This patch removes the check for CAP_NET_ADMIN in the initial namespace
when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
namespace the net namespace was created so that /dev/ppp cat get opened
in a unprivileged container.

Cc: Hannes Frederic Sowa <han...@stressinduktion.org>
Cc: Richard Weinberger <richard.weinber...@gmail.com>
Cc: Guillaume Nault <g.na...@alphalink.fr>
Cc: Miao Wang <shankerwangm...@gmail.com>
Signed-off-by: Miao Wang <miao.w...@tuna.tsinghua.edu.cn>
---
drivers/net/ppp/ppp_generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f572b31..4b3b2b5 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
        /*
         * This could (should?) be enforced by the permissions on /dev/ppp.
         */
-       if (!capable(CAP_NET_ADMIN))
+       if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
                return -EPERM;
        return 0;
}
-- 
2.5.2


Reply via email to