net: Allow userns root to control tun and tap devices

Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) calls to
ns_capable(net->user_ns,CAP_NET_ADMIN) calls.

Allow setting of the tun iff flags.
Allow creating of tun devices.
Allow adding a new queue to a tun device.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 3 insertions, 2 deletions

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index b44d7b79cddc..b01e8c0c422b 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -373,10 +373,11 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb)
 static inline bool tun_not_capable(struct tun_struct *tun)
 {
         const struct cred *cred = current_cred();
+        struct net *net = dev_net(tun->dev);
 
         return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) ||
                   (gid_valid(tun->group) && !in_egroup_p(tun->group))) &&
-                !capable(CAP_NET_ADMIN);
+                !ns_capable(net->user_ns, CAP_NET_ADMIN);
 }
 
 static void tun_set_real_num_queues(struct tun_struct *tun)
@@ -1559,7 +1560,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
                 char *name;
                 unsigned long flags = 0;
 
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                         return -EPERM;
                 err = security_tun_dev_create();
                 if (err < 0)