diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-15 22:03:08 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-11-18 20:33:00 -0500 |
| commit | cb99050305f0ffed0d0ee0d95f1d6645af4d3237 (patch) | |
| tree | e9e215981cf3ad1487c5d5ede58bc34c0f97ddb1 /net/bridge/br_sysfs_br.c | |
| parent | df008c91f83583e662ac54aee00004afc3f1894d (diff) | |
net: Allow userns root to control the network bridge code.
Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.
Allow setting bridge paramters via sysfs.
Allow all of the bridge ioctls:
BRCTL_ADD_IF
BRCTL_DEL_IF
BRCTL_SET_BRDIGE_FORWARD_DELAY
BRCTL_SET_BRIDGE_HELLO_TIME
BRCTL_SET_BRIDGE_MAX_AGE
BRCTL_SET_BRIDGE_AGING_TIME
BRCTL_SET_BRIDGE_STP_STATE
BRCTL_SET_BRIDGE_PRIORITY
BRCTL_SET_PORT_PRIORITY
BRCTL_SET_PATH_COST
BRCTL_ADD_BRIDGE
BRCTL_DEL_BRDIGE
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge/br_sysfs_br.c')
| -rw-r--r-- | net/bridge/br_sysfs_br.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c index cffb76e2161c..5913a3a0047b 100644 --- a/net/bridge/br_sysfs_br.c +++ b/net/bridge/br_sysfs_br.c | |||
| @@ -37,7 +37,7 @@ static ssize_t store_bridge_parm(struct device *d, | |||
| 37 | unsigned long val; | 37 | unsigned long val; |
| 38 | int err; | 38 | int err; |
| 39 | 39 | ||
| 40 | if (!capable(CAP_NET_ADMIN)) | 40 | if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN)) |
| 41 | return -EPERM; | 41 | return -EPERM; |
| 42 | 42 | ||
| 43 | val = simple_strtoul(buf, &endp, 0); | 43 | val = simple_strtoul(buf, &endp, 0); |
| @@ -133,7 +133,7 @@ static ssize_t store_stp_state(struct device *d, | |||
| 133 | char *endp; | 133 | char *endp; |
| 134 | unsigned long val; | 134 | unsigned long val; |
| 135 | 135 | ||
| 136 | if (!capable(CAP_NET_ADMIN)) | 136 | if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN)) |
| 137 | return -EPERM; | 137 | return -EPERM; |
| 138 | 138 | ||
| 139 | val = simple_strtoul(buf, &endp, 0); | 139 | val = simple_strtoul(buf, &endp, 0); |
| @@ -166,7 +166,7 @@ static ssize_t store_group_fwd_mask(struct device *d, | |||
| 166 | char *endp; | 166 | char *endp; |
| 167 | unsigned long val; | 167 | unsigned long val; |
| 168 | 168 | ||
| 169 | if (!capable(CAP_NET_ADMIN)) | 169 | if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN)) |
| 170 | return -EPERM; | 170 | return -EPERM; |
| 171 | 171 | ||
| 172 | val = simple_strtoul(buf, &endp, 0); | 172 | val = simple_strtoul(buf, &endp, 0); |
| @@ -301,7 +301,7 @@ static ssize_t store_group_addr(struct device *d, | |||
| 301 | u8 new_addr[6]; | 301 | u8 new_addr[6]; |
| 302 | int i; | 302 | int i; |
| 303 | 303 | ||
| 304 | if (!capable(CAP_NET_ADMIN)) | 304 | if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN)) |
| 305 | return -EPERM; | 305 | return -EPERM; |
| 306 | 306 | ||
| 307 | if (sscanf(buf, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx", | 307 | if (sscanf(buf, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx", |
| @@ -333,7 +333,7 @@ static ssize_t store_flush(struct device *d, | |||
| 333 | { | 333 | { |
| 334 | struct net_bridge *br = to_bridge(d); | 334 | struct net_bridge *br = to_bridge(d); |
| 335 | 335 | ||
| 336 | if (!capable(CAP_NET_ADMIN)) | 336 | if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN)) |
| 337 | return -EPERM; | 337 | return -EPERM; |
| 338 | 338 | ||
| 339 | br_fdb_flush(br); | 339 | br_fdb_flush(br); |