[Devel] [PATCH 3/3] ve: remove ns_capable(CAP_VE.*)
Andrew Vagin
avagin at openvz.org
Fri Aug 28 06:20:03 PDT 2015
If user namespaces are in use, the special VE capabilities are no longer needed.
Signed-off-by: Andrew Vagin <avagin at openvz.org>
---
fs/proc/root.c | 3 +--
ipc/mqueue.c | 3 +--
ipc/util.c | 2 +-
kernel/nsproxy.c | 6 ++----
kernel/sys.c | 4 ++--
net/bridge/br_ioctl.c | 33 +++++++++++----------------------
net/core/dev_ioctl.c | 9 +++------
net/core/ethtool.c | 3 +--
net/core/rtnetlink.c | 6 ++----
net/core/scm.c | 2 +-
net/decnet/netfilter/dn_rtmsg.c | 3 +--
net/ipv4/arp.c | 3 +--
net/ipv4/devinet.c | 6 ++----
net/ipv4/fib_frontend.c | 2 +-
net/ipv4/ip_sockglue.c | 3 +--
net/ipv4/ip_tunnel.c | 6 ++----
net/ipv4/netfilter/ip_tables.c | 12 ++++--------
net/ipv6/addrconf.c | 4 ++--
net/ipv6/ip6_tunnel.c | 6 ++----
net/ipv6/netfilter/ip6_tables.c | 12 ++++--------
net/ipv6/route.c | 2 +-
net/ipv6/sit.c | 9 +++------
net/key/af_key.c | 3 +--
net/netfilter/nfnetlink.c | 3 +--
net/netlink/af_netlink.c | 1 -
net/netlink/genetlink.c | 3 +--
net/xfrm/xfrm_user.c | 3 +--
27 files changed, 53 insertions(+), 99 deletions(-)
diff --git a/fs/proc/root.c b/fs/proc/root.c
index 0b7dbdb..923b398 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -121,8 +121,7 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
options = data;
if (!current_user_ns()->may_mount_proc ||
- (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) &&
- !ns_capable(ns->user_ns, CAP_VE_SYS_ADMIN)))
+ (!ns_capable(ns->user_ns, CAP_SYS_ADMIN)))
return ERR_PTR(-EPERM);
}
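Review bot: The new condition on the `+` line keeps a parenthesised group, `(!ns_capable(ns->user_ns, CAP_SYS_ADMIN))`, that only existed to bind the removed `&&` operand; with a single term it is redundant. Simplify to `if (!current_user_ns()->may_mount_proc || !ns_capable(ns->user_ns, CAP_SYS_ADMIN))` so the guard reads as two alternatives. proc_mount's body starts and ends outside the hunk.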
diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index c5f1d3e..657814c 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -335,8 +335,7 @@ static struct dentry *mqueue_mount(struct file_system_type *fs_type,
/* Don't allow mounting unless the caller has CAP_SYS_ADMIN
* over the ipc namespace.
*/
- if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) &&
- !ns_capable(ns->user_ns, CAP_VE_SYS_ADMIN))
+ if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
return ERR_PTR(-EPERM);
data = ns;
diff --git a/ipc/util.c b/ipc/util.c
index 795e05f..15e09aa 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -771,7 +771,7 @@ struct kern_ipc_perm *ipcctl_pre_down_nolock(struct ipc_namespace *ns,
euid = current_euid();
if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid) ||
- ns_capable(ns->user_ns, CAP_VE_SYS_ADMIN))
+ ns_capable(ns->user_ns, CAP_SYS_ADMIN))
return ipcp; /* successful lookup */
err:
return ERR_PTR(err);
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 81402a8..62aebc8 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -136,8 +136,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk)
CLONE_NEWPID | CLONE_NEWNET)))
return 0;
- if (!ns_capable(user_ns, CAP_SYS_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_SYS_ADMIN)) {
+ if (!ns_capable(user_ns, CAP_SYS_ADMIN)) {
err = -EPERM;
goto out;
}
@@ -198,8 +197,7 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
return 0;
user_ns = new_cred ? new_cred->user_ns : current_user_ns();
- if (!ns_capable(user_ns, CAP_SYS_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_SYS_ADMIN))
+ if (!ns_capable(user_ns, CAP_SYS_ADMIN))
return -EPERM;
*new_nsp = create_new_namespaces(unshare_flags, current, user_ns,
diff --git a/kernel/sys.c b/kernel/sys.c
index 44f0295..a2d5644 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1604,7 +1604,7 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
int errno;
char tmp[__NEW_UTS_LEN];
- if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_VE_SYS_ADMIN))
+ if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
return -EPERM;
if (len < 0 || len > __NEW_UTS_LEN)
@@ -1655,7 +1655,7 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)
int errno;
char tmp[__NEW_UTS_LEN];
- if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_VE_SYS_ADMIN))
+ if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
return -EPERM;
if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL;
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 45c4c22..98447b8 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -89,8 +89,7 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
struct net_device *dev;
int ret;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
dev = __dev_get_by_index(net, ifindex);
@@ -180,29 +179,25 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
}
case BRCTL_SET_BRIDGE_FORWARD_DELAY:
- if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM;
return br_set_forward_delay(br, args[1]);
case BRCTL_SET_BRIDGE_HELLO_TIME:
- if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM;
return br_set_hello_time(br, args[1]);
case BRCTL_SET_BRIDGE_MAX_AGE:
- if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM;
return br_set_max_age(br, args[1]);
case BRCTL_SET_AGEING_TIME:
- if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM;
br->ageing_time = clock_t_to_jiffies(args[1]);
@@ -242,16 +237,14 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
}
case BRCTL_SET_BRIDGE_STP_STATE:
- if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM;
br_stp_set_enabled(br, args[1]);
return 0;
case BRCTL_SET_BRIDGE_PRIORITY:
- if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM;
spin_lock_bh(&br->lock);
@@ -264,8 +257,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
struct net_bridge_port *p;
int ret;
- if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM;
spin_lock_bh(&br->lock);
@@ -282,8 +274,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
struct net_bridge_port *p;
int ret;
- if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM;
spin_lock_bh(&br->lock);
@@ -340,8 +331,7 @@ static int old_deviceless(struct net *net, void __user *uarg)
{
char buf[IFNAMSIZ];
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user(buf, (void __user *)args[1], IFNAMSIZ))
@@ -374,8 +364,7 @@ int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *uar
{
char buf[IFNAMSIZ];
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user(buf, uarg, IFNAMSIZ))
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 021681b..d0befb4 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -294,8 +294,7 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, unsigned int cmd)
return dev_mc_del_global(dev, ifr->ifr_hwaddr.sa_data);
case SIOCSIFTXQLEN:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (ifr->ifr_qlen < 0)
return -EINVAL;
@@ -479,8 +478,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
case SIOCSIFNAME:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
dev_load(net, ifr.ifr_name);
rtnl_lock();
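Review bot: After this change the `case SIOCSIFNAME:` body begins with exactly the check that the preceding case ends with (context lines `if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) return -EPERM;` immediately above the label), so a caller falling through is tested twice and the two case groups no longer differ. If the lines above the hunk are only case labels, `case SIOCSIFNAME:` can be moved up to join them and the duplicated check dropped. The same now-identical pair appears in net/core/ethtool.c, where the case before `default:` ends with the check that `default:` repeats. dev_ioctl's body starts and ends outside the hunk, so the surrounding labels should be confirmed before folding.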
@@ -509,8 +507,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
case SIOCSIFMETRIC:
case SIOCBRADDIF:
case SIOCBRDELIF:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
dev_load(net, ifr.ifr_name);
rtnl_lock();
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index b06f749..07fedd0 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -1649,8 +1649,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
default:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
}
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 2e8b10f..105aaf5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1403,8 +1403,7 @@ static int do_setlink(const struct sk_buff *skb,
err = PTR_ERR(net);
goto errout;
}
- if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN) &&
- !netlink_ns_capable(skb, net->user_ns, CAP_VE_NET_ADMIN)) {
+ if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) {
err = -EPERM;
goto errout;
}
@@ -2733,8 +2732,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
sz_idx = type>>2;
kind = type&3;
- if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN) &&
- !netlink_net_capable(skb, CAP_VE_NET_ADMIN))
+ if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
diff --git a/net/core/scm.c b/net/core/scm.c
index acde9e9..b86b05a 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(struct ucred *creds)
if ((creds->pid == task_tgid_vnr(current) ||
creds->pid == current->tgid ||
- ns_capable(task_active_pid_ns(current)->user_ns, CAP_VE_SYS_ADMIN)) &&
+ ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index b4d2f6c..e4d9560 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -107,8 +107,7 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
return;
- if (!netlink_capable(skb, CAP_NET_ADMIN) &&
- !netlink_capable(skb, CAP_VE_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
RCV_SKB_FAIL(-EPERM);
/* Eventually we might send routing messages too */
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 0867b6c..d2b96c3 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1176,8 +1176,7 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg)
switch (cmd) {
case SIOCDARP:
case SIOCSARP:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
case SIOCGARP:
err = copy_from_user(&r, arg, sizeof(struct arpreq));
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 2fef948..1666af3 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -915,8 +915,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
case SIOCSIFFLAGS:
ret = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto out;
break;
case SIOCSIFADDR: /* Set interface address (and family) */
@@ -924,8 +923,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
case SIOCSIFDSTADDR: /* Set the destination address */
case SIOCSIFNETMASK: /* Set the netmask for the interface */
ret = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto out;
ret = -EINVAL;
if (sin->sin_family != AF_INET)
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 3ca9753..e5aa8d9 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -487,7 +487,7 @@ int ip_rt_ioctl(struct net *net, unsigned int cmd, void __user *arg)
switch (cmd) {
case SIOCADDRT: /* Add a route */
case SIOCDELRT: /* Delete a route */
- if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user(&rt, arg, sizeof(rt)))
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 8937a62..8d174ce 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1008,8 +1008,7 @@ mc_msf_out:
case IP_IPSEC_POLICY:
case IP_XFRM_POLICY:
err = -EPERM;
- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(sock_net(sk)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
break;
err = xfrm_user_policy(sk, optname, optval, optlen);
break;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 26b9774..b1eeb95 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -726,8 +726,7 @@ int ip_tunnel_ioctl(struct net_device *dev, struct ip_tunnel_parm *p, int cmd)
case SIOCADDTUNNEL:
case SIOCCHGTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
if (p->iph.ttl)
p->iph.frag_off |= htons(IP_DF);
@@ -781,8 +780,7 @@ int ip_tunnel_ioctl(struct net_device *dev, struct ip_tunnel_parm *p, int cmd)
case SIOCDELTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
if (dev == itn->fb_tunnel_dev) {
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 31eda61..bbcb355 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1861,8 +1861,7 @@ compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -1977,8 +1976,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -2001,8 +1999,7 @@ do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -2028,8 +2025,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index cf03581..4745307 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2499,7 +2499,7 @@ int addrconf_add_ifaddr(struct net *net, void __user *arg)
struct in6_ifreq ireq;
int err;
- if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user(&ireq, arg, sizeof(struct in6_ifreq)))
@@ -2518,7 +2518,7 @@ int addrconf_del_ifaddr(struct net *net, void __user *arg)
struct in6_ifreq ireq;
int err;
- if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user(&ireq, arg, sizeof(struct in6_ifreq)))
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index e28a22f..24825e9 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1368,8 +1368,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
case SIOCADDTUNNEL:
case SIOCCHGTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
break;
err = -EFAULT;
if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof (p)))
@@ -1402,8 +1401,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
break;
case SIOCDELTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
break;
if (dev == ip6n->fb_tnl_dev) {
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0f370a4..8eaf33d 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1867,8 +1867,7 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -1984,8 +1983,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -2008,8 +2006,7 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -2035,8 +2032,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index e7698f3..c0f7be8 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2086,7 +2086,7 @@ int ipv6_route_ioctl(struct net *net, unsigned int cmd, void __user *arg)
switch(cmd) {
case SIOCADDRT: /* Add a route */
case SIOCDELRT: /* Delete a route */
- if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
err = copy_from_user(&rtmsg, arg,
sizeof(struct in6_rtmsg));
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 0cbb2b2..ffd26c9 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1093,8 +1093,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
case SIOCADDTUNNEL:
case SIOCCHGTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
err = -EFAULT;
@@ -1142,8 +1141,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
case SIOCDELTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
if (dev == sitn->fb_tunnel_dev) {
@@ -1176,8 +1174,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
case SIOCDELPRL:
case SIOCCHGPRL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
err = -EINVAL;
if (dev == sitn->fb_tunnel_dev)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index d954db1..66f51c5 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -141,8 +141,7 @@ static int pfkey_create(struct net *net, struct socket *sock, int protocol,
struct sock *sk;
int err;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (sock->type != SOCK_RAW)
return -ESOCKTNOSUPPORT;
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index e9dca11..d2de992 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -375,8 +375,7 @@ static void nfnetlink_rcv(struct sk_buff *skb)
skb->len < nlh->nlmsg_len)
return;
- if (!netlink_net_capable(skb, CAP_NET_ADMIN) &&
- !netlink_net_capable(skb, CAP_VE_NET_ADMIN)) {
+ if (!netlink_net_capable(skb, CAP_NET_ADMIN)) {
netlink_ack(skb, nlh, -EPERM);
return;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index c258809..ec12d29 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1373,7 +1373,6 @@ EXPORT_SYMBOL(netlink_net_capable);
static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
{
return (nl_table[sock->sk->sk_protocol].flags & flag) ||
- ns_capable(sock_net(sock->sk)->user_ns, CAP_VE_NET_ADMIN) ||
ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
}
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 3c4679c..76393f2 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -557,8 +557,7 @@ static int genl_family_rcv_msg(struct genl_family *family,
return -EOPNOTSUPP;
if ((ops->flags & GENL_ADMIN_PERM) &&
- !netlink_capable(skb, CAP_NET_ADMIN) &&
- !netlink_capable(skb, CAP_VE_NET_ADMIN))
+ !netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if ((nlh->nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP) {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 55d2013..7a70a5a 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2362,8 +2362,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
link = &xfrm_dispatch[type];
/* All operations require privileges, even GET */
- if (!netlink_net_capable(skb, CAP_NET_ADMIN) &&
- !netlink_net_capable(skb, CAP_VE_NET_ADMIN))
+ if (!netlink_net_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
--
1.7.1