lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 19 Jun 2016 07:21:27 +0200
From:	Shanker Wang <>
Cc:	Hannes Frederic Sowa <>,
	Richard Weinberger <>,
	Guillaume Nault <>,
	王邈 <>
Subject: [PATCH] net:ppp: replace too strict capability restriction on opening  /dev/ppp

This patch removes the check for CAP_NET_ADMIN in the initial namespace
when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
namespace the net namespace was created so that /dev/ppp cat get opened
in a unprivileged container.

Cc: Hannes Frederic Sowa <>
Cc: Richard Weinberger <>
Cc: Guillaume Nault <>
Cc: Miao Wang <>
Signed-off-by: Miao Wang <>
drivers/net/ppp/ppp_generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f572b31..4b3b2b5 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
	 * This could (should?) be enforced by the permissions on /dev/ppp.
-	if (!capable(CAP_NET_ADMIN))
+	if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
		return -EPERM;
	return 0;

Powered by blists - more mailing lists