[Devel] [PATCH] netfilter: allow adding matches from the container initial user namespace

Mon Jun 5 21:05:41 MSK 2017

https://jira.sw.ru/browse/PSBM-43609

Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
---
 net/netfilter/xt_owner.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 79558fe..942cce1 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -83,7 +83,7 @@ static int owner_check(const struct xt_mtchk_param *par)
 
 	/* For now only allow adding matches from the initial user namespace */
 	if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
-	    (current_user_ns() != &init_user_ns))
+	    !current_user_ns_initial())
 		return -EINVAL;
 	return 0;
 }

