* [PATCH net-next ] net: Allow userns root to control tun and tap devices
@ 2012-11-19 7:34 Eric W. Biederman
From: Eric W. Biederman @ 2012-11-19 7:34 UTC (permalink / raw)
To: David Miller; +Cc: netdev-u79uwXL29TY76Z2rM5mHXA, Linux Containers
Allow an unprivileged user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) calls to
ns_capable(net->user_ns,CAP_NET_ADMIN) calls.
Allow setting of the tun iff flags.
Allow creating of tun devices.
Allow adding a new queue to a tun device.
Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
---
drivers/net/tun.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index b44d7b7..b01e8c0 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -373,10 +373,11 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb)
static inline bool tun_not_capable(struct tun_struct *tun)
{
const struct cred *cred = current_cred();
+ struct net *net = dev_net(tun->dev);
return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) ||
(gid_valid(tun->group) && !in_egroup_p(tun->group))) &&
- !capable(CAP_NET_ADMIN);
+ !ns_capable(net->user_ns, CAP_NET_ADMIN);
}
static void tun_set_real_num_queues(struct tun_struct *tun)
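Review bot: the log should state explicitly that this hunk widens who may bypass the per-device owner/group restriction: before, only a caller with CAP_NET_ADMIN in the initial user namespace could open a tun device whose tun->owner/tun->group did not match, while after `!ns_capable(net->user_ns, CAP_NET_ADMIN)` any caller that is capable in the user namespace owning the device's network namespace can. That is the intended "userns root" semantics, and using `dev_net(tun->dev)` (the namespace the device lives in, not the caller's) is the right anchor, but it deserves a sentence in the commit message. The message also lists "adding a new queue to a tun device" as a third change, yet the diff only touches tun_not_capable() and tun_set_iff(); if the queue path is covered because it calls tun_not_capable(), say so in the log.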
@@ -1559,7 +1560,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
char *name;
unsigned long flags = 0;
- if (!capable(CAP_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
err = security_tun_dev_create();
if (err < 0)
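Review bot: with `ns_capable(net->user_ns, CAP_NET_ADMIN)` now gating device creation, the `net` argument (see the hunk header, `tun_set_iff(struct net *net, ...)`) decides which user namespace's root may create devices, so a short comment at the check that `net` must be the namespace the tun file is bound to, never a global default, would help future readers. The ordering is correct: the capability test still runs before `security_tun_dev_create()`, so an LSM only sees callers that already passed the namespace check. For the initial user namespace ns_capable() reduces to the old capable() behaviour, which is worth stating in the log so it is clear nothing is relaxed for the host namespace.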
--
1.7.5.4
* Re: [PATCH net-next ] net: Allow userns root to control tun and tap devices
@ 2012-11-19 14:23 ` Serge E. Hallyn
From: Serge E. Hallyn @ 2012-11-19 14:23 UTC (permalink / raw)
To: Eric W. Biederman
Cc: netdev-u79uwXL29TY76Z2rM5mHXA, Linux Containers, David Miller
Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>
> Allow an unprivileged user who has created a user namespace, and then
> created a network namespace to effectively use the new network
> namespace, by reducing capable(CAP_NET_ADMIN) calls to
> ns_capable(net->user_ns,CAP_NET_ADMIN) calls.
>
> Allow setting of the tun iff flags.
> Allow creating of tun devices.
> Allow adding a new queue to a tun device.
>
Acked-by: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
> ---
> drivers/net/tun.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index b44d7b7..b01e8c0 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -373,10 +373,11 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb)
> static inline bool tun_not_capable(struct tun_struct *tun)
> {
> const struct cred *cred = current_cred();
> + struct net *net = dev_net(tun->dev);
>
> return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) ||
> (gid_valid(tun->group) && !in_egroup_p(tun->group))) &&
> - !capable(CAP_NET_ADMIN);
> + !ns_capable(net->user_ns, CAP_NET_ADMIN);
> }
>
> static void tun_set_real_num_queues(struct tun_struct *tun)
> @@ -1559,7 +1560,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
> char *name;
> unsigned long flags = 0;
>
> - if (!capable(CAP_NET_ADMIN))
> + if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
> return -EPERM;
> err = security_tun_dev_create();
> if (err < 0)
> --
> 1.7.5.4
* Re: [PATCH net-next ] net: Allow userns root to control tun and tap devices
@ 2012-11-19 19:16 ` David Miller
From: David Miller @ 2012-11-19 19:16 UTC (permalink / raw)
To: serge-A9i7LUbDfNHQT0dZR+AlfA
Cc: netdev-u79uwXL29TY76Z2rM5mHXA,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA,
ebiederm-aS9lmoZGLiVWk0Htik3J/w
From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Date: Mon, 19 Nov 2012 14:23:31 +0000
> Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>>
>> Allow an unprivileged user who has created a user namespace, and then
>> created a network namespace to effectively use the new network
>> namespace, by reducing capable(CAP_NET_ADMIN) calls to
>> ns_capable(net->user_ns,CAP_NET_ADMIN) calls.
>>
>> Allow setting of the tun iff flags.
>> Allow creating of tun devices.
>> Allow adding a new queue to a tun device.
>>
>
> Acked-by: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
Applied.