lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <510B3D87.6050908@cn.fujitsu.com>
Date:	Fri, 01 Feb 2013 11:59:03 +0800
From:	Gao feng <gaofeng@...fujitsu.com>
To:	Matt Helsley <matthltc@...ux.vnet.ibm.com>
CC:	davem@...emloft.net, amwang@...hat.com, netdev@...r.kernel.org,
	containers@...ts.linux-foundation.org, ebiederm@...ssion.com,
	pablo@...filter.org
Subject: Re: [PATCH net-next 3/4] netns: bridge: allow unprivileged users
 add/delete mdb entry

On 2013/02/01 11:46, Matt Helsley wrote:
> On Fri, Feb 01, 2013 at 10:30:59AM +0800, Gao feng wrote:
>> since the mdb table is belong to bridge device,and the
>> bridge device can only be seen in one netns.
>> So it's safe to allow unprivileged user which is the
>> creator of userns and netns to modify the mdb table.
>>
>> Signed-off-by: Gao feng <gaofeng@...fujitsu.com>
>> ---
>>  net/bridge/br_mdb.c | 3 ---
>>  1 file changed, 3 deletions(-)
>>
>> diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
>> index acc9f4c..38991e0 100644
>> --- a/net/bridge/br_mdb.c
>> +++ b/net/bridge/br_mdb.c
>> @@ -272,9 +272,6 @@ static int br_mdb_parse(struct sk_buff *skb, struct nlmsghdr *nlh,
>>  	struct net_device *dev;
>>  	int err;
>>
>> -	if (!capable(CAP_NET_ADMIN))
>> -		return -EPERM;
>> -
> 
> I'm wondering why this doesn't follow the:
> 
> ...
> - if (!capable(CAP_NET_ADMIN))
> + if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
> 
> pattern like the rest of the changes you provided. Perhaps I'm
> neglecting something but it looks wrong to remove the CAP_NET_ADMIN
> check entirely.
> 

rtnetlink_rcv_msg has done this job,in commit dfc47ef8639facd77210e74be831943c2fdd9c74
Eric change capable to ns_capable in rtnetlink_rcv_msg and Push capable(CAP_NET_ADMIN)
into the rtnl methods.So we only need to do is remove this capable in br_mdb_parse.

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ