| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <15AED149-BC4D-4B8F-B173-3F652A46FA35@tuna.tsinghua.edu.cn> Date: Sun, 19 Jun 2016 07:21:27 +0200 From: Shanker Wang <miao.wang@...a.tsinghua.edu.cn> To: netdev@...r.kernel.org Cc: Hannes Frederic Sowa <hannes@...essinduktion.org>, Richard Weinberger <richard.weinberger@...il.com>, Guillaume Nault <g.nault@...halink.fr>, 王邈 <shankerwangmiao@...il.com> Subject: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp This patch removes the check for CAP_NET_ADMIN in the initial namespace when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user namespace the net namespace was created so that /dev/ppp cat get opened in a unprivileged container. Cc: Hannes Frederic Sowa <hannes@...essinduktion.org> Cc: Richard Weinberger <richard.weinberger@...il.com> Cc: Guillaume Nault <g.nault@...halink.fr> Cc: Miao Wang <shankerwangmiao@...il.com> Signed-off-by: Miao Wang <miao.wang@...a.tsinghua.edu.cn> --- drivers/net/ppp/ppp_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index f572b31..4b3b2b5 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file) /* * This could (should?) be enforced by the permissions on /dev/ppp. */ - if (!capable(CAP_NET_ADMIN)) + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN)) return -EPERM; return 0; } -- 2.5.2
Powered by blists - more mailing lists