List: openvz-devel
Subject: [Devel] [PATCH 05/14] ve/netfilter/cred: add ve_capable to check capabilities relative to the curren
From: Alexander Mikhalitsyn <alexander.mikhalitsyn () virtuozzo ! com>
Date: 2021-04-30 12:45:33
Message-ID: 20210430124542.464867-6-alexander.mikhalitsyn () virtuozzo ! com
From: Konstantin Khorenko <khorenko@virtuozzo.com>
We want to allow a few operations in VE. Currently we use nsown_capable,
but it's wrong, because in this case we allow these operations in any
user namespace.
v2: take ve0->cred if the current ve isn't running
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavydov@virtuozzo.com>
(cherry picked from commit d14ac53542dcea9e8db67b3f989a57e42b0de093)
VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
---
net/netfilter/nf_sockopt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index 024959f478da..83358cfefdb7 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -112,7 +112,7 @@ static int ve0_load_sockopt_module(struct net *net, u8 pf, int val, int get)
const char *name;
int ret = -EPERM;
- if (!capable(CAP_NET_ADMIN))
+ if (!ve_capable(CAP_NET_ADMIN))
goto out;
if (sockopt_module_fits(pf, val, get, PF_INET,
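Review bot: The check replaced in ve0_load_sockopt_module is capable(CAP_NET_ADMIN), not nsown_capable as the commit message states, and this hunk neither adds ve_capable nor touches the ve0->cred fallback mentioned in the v2 note, so the message should be updated for this rebase to describe the change actually made in nf_sockopt.c. Because the check moves from capable(), which tests against the initial user namespace, to a VE-relative one on a path that, judging by the function name, loads sockopt modules, please add a short comment above `if (!ve_capable(CAP_NET_ADMIN))` stating that CAP_NET_ADMIN inside the container is intentionally sufficient here and that the set of loadable modules is bounded by the sockopt_module_fits checks that follow.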
--
2.28.0