[Devel] [PATCH 2/2] ioctl: allow change net-device name with CAP_VE_NET_ADMIN
Kirill Tkhai
ktkhai at odin.com
Thu Jun 18 03:28:51 PDT 2015
Port patch diff-ve-net-ioctl-allow-change-net-device-name-with-CAP_VE_NET_ADMIN
from 2.6.32:
docker uses ioctl's:
SIOCBRADDBR
SIOCBRDELBR
SIOCBRADDIF
SIOCSIFFLAGS
SIOCSIFHWADDR
SIOCSIFNAME - missed it before (in the scope of PSBM-29808)
need to allow them for container-net-admin
https://jira.sw.ru/browse/PSBM-31819
https://jira.sw.ru/browse/PSBM-29808
Signed-off-by: Pavel Tikhomirov <ptikhomirov at parallels.com>
Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
---
net/core/dev_ioctl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 2be924c..021681b 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -476,9 +476,12 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
*/
case SIOCGMIIPHY:
case SIOCGMIIREG:
- case SIOCSIFNAME:
if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
+ case SIOCSIFNAME:
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
+ !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ return -EPERM;
dev_load(net, ifr.ifr_name);
rtnl_lock();
ret = dev_ifsioc(net, &ifr, cmd);
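Review bot: the new `case SIOCSIFNAME:` label sits directly after the `return -EPERM;` of the SIOCGMIIPHY/SIOCGMIIREG check, so those two commands now fall through into it with no annotation. Behaviour for them is unchanged, since a caller that passed the first `ns_capable(net->user_ns, CAP_NET_ADMIN)` test also satisfies the second condition, but the layout reads as if a `break` were missing, and CAP_NET_ADMIN is evaluated twice on that path. Either add a `/* fall through */` comment before `case SIOCSIFNAME:` or give SIOCSIFNAME its own block that ends in the shared `dev_load()` path, so the relaxed check is visibly limited to the rename command. The block comment that ends just above these case labels is not touched here; if it describes the whole group as requiring CAP_NET_ADMIN, it should mention that SIOCSIFNAME also accepts CAP_VE_NET_ADMIN.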