[Devel] [PATCH RHEL7 COMMIT] net: remove CAP_VE_NET_ADMIN from "ve/netfilter: Basic ve transformations"
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Sep 8 01:51:08 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.8.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.8
------>
commit 145cbc5edaf49f7952a7a852c82af69c83cce919
Author: Andrew Vagin <avagin at openvz.org>
Date: Tue Sep 8 12:51:08 2015 +0400
net: remove CAP_VE_NET_ADMIN from "ve/netfilter: Basic ve transformations"
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>
---
net/ipv4/netfilter/ip_tables.c | 12 ++++--------
net/ipv6/netfilter/ip6_tables.c | 12 ++++--------
2 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 31eda61..bbcb355 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1861,8 +1861,7 @@ compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -1977,8 +1976,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -2001,8 +1999,7 @@ do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -2028,8 +2025,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0f370a4..8eaf33d 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1867,8 +1867,7 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -1984,8 +1983,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -2008,8 +2006,7 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
@@ -2035,8 +2032,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct user_namespace *user_ns = sock_net(sk)->user_ns;
int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
return -EPERM;
switch (cmd) {
More information about the Devel
mailing list