openvswitch: allow management from inside user namespaces - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Tycho Andersen <tycho.andersen@canonical.com>	2016-02-05 19:20:52 +0300
committer	David S. Miller <davem@davemloft.net>	2016-02-11 17:53:19 +0300
commit	4a92602aa1cd5bbaeedbd9536ff992f7d26fe9d1 (patch)
tree	0c1fc8a9c5f393a08cd34c6c02544643eaf0681d /drivers/net/hamradio/baycom_ser_fdx.c
parent	4456ed04ea44b800d691b18c14a68ec9894d2aca (diff)
download	linux-4a92602aa1cd5bbaeedbd9536ff992f7d26fe9d1.tar.xz

openvswitch: allow management from inside user namespaces

Operations with the GENL_ADMIN_PERM flag fail permissions checks because this flag means we call netlink_capable, which uses the init user ns. Instead, let's introduce a new flag, GENL_UNS_ADMIN_PERM for operations which should be allowed inside a user namespace. The motivation for this is to be able to run openvswitch in unprivileged containers. I've tested this and it seems to work, but I really have no idea about the security consequences of this patch, so thoughts would be much appreciated. v2: use the GENL_UNS_ADMIN_PERM flag instead of a check in each function v3: use separate ifs for UNS_ADMIN_PERM and ADMIN_PERM, instead of one massive one Reported-by: James Page <james.page@canonical.com> Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> CC: Eric Biederman <ebiederm@xmission.com> CC: Pravin Shelar <pshelar@ovn.org> CC: Justin Pettit <jpettit@nicira.com> CC: "David S. Miller" <davem@davemloft.net> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'drivers/net/hamradio/baycom_ser_fdx.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: