authorEric W. Biederman <ebiederm@xmission.com>2012-11-15 22:03:07 -0500
committerDavid S. Miller <davem@davemloft.net>2012-11-18 20:32:45 -0500
commitdf008c91f83583e662ac54aee00004afc3f1894d (patch)
tree800fd831c5beb1c4ec00b41d270462d52973a425 /net/xfrm/xfrm_user.c
parentaf31f412c7c7a3c0fda4bf4beaf0c85af1f263c8 (diff)
net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm
Allow an unprivileged user who has created a user namespace, and then created a network namespace to effectively use the new network namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls. Allow creation of af_key sockets. Allow creation of llc sockets. Allow creation of af_packet sockets. Allow sending xfrm netlink control messages. Allow binding to netlink multicast groups. Allow sending to netlink multicast groups. Allow adding and dropping netlink multicast groups. Allow sending to all netlink multicast groups and port ids. Allow reading the netfilter SO_IP_SET socket option. Allow sending netfilter netlink messages. Allow setting and getting ip_vs netfilter socket options. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
-rw-r--r--net/xfrm/xfrm_user.c2
1 files changed, 1 insertions, 1 deletions
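--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2349,7 +2349,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 link = &xfrm_dispatch[type];
 
 /* All operations require privileges, even GET */
-if (!capable(CAP_NET_ADMIN))
+if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 return -EPERM;
 
 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||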
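Review bot: The comment above the changed check, `/* All operations require privileges, even GET */`, no longer says which privilege or where it is measured: after this line the bar is CAP_NET_ADMIN in the user namespace that owns the socket's network namespace rather than in the initial namespace, so a user who is root only inside their own user namespace can now add, delete and dump SAs and policies (and SA dumps carry algorithm keys) in a netns they own. Suggest `/* All operations, even GET (which returns SA key material), require CAP_NET_ADMIN in the user namespace that owns this netns */` so the scope of the trust boundary is explicit to the next reader. The safety of this substitution rests on `net` being the namespace of the receiving socket; its assignment lies outside the hunk (xfrm_user_rcv_msg begins before line 2349), so that should be confirmed rather than assumed when reviewing the other capable→ns_capable sites the commit message lists.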