Am 19.06.2016 um 07:21 schrieb Shanker Wang: > This patch removes the check for CAP_NET_ADMIN in the initial namespace > when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user > namespace the net namespace was created so that /dev/ppp cat get opened > in a unprivileged container. > > Cc: Hannes Frederic Sowa <han...@stressinduktion.org> > Cc: Richard Weinberger <richard.weinber...@gmail.com> > Cc: Guillaume Nault <g.na...@alphalink.fr> > Cc: Miao Wang <shankerwangm...@gmail.com> > Signed-off-by: Miao Wang <miao.w...@tuna.tsinghua.edu.cn> > --- > drivers/net/ppp/ppp_generic.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c > index f572b31..4b3b2b5 100644 > --- a/drivers/net/ppp/ppp_generic.c > +++ b/drivers/net/ppp/ppp_generic.c > @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file > *file) > /* > * This could (should?) be enforced by the permissions on /dev/ppp. > */ > - if (!capable(CAP_NET_ADMIN)) > + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN)) > return -EPERM;
Shouldn't this be a ns_capable(net->user_ns, ...? Otherwise an user can create a new user_ns followed by a new net_ns and has CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the net_ns which belongs to the ppp net device which you want to open. Thanks, //richard
