[Devel] [PATCH RHEL7 COMMIT] ve/net/ioctl: allow change net-device name with CAP_VE_NET_ADMIN

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 18 06:41:53 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.14
------>
commit 4b2230a50d7c2b79128218e4adf9b6f55ca59a9c
Author: Kirill Tkhai <ktkhai at odin.com>
Date:   Thu Jun 18 17:41:53 2015 +0400

    ve/net/ioctl: allow change net-device name with CAP_VE_NET_ADMIN
    
    Port patch diff-ve-net-ioctl-allow-change-net-device-name-with-CAP_VE_NET_ADMIN
    from 2.6.32:
    
    docker uses ioctl's:
    SIOCBRADDBR
    SIOCBRDELBR
    SIOCBRADDIF
    SIOCSIFFLAGS
    SIOCSIFHWADDR
    SIOCSIFNAME - missed it before (in the scope of PSBM-29808)
    need to allow them for container-net-admin
    
    https://jira.sw.ru/browse/PSBM-31819
    https://jira.sw.ru/browse/PSBM-29808
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at parallels.com>
    
    Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
    Acked-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/core/dev_ioctl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index d407219..77df687 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -476,9 +476,12 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
 	 */
 	case SIOCGMIIPHY:
 	case SIOCGMIIREG:
-	case SIOCSIFNAME:
 		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
+	case SIOCSIFNAME:
+		if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
+		    !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+			return -EPERM;
 		dev_load(net, ifr.ifr_name);
 		rtnl_lock();
 		ret = dev_ifsioc(net, &ifr, cmd);
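
Review bot: the `SIOCGMIIPHY`/`SIOCGMIIREG` branch now falls through into the new `case SIOCSIFNAME:` check, with nothing between its `return -EPERM;` and the next label to show that this is intended. The behaviour is still correct, because a caller that passed the `CAP_NET_ADMIN` check also satisfies the combined `CAP_NET_ADMIN` / `CAP_VE_NET_ADMIN` test, but the MII ioctls are now checked twice and the layout reads like a missing `break`. Add a `/* fall through */` comment after the first check. Since the relaxed test is evaluated against `net->user_ns`, a short comment at `case SIOCSIFNAME:` saying that renaming is deliberately opened to the container net-admin capability, while `SIOCGMIIPHY` and `SIOCGMIIREG` stay `CAP_NET_ADMIN`-only, would keep a later reorder of these labels from widening the MII ioctls by accident.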


