lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20130201041110.GA5829@us.ibm.com>
Date:	Thu, 31 Jan 2013 20:11:10 -0800
From:	Matt Helsley <matthltc@...ux.vnet.ibm.com>
To:	Gao feng <gaofeng@...fujitsu.com>
Cc:	Matt Helsley <matthltc@...ux.vnet.ibm.com>, amwang@...hat.com,
	netdev@...r.kernel.org, containers@...ts.linux-foundation.org,
	ebiederm@...ssion.com, davem@...emloft.net, pablo@...filter.org
Subject: Re: [PATCH net-next 3/4] netns: bridge: allow unprivileged users
 add/delete mdb entry

On Fri, Feb 01, 2013 at 11:59:03AM +0800, Gao feng wrote:
> On 2013/02/01 11:46, Matt Helsley wrote:
> > On Fri, Feb 01, 2013 at 10:30:59AM +0800, Gao feng wrote:
> >> since the mdb table is belong to bridge device,and the
> >> bridge device can only be seen in one netns.
> >> So it's safe to allow unprivileged user which is the
> >> creator of userns and netns to modify the mdb table.
> >>
> >> Signed-off-by: Gao feng <gaofeng@...fujitsu.com>
> >> ---
> >>  net/bridge/br_mdb.c | 3 ---
> >>  1 file changed, 3 deletions(-)
> >>
> >> diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
> >> index acc9f4c..38991e0 100644
> >> --- a/net/bridge/br_mdb.c
> >> +++ b/net/bridge/br_mdb.c
> >> @@ -272,9 +272,6 @@ static int br_mdb_parse(struct sk_buff *skb, struct nlmsghdr *nlh,
> >>  	struct net_device *dev;
> >>  	int err;
> >>
> >> -	if (!capable(CAP_NET_ADMIN))
> >> -		return -EPERM;
> >> -
> > 
> > I'm wondering why this doesn't follow the:
> > 
> > ...
> > - if (!capable(CAP_NET_ADMIN))
> > + if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
> > 
> > pattern like the rest of the changes you provided. Perhaps I'm
> > neglecting something but it looks wrong to remove the CAP_NET_ADMIN
> > check entirely.
> > 
> 
> rtnetlink_rcv_msg has done this job,in commit dfc47ef8639facd77210e74be831943c2fdd9c74
> Eric change capable to ns_capable in rtnetlink_rcv_msg and Push capable(CAP_NET_ADMIN)
> into the rtnl methods.So we only need to do is remove this capable in br_mdb_parse.
> 
> Thanks!

OK, thanks!

Cheers,
	-Matt

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ