author | Eric W. Biederman <ebiederm@xmission.com> | 2012-06-14 05:31:10 -0400 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-19 01:46:23 -0500 |
commit | 038e7332b8d4c0629a2965e3ede1a92e8e427bd6 (patch) | |
tree | 3c449f3ea38036322da200533a75f8835191ed68 /include/net | |
parent | d727abcb2355566a3372ee1810f156fba75112b7 (diff) |
userns: make each net (net_ns) belong to a user_ns
The user namespace which creates a new network namespace owns that
namespace and all resources created in it. This way we can target
capability checks for privileged operations against network resources to
the user_ns which created the network namespace in which the resource
lives. Privilege to the user namespace which owns the network
namespace, or any parent user namespace thereof, provides the same
privilege to the network resource.
This patch is reworked from a version originally by
Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/net_namespace.h | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index 32dcb6085ebe..c5a43f56b796 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h | |||
@@ -23,6 +23,7 @@ | |||
23 | #endif | 23 | #endif |
24 | #include <net/netns/xfrm.h> | 24 | #include <net/netns/xfrm.h> |
25 | 25 | ||
26 | struct user_namespace; | ||
26 | struct proc_dir_entry; | 27 | struct proc_dir_entry; |
27 | struct net_device; | 28 | struct net_device; |
28 | struct sock; | 29 | struct sock; |
@@ -53,6 +54,8 @@ struct net { | |||
53 | struct list_head cleanup_list; /* namespaces on death row */ | 54 | struct list_head cleanup_list; /* namespaces on death row */ |
54 | struct list_head exit_list; /* Use only net_mutex */ | 55 | struct list_head exit_list; /* Use only net_mutex */ |
55 | 56 | ||
57 | struct user_namespace *user_ns; /* Owning user namespace */ | ||
58 | |||
56 | struct proc_dir_entry *proc_net; | 59 | struct proc_dir_entry *proc_net; |
57 | struct proc_dir_entry *proc_net_stat; | 60 | struct proc_dir_entry *proc_net_stat; |
58 | 61 | ||
@@ -127,12 +130,14 @@ struct net { | |||
127 | extern struct net init_net; | 130 | extern struct net init_net; |
128 | 131 | ||
129 | #ifdef CONFIG_NET_NS | 132 | #ifdef CONFIG_NET_NS |
130 | extern struct net *copy_net_ns(unsigned long flags, struct net *net_ns); | 133 | extern struct net *copy_net_ns(unsigned long flags, |
134 | struct user_namespace *user_ns, struct net *old_net); | ||
131 | 135 | ||
132 | #else /* CONFIG_NET_NS */ | 136 | #else /* CONFIG_NET_NS */ |
133 | #include <linux/sched.h> | 137 | #include <linux/sched.h> |
134 | #include <linux/nsproxy.h> | 138 | #include <linux/nsproxy.h> |
135 | static inline struct net *copy_net_ns(unsigned long flags, struct net *old_net) | 139 | static inline struct net *copy_net_ns(unsigned long flags, |
140 | struct user_namespace *user_ns, struct net *old_net) | ||
136 | { | 141 | { |
137 | if (flags & CLONE_NEWNET) | 142 | if (flags & CLONE_NEWNET) |
138 | return ERR_PTR(-EINVAL); | 143 | return ERR_PTR(-EINVAL); |