| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 08 Apr 2020 14:31:17 -0700 (PDT) From: David Miller <davem@...emloft.net> To: michael.weiss@...ec.fraunhofer.de Cc: kuba@...nel.org, netdev@...r.kernel.org Subject: Re: [PATCH] l2tp: Allow management of tunnels and session in user namespace From: Michael Weiß <michael.weiss@...ec.fraunhofer.de> Date: Tue, 7 Apr 2020 13:11:48 +0200 > Creation and management of L2TPv3 tunnels and session through netlink > requires CAP_NET_ADMIN. However, a process with CAP_NET_ADMIN in a > non-initial user namespace gets an EPERM due to the use of the > genetlink GENL_ADMIN_PERM flag. Thus, management of L2TP VPNs inside > an unprivileged container won't work. > > We replaced the GENL_ADMIN_PERM by the GENL_UNS_ADMIN_PERM flag > similar to other network modules which also had this problem, e.g., > openvswitch (commit 4a92602aa1cd "openvswitch: allow management from > inside user namespaces") and nl80211 (commit 5617c6cd6f844 "nl80211: > Allow privileged operations from user namespaces"). > > I tested this in the container runtime trustm3 (trustm3.github.io) > and was able to create l2tp tunnels and sessions in unpriviliged > (user namespaced) containers using a private network namespace. > For other runtimes such as docker or lxc this should work, too. > > Signed-off-by: Michael Weiß <michael.weiss@...ec.fraunhofer.de> Applied, thank you.
Powered by blists - more mailing lists