[PATCH] user_ns: Use nsown_capable instead of capable in net_ctl_permissions

Huang Qiang h.huangqiang at huawei.com
Tue Jul 24 11:05:01 UTC 2012


From: Zhao Hongjiang <zhaohongjiang at huawei.com>

HI:
When I use an unprivileged user exec the following command:
# nsexec -cUn /bin/bash
to create a container with new user_ns and net_ns.

Then I exec "echo 4096 4096 4096 > /proc/sys/net/ipv4/tcp_mem",
the result is Permission Denied which we hope it should be allowed.

It is because of capable(CAP_NET_ADMIN).

Even my unprivileged user have the CAP_NET_ADMIN in the new user_ns and the
tcp_mem is belong to the new net_ns, the capable(CAP_NET_ADMIN) checking is
that this must in the init_user_ns, so the result is the network administrator
can't have the same access as root.

Use nsown_capable(...) the problem is solved.

PS: I changed lxc almostly like what serge done, then use an unprivileged user
to start a container, several Permission Denied occur(such as mount), all this
is caused by capabale(...), when i use nsown_capable(...) the container is
running like everything is ok.
Is this capabale() methed is obsolete? If so, i'll send a new patch to solve
all this problems.

Signed-off-by: Zhao Hongjiang<zhaohongjiang at huawei.com>
Signed-off-by: Huang Qiang <h.huangqiang at huawei.com>
---
 net/sysctl_net.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index c3e65ae..ee31777 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -47,7 +47,7 @@ static int net_ctl_permissions(struct ctl_table_root *root,
 			       struct ctl_table *table)
 {
 	/* Allow network administrator to have same access as root. */
-	if (capable(CAP_NET_ADMIN)) {
+	if (nsown_capable(CAP_NET_ADMIN)) {
 		int mode = (table->mode >> 6) & 7;
 		return (mode << 6) | (mode << 3) | mode;
 	}
-- 
1.7.1



More information about the Containers mailing list