diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-15 04:26:23 -0800 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-18 23:15:50 -0800 |
commit | d5360895c29375a96e1eefe3568208583abd4578 (patch) | |
tree | e1e010ccd804f17de0779c9b099199625270e429 | |
parent | 66bb0ad06a8e438f60b3802ddb45ccf35534c2bc (diff) | |
download | user-namespace-userns-always-map-user-v74.tar.gz |
net: Allow userns root to control tun and tap devicesuserns-always-map-user-v74
Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) calls to
ns_capable(net->user_ns,CAP_NET_ADMIN) calls.
Allow setting of the tun iff flags.
Allow creating of tun devices.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
-rw-r--r-- | drivers/net/tun.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 0873cdcf39bebb..e8d2c6e32ba255 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1198,7 +1198,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) if (((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || (gid_valid(tun->group) && !in_egroup_p(tun->group))) && - !capable(CAP_NET_ADMIN)) + !ns_capable(net->user_ns, CAP_NET_ADMIN)) return -EPERM; err = security_tun_dev_attach(tun->socket.sk); if (err < 0) @@ -1212,7 +1212,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) char *name; unsigned long flags = 0; - if (!capable(CAP_NET_ADMIN)) + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) return -EPERM; err = security_tun_dev_create(); if (err < 0) |