, please repost with [PATCH net-next v3] in the subject.
net is for fixes only, and we're quite late in the -rc process.
Please try to CC the original authors as well, for Joe the address
will be Joe Stringer <joe@cilium.io>.
> diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
> index 4e70df91d0f2..9142ba322991 100644
> --- a/net/openvswitch/conntrack.c
> +++ b/net/openvswitch/conntrack.c
> @@ -2252,14 +2252,16 @@ static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info)
> static const struct genl_small_ops ct_limit_genl_ops[] = {
> { .cmd = OVS_CT_LIMIT_CMD_SET,
> .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
> - * privilege. */
> + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
> + * privilege.
> + */
> .doit = ovs_ct_limit_cmd_set,
> },
> { .cmd = OVS_CT_LIMIT_CMD_DEL,
> .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
> - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
> - * privilege. */
> + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
> + * privilege.
> + */
> .doit = ovs_ct_limit_cmd_del,
> },
> { .cmd = OVS_CT_LIMIT_CMD_GET,
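Review bot: the inline comment kept on the OVS_CT_LIMIT_CMD_SET and OVS_CT_LIMIT_CMD_DEL entries ("Requires CAP_NET_ADMIN privilege.") is now stale, because switching GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM changes which capability check applies: the caller must hold CAP_NET_ADMIN in the user namespace that owns the network namespace of the netlink socket, not in the initial user namespace. Since that relaxation is the whole point of the change, the comment should say so, e.g. "/* Requires CAP_NET_ADMIN in the netns owner's user namespace. */", so a later reader does not assume global privilege is still required. The @@ header (14 lines to 16) confirms only these two entries change in this hunk; OVS_CT_LIMIT_CMD_GET is untouched here. As Jakub notes above, once these commands are reachable from an unprivileged container the ct_limit allocation should be memcg-accounted (GFP_KERNEL_ACCOUNT rather than GFP_KERNEL), so that a container setting many zone limits is charged for the kernel memory it causes to be allocated.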