[Devel] [PATCH 05/14] ve/netfilter/cred: add ve_capable to check capabilities relative to the current VE (v2)
Alexander Mikhalitsyn
alexander.mikhalitsyn at virtuozzo.com
Fri Apr 30 15:45:33 MSK 2021
From: Konstantin Khorenko <khorenko at virtuozzo.com>
We want to allow a few operations in VE. Currently we use nsown_capable,
but it's wrong, because in this case we allow these operations in any
user namespace.
v2: take ve0->cred if the current ve isn't running
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>
(cherry picked from commit d14ac53542dcea9e8db67b3f989a57e42b0de093)
VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
net/netfilter/nf_sockopt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index 024959f478da..83358cfefdb7 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -112,7 +112,7 @@ static int ve0_load_sockopt_module(struct net *net, u8 pf, int val, int get)
const char *name;
int ret = -EPERM;
- if (!capable(CAP_NET_ADMIN))
+ if (!ve_capable(CAP_NET_ADMIN))
goto out;
if (sockopt_module_fits(pf, val, get, PF_INET,
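Review bot: the capability check in this hunk is relaxed, not tightened: `capable(CAP_NET_ADMIN)` required the capability in the initial user namespace, while `ve_capable(CAP_NET_ADMIN)` accepts it relative to the current VE, so a container-privileged process can now reach the code path below the check in `ve0_load_sockopt_module()`. Judging by the function name and the `sockopt_module_fits()` call that follows, that path drives module loading on behalf of the VE; the commit message should state explicitly that letting VE-level CAP_NET_ADMIN trigger it is intended and which modules `sockopt_module_fits()` restricts it to. The commit message also says the code "currently use[s] nsown_capable", but the line being replaced here is `capable(CAP_NET_ADMIN)`; please reword the description to match what this hunk actually changes.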
--
2.28.0