[Devel] [PATCH RH7] ve: restrict ethtool to VE root userns and prohibit EEPROM change
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Wed Mar 1 23:11:11 PST 2017
When we switched to using userns we lost these restrictions. According
to https://jira.sw.ru/browse/PSBM-36290 if we modify EEPROM, we can
modify the NIC's firmware.
https://jira.sw.ru/browse/PSBM-52504
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
net/core/ethtool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 6302e8e..d1b6354 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2398,10 +2398,10 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
case ETHTOOL_GTUNABLE:
break;
case ETHTOOL_SEEPROM:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+ if (!capable(CAP_NET_ADMIN))
return -EPERM;
default:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+ if (!ve_capable(CAP_NET_ADMIN))
return -EPERM;
}
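Review bot: the ETHTOOL_SEEPROM case still has no break and no fall-through annotation after its check, so a caller that passes capable(CAP_NET_ADMIN) drops into default and is checked a second time with ve_capable(CAP_NET_ADMIN). Before this change the two checks were identical, so the fall-through did not matter; now that they differ, the reader has to know that passing the first implies passing the second. Either end the case with a break, or mark it with a /* fall through */ comment if the double check is intended. A short comment above "if (!capable(CAP_NET_ADMIN))" saying why SEEPROM alone requires the host-level capability (the firmware concern from the commit message) would also keep a later cleanup from folding it back into the default check. The subject line says "prohibit EEPROM change", but the code still permits it for callers that pass capable(); wording the subject as restricting it to the host would match the code.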
--
2.9.3