This patch removes the check for CAP_NET_ADMIN in the initial namespace when opening /dev/ppp. Instead, CAP_NET_ADMIN is checked in the user namespace the net namespace was created in, so that /dev/ppp can get opened in an unprivileged container.
Cc: Hannes Frederic Sowa <[email protected]> Cc: Richard Weinberger <[email protected]> Cc: Guillaume Nault <[email protected]> Cc: Miao Wang <[email protected]> Signed-off-by: Miao Wang <[email protected]> --- drivers/net/ppp/ppp_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index f572b31..4b3b2b5 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file) /* * This could (should?) be enforced by the permissions on /dev/ppp. */ - if (!capable(CAP_NET_ADMIN)) + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN)) return -EPERM; return 0; } -- 2.5.2
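Review bot: the new ns_capable() check in ppp_open() is evaluated against current->nsproxy->net_ns->user_ns, i.e. the net namespace the calling task happens to be in at open() time, but the file descriptor outlives that moment and the later ioctls that actually create or attach a ppp unit are not covered by this check at all, so the privilege decision is tied to a namespace the descriptor is not bound to. Consider checking against the credentials the file was opened with (file->f_cred->user_ns) or against the namespace in which the unit is created, and say in the commit message which one the permission is meant to apply to. Also, the comment directly above the hunk ("This could (should?) be enforced by the permissions on /dev/ppp.") still reads as if the device-node permissions were the only alternative; a one-line update explaining why a per-user-namespace capability check is preferred to the init-namespace check would help future readers. Minor: the commit message refers to "/dev/open" in its first sentence where /dev/ppp is meant.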
