Message-Id: <20200408.143117.436896098376081766.davem@davemloft.net>
Date:   Wed, 08 Apr 2020 14:31:17 -0700 (PDT)
From:   David Miller <davem@...emloft.net>
To:     michael.weiss@...ec.fraunhofer.de
Cc:     kuba@...nel.org, netdev@...r.kernel.org
Subject: Re: [PATCH] l2tp: Allow management of tunnels and session in user
 namespace

From: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
Date: Tue,  7 Apr 2020 13:11:48 +0200

> Creation and management of L2TPv3 tunnels and sessions through netlink
> requires CAP_NET_ADMIN. However, a process with CAP_NET_ADMIN in a
> non-initial user namespace gets an EPERM due to the use of the
> genetlink GENL_ADMIN_PERM flag. Thus, management of L2TP VPNs inside
> an unprivileged container won't work.
> 
> We replaced the GENL_ADMIN_PERM by the GENL_UNS_ADMIN_PERM flag
> similar to other network modules which also had this problem, e.g.,
> openvswitch (commit 4a92602aa1cd "openvswitch: allow management from
> inside user namespaces") and nl80211 (commit 5617c6cd6f844 "nl80211:
> Allow privileged operations from user namespaces").
> 
> I tested this in the container runtime trustm3 (trustm3.github.io)
> and was able to create l2tp tunnels and sessions in unprivileged
> (user namespaced) containers using a private network namespace.
> For other runtimes such as docker or lxc this should work, too.
> 
> Signed-off-by: Michael Weiß <michael.weiss@...ec.fraunhofer.de>

Applied, thank you.
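The reason the flag swap matters is the different capability check genetlink performs for each flag: GENL_ADMIN_PERM asks for CAP_NET_ADMIN relative to the initial user namespace, whereas GENL_UNS_ADMIN_PERM asks for CAP_NET_ADMIN relative to the user namespace that owns the network namespace the request arrived on. The following userspace model is an added example, not kernel code and not part of the patch above; only the CAP_NET_ADMIN number and the two flag values are taken from the kernel headers, and the namespace hierarchy, the tasks and the netns ownership are constructed for the scenario in the commit message (a container with its own user namespace owning a private network namespace). The ns_capable() model omits the kernel's extra rule that grants a namespace creator all capabilities in the child namespace.

```c
/* Userspace model (not kernel code) of the permission checks genetlink
 * applies before dispatching an operation, showing why GENL_ADMIN_PERM
 * returns EPERM inside a user namespace while GENL_UNS_ADMIN_PERM does
 * not, and which boundary the latter still enforces. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define CAP_NET_ADMIN        12     /* value from <linux/capability.h> */
#define GENL_ADMIN_PERM      0x01   /* <linux/genetlink.h>: CAP_NET_ADMIN in the initial user ns */
#define GENL_UNS_ADMIN_PERM  0x10   /* <linux/genetlink.h>: CAP_NET_ADMIN in the netns owner's user ns */

struct user_ns { const struct user_ns *parent; };   /* NULL parent: initial user ns */
struct net_ns  { const struct user_ns *user_ns; };  /* user ns that owns this netns */
struct task    { const struct user_ns *user_ns; unsigned long cap_effective; };

static const struct user_ns init_user_ns = { NULL };

/* ns_capable() model: a capability held in user ns U counts for U and every
 * descendant of U, never for an ancestor. (The real kernel also grants all
 * capabilities to the uid that created a child ns; omitted here.) */
static bool model_ns_capable(const struct task *t, const struct user_ns *target, int cap)
{
    if (!(t->cap_effective & (1UL << cap)))
        return false;
    for (const struct user_ns *ns = target; ns; ns = ns->parent)
        if (ns == t->user_ns)
            return true;
    return false;
}

/* capable() model: the capability is judged against the initial user ns */
static bool model_capable(const struct task *t, int cap)
{
    return model_ns_capable(t, &init_user_ns, cap);
}

/* Model of the two flag-driven checks made before a genetlink op runs.
 * Returns 0 when the operation may proceed, -EPERM otherwise. */
static int genl_perm_check(const struct task *t, const struct net_ns *net, unsigned int op_flags)
{
    if ((op_flags & GENL_ADMIN_PERM) && !model_capable(t, CAP_NET_ADMIN))
        return -EPERM;
    if ((op_flags & GENL_UNS_ADMIN_PERM) && !model_ns_capable(t, net->user_ns, CAP_NET_ADMIN))
        return -EPERM;
    return 0;
}

/* Constructed scenario: a container with its own user ns owning a private
 * netns; the container's admin task holds CAP_NET_ADMIN only in there. */
static const struct user_ns container_user_ns = { &init_user_ns };
static const struct net_ns  container_net     = { &container_user_ns };
static const struct net_ns  host_net          = { &init_user_ns };
static const struct task container_admin = { &container_user_ns, 1UL << CAP_NET_ADMIN };
static const struct task host_admin      = { &init_user_ns,      1UL << CAP_NET_ADMIN };

/* L2TP ops before the patch (GENL_ADMIN_PERM): denied inside the container */
int container_before_patch(void)  { return genl_perm_check(&container_admin, &container_net, GENL_ADMIN_PERM); }
/* after the patch (GENL_UNS_ADMIN_PERM): allowed on the container's own netns */
int container_after_patch(void)   { return genl_perm_check(&container_admin, &container_net, GENL_UNS_ADMIN_PERM); }
/* boundary that remains: the container cannot manage a host-owned netns */
int container_on_host_netns(void) { return genl_perm_check(&container_admin, &host_net, GENL_UNS_ADMIN_PERM); }
/* host CAP_NET_ADMIN still reaches a container-owned netns */
int host_on_container_netns(void) { return genl_perm_check(&host_admin, &container_net, GENL_UNS_ADMIN_PERM); }

int main(void)
{
    printf("container admin, GENL_ADMIN_PERM:          %d\n", container_before_patch());
    printf("container admin, GENL_UNS_ADMIN_PERM:      %d\n", container_after_patch());
    printf("container admin on host netns, UNS flag:   %d\n", container_on_host_netns());
    printf("host admin on container netns, UNS flag:   %d\n", host_on_container_netns());
    return 0;
}
```

The third scenario is the check a reviewer of such a patch wants to see hold: with GENL_UNS_ADMIN_PERM the container's CAP_NET_ADMIN is scoped to network namespaces its own user namespace owns, so the change lets a container manage its private L2TP tunnels without letting it touch tunnels in the host's network namespace.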
