[Devel] [PATCH 06/14] net: CAP_VE_NET_ADMIN must be a subset of CAP_NET_ADMIN
Kirill Tkhai
ktkhai at odin.com
Mon Jun 8 07:21:15 PDT 2015
Porting patch diff-ve-net-netlink-CAP_VE_NET_ADMIN-must-be-a-subset-of-CAP_NET_ADMIN-2:
An application can restrict itself. In this case very probably
it knows nothing about CAP_VE_*. CAP_NET_ADMIN is enough safety
and it may be granted to CT, if it's required for a required
application.
https://jira.sw.ru/browse/PSBM-23514
Signed-off-by: Andrey Vagin <avagin at openvz.org>
Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
net/netlink/af_netlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index a54e578..272c24a 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1366,7 +1366,9 @@ static int netlink_autobind(struct socket *sock)
static inline int netlink_capable(const struct socket *sock, unsigned int flag)
{
return (nl_table[sock->sk->sk_protocol].flags & flag) ||
- ns_capable(sock_net(sock->sk)->user_ns, CAP_VE_NET_ADMIN);
+ ns_capable(sock_net(sock->sk)->user_ns, CAP_VE_NET_ADMIN) ||
+ ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
+
}
static void
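Review bot: the lone `+` line immediately before the closing brace adds a stray blank line at the end of netlink_capable(); drop it so the function body ends at the `return` statement as before. Otherwise the logic matches the commit message: both ns_capable() calls are made against the same sock_net(sock->sk)->user_ns, so a socket whose network namespace owner holds CAP_NET_ADMIN now passes netlink_capable() without CAP_VE_NET_ADMIN, and the check is not widened beyond that user namespace.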