[Devel] [PATCH RHEL7 COMMIT] ve/net: CAP_VE_NET_ADMIN must be a subset of CAP_NET_ADMIN

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 10 07:42:41 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.12
------>
commit ab8432f1e8a5e4361a045228616a99605bf851b7
Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Wed Jun 10 18:42:41 2015 +0400

    ve/net: CAP_VE_NET_ADMIN must be a subset of CAP_NET_ADMIN
    
    Porting patch diff-ve-net-netlink-CAP_VE_NET_ADMIN-must-be-a-subset-of-CAP_NET_ADMIN-2:
    
    An application can restrict itself. In this case very probably
    it knows nothing about CAP_VE_*. CAP_NET_ADMIN is enough safety
    and it may be granted to CT, if it's required for a required
    application.
    
    https://jira.sw.ru/browse/PSBM-23514
    
    Signed-off-by: Andrey Vagin <avagin at openvz.org>
    
    Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
    Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
 net/netlink/af_netlink.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 734a68a..5d5ce02 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1357,7 +1357,9 @@ retry:
 static inline int netlink_capable(const struct socket *sock, unsigned int flag)
 {
 	return (nl_table[sock->sk->sk_protocol].flags & flag) ||
-		ns_capable(sock_net(sock->sk)->user_ns, CAP_VE_NET_ADMIN);
+		ns_capable(sock_net(sock->sk)->user_ns, CAP_VE_NET_ADMIN) ||
+		ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
+
 }
 
 static void
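Review bot: the added empty `+` line just before the closing `}` of netlink_capable() is stray whitespace and should be dropped; it is not part of the functional change and leaves a blank line at the end of the function body. Minor: `sock_net(sock->sk)->user_ns` is now evaluated twice; hoisting it into a local such as `struct user_namespace *ns = sock_net(sock->sk)->user_ns;` would make the two `ns_capable()` calls read as the intended "either CAP_VE_NET_ADMIN or CAP_NET_ADMIN suffices" check and keep the line within the usual width.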


