This patch removes the check for CAP_NET_ADMIN in the initial namespace when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user namespace the net namespace was created in, so that /dev/ppp can get opened in an unprivileged container.
Cc: Hannes Frederic Sowa <han...@stressinduktion.org> Cc: Richard Weinberger <richard.weinber...@gmail.com> Cc: Guillaume Nault <g.na...@alphalink.fr> Cc: Miao Wang <shankerwangm...@gmail.com> Signed-off-by: Miao Wang <shan...@tuna.tsinghua.edu.cn> --- drivers/net/ppp/ppp_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index f572b31..4b3b2b5 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file) /* * This could (should?) be enforced by the permissions on /dev/ppp. */ - if (!capable(CAP_NET_ADMIN)) + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN)) return -EPERM; return 0; } -- 2.5.2
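Review bot: the replacement check `ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN)` authorizes against the net namespace of the opening task at open() time and runs only once, so a file descriptor inherited by or passed to a task in a different namespace keeps whatever the opener was granted; this mirrors the one-time nature of the old `capable()` check, but since the point of the patch is to make the decision namespace-aware, the commit message should state that this is intended and that the privileged operations reachable through the open file are still bounded by the namespace the PPP unit actually lives in. The unchanged comment directly above the check ("This could (should?) be enforced by the permissions on /dev/ppp.") is also worth revisiting now that the check is explicitly per-namespace. Finally, the commit message reads "/dev/open" and "cat get opened" where "/dev/ppp" and "can get opened" are meant.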