* [PATCH net-next ] net: Allow userns root to control tun and tap devices
@ 2012-11-19 7:34 Eric W. Biederman
From: Eric W. Biederman @ 2012-11-19 7:34 UTC (permalink / raw)
To: David Miller; +Cc: netdev-u79uwXL29TY76Z2rM5mHXA, Linux Containers
Allow an unprivileged user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) calls to
ns_capable(net->user_ns,CAP_NET_ADMIN) calls.

Allow setting of the tun iff flags.
Allow creating of tun devices.
Allow adding a new queue to a tun device.
Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
---
drivers/net/tun.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index b44d7b7..b01e8c0 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -373,10 +373,11 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb)
static inline bool tun_not_capable(struct tun_struct *tun)
{
const struct cred *cred = current_cred();
+ struct net *net = dev_net(tun->dev);
return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) ||
(gid_valid(tun->group) && !in_egroup_p(tun->group))) &&
- !capable(CAP_NET_ADMIN);
+ !ns_capable(net->user_ns, CAP_NET_ADMIN);
}
static void tun_set_real_num_queues(struct tun_struct *tun)
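Review bot: the privilege override in `tun_not_capable()` now asks for CAP_NET_ADMIN in the user namespace that owns the device's network namespace (`dev_net(tun->dev)->user_ns`), not the caller's current user namespace, so the `tun->owner`/`tun->group` restriction can only be overridden by someone privileged over the namespace the device lives in; a one-line comment above `struct net *net = dev_net(tun->dev);` saying that the owning namespace is the authority would save later readers from re-deriving this. The owner/group comparison itself is already namespace-independent because `cred->euid` and `tun->owner` are both kuids, so nothing else in this function needs to change.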
@@ -1559,7 +1560,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
char *name;
unsigned long flags = 0;
- if (!capable(CAP_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
err = security_tun_dev_create();
if (err < 0)
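Review bot: `net` is the namespace the new device will be created in, so `ns_capable(net->user_ns, CAP_NET_ADMIN)` correctly checks privilege over the target namespace rather than over whatever namespace the caller currently sits in, but that is not obvious from the hunk; the commit message or a short comment on the check should state that `net` is the target namespace. The ordering is right: the capability check still precedes `security_tun_dev_create()`, so an LSM can only narrow who may create devices, never widen it. Separately, the commit message lists three behaviours (iff flags, device creation, queue attach) while the diff touches two call sites; if the queue path reaches its check through `tun_not_capable()`, saying so in the message would make the coverage clear.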
--
1.7.5.4
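As an added example that is not part of the patch or of the kernel tree: a small userspace probe, in C, that exercises what the commit message describes from the caller's side. It unshares a user namespace (becoming userns root), unshares a network namespace owned by that user namespace, and then asks /dev/net/tun for a new device with TUNSETIFF. On a kernel carrying this change the ioctl succeeds for an unprivileged user; on one without it, or where unprivileged user namespaces are disabled, the probe reports the errno it received. All function names are hypothetical, and the program assumes Linux, a /dev/net/tun node, and permission to create user namespaces.

```c
/* Added example, not from the patch: probe whether an unprivileged process
 * can create a tun device as root of its own user namespace. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <net/if.h>
#include <linux/if_tun.h>

/* Prototype and flag values repeated in case _GNU_SOURCE was not in effect
 * when <sched.h> was first pulled in; the values are stable kernel ABI. */
extern int unshare(int flags);
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif

/* Write a short string to a file; returns 0 or -errno. */
static int write_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    int rc = 0;
    if (fd < 0)
        return -errno;
    if (write(fd, data, strlen(data)) < 0)
        rc = -errno;
    close(fd);
    return rc;
}

/* Enter a fresh user namespace, map our uid/gid to 0 inside it (this is what
 * makes us "userns root"), then unshare a network namespace owned by it.
 * Returns 0 on success or -errno. */
static int enter_userns_and_netns(void)
{
    char map[64];
    int rc;
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;
    /* Unprivileged writers must deny setgroups before gid_map; the file only
     * exists on newer kernels, so its failure is deliberately ignored. */
    write_file("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if ((rc = write_file("/proc/self/uid_map", map)) < 0)
        return rc;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if ((rc = write_file("/proc/self/gid_map", map)) < 0)
        return rc;
    if (unshare(CLONE_NEWNET) < 0)
        return -errno;
    return 0;
}

/* Ask the tun driver for a new device named `name`; returns 0 if it was
 * created (it vanishes again on close, as it is not persistent), else -errno.
 * Without the patch, a caller lacking global CAP_NET_ADMIN gets -EPERM. */
static int try_create_tun(const char *name)
{
    struct ifreq ifr;
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0)
        return -errno;
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
    snprintf(ifr.ifr_name, IFNAMSIZ, "%s", name);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
        int saved = errno;
        close(fd);
        return -saved;
    }
    close(fd);
    return 0;
}

/* Translate the probe result into a one-line verdict for the report. */
static const char *verdict(int rc)
{
    switch (rc) {
    case 0:       return "allowed: userns root can create tun devices";
    case -EPERM:  return "denied: capability check rejected the caller";
    case -ENOENT: return "no /dev/net/tun node in this mount namespace";
    case -EACCES: return "denied: /dev/net/tun permissions block the open";
    default:      return "other failure";
    }
}

int main(void)
{
    int rc = enter_userns_and_netns();
    if (rc < 0) {
        printf("could not enter namespaces: %s\n", strerror(-rc));
        return 1;
    }
    rc = try_create_tun("probe0");
    printf("TUNSETIFF as userns root: %s (%s)\n",
           verdict(rc), rc ? strerror(-rc) : "ok");
    return rc ? 2 : 0;
}
```

Run it as an ordinary user: a kernel with this change prints the "allowed" verdict, which is also a quick way to confirm on a hardened host that unprivileged user namespaces are in fact disabled (the probe then stops at `unshare(CLONE_NEWUSER)` with EPERM).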
* Re: [PATCH net-next ] net: Allow userns root to control tun and tap devices [not found] ` <87a9uekpvw.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> @ 2012-11-19 14:23 ` Serge E. Hallyn [not found] ` <20121119142331.GA4453-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org> 0 siblings, 1 reply; 3+ messages in thread From: Serge E. Hallyn @ 2012-11-19 14:23 UTC (permalink / raw) To: Eric W. Biederman Cc: netdev-u79uwXL29TY76Z2rM5mHXA, Linux Containers, David Miller Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org): > > Allow an unpriviled user who has created a user namespace, and then > created a network namespace to effectively use the new network > namespace, by reducing capable(CAP_NET_ADMIN) calls to > ns_capable(net->user_ns,CAP_NET_ADMIN) calls. > > Allow setting of the tun iff flags. > Allow creating of tun devices. > Allow adding a new queue to a tun device. > Acked-by: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> > Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> > --- > drivers/net/tun.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > index b44d7b7..b01e8c0 100644 > --- a/drivers/net/tun.c > +++ b/drivers/net/tun.c > @@ -373,10 +373,11 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb) > static inline bool tun_not_capable(struct tun_struct *tun) > { > const struct cred *cred = current_cred(); > + struct net *net = dev_net(tun->dev); > > return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || > (gid_valid(tun->group) && !in_egroup_p(tun->group))) && > - !capable(CAP_NET_ADMIN); > + !ns_capable(net->user_ns, CAP_NET_ADMIN); > } > > static void tun_set_real_num_queues(struct tun_struct *tun) 
> @@ -1559,7 +1560,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) > char *name; > unsigned long flags = 0; > > - if (!capable(CAP_NET_ADMIN)) > + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) > return -EPERM; > err = security_tun_dev_create(); > if (err < 0) > -- > 1.7.5.4 ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net-next ] net: Allow userns root to control tun and tap devices
@ 2012-11-19 19:16 David Miller
From: David Miller @ 2012-11-19 19:16 UTC (permalink / raw)
To: serge-A9i7LUbDfNHQT0dZR+AlfA
Cc: netdev-u79uwXL29TY76Z2rM5mHXA, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, ebiederm-aS9lmoZGLiVWk0Htik3J/w
From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
Date: Mon, 19 Nov 2012 14:23:31 +0000
> Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>>
>> Allow an unprivileged user who has created a user namespace, and then
>> created a network namespace to effectively use the new network
>> namespace, by reducing capable(CAP_NET_ADMIN) calls to
>> ns_capable(net->user_ns,CAP_NET_ADMIN) calls.
>>
>> Allow setting of the tun iff flags.
>> Allow creating of tun devices.
>> Allow adding a new queue to a tun device.
>>
>
> Acked-by: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>

Applied.