[PATCH net-next 3/4] netns: bridge: allow unprivileged users add/delete mdb entry
Matt Helsley
matthltc at linux.vnet.ibm.com
Fri Feb 1 04:11:10 UTC 2013
On Fri, Feb 01, 2013 at 11:59:03AM +0800, Gao feng wrote:
> On 2013/02/01 11:46, Matt Helsley wrote:
> > On Fri, Feb 01, 2013 at 10:30:59AM +0800, Gao feng wrote:
> >> since the mdb table is belong to bridge device,and the
> >> bridge device can only be seen in one netns.
> >> So it's safe to allow unprivileged user which is the
> >> creator of userns and netns to modify the mdb table.
> >>
> >> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> >> ---
> >> net/bridge/br_mdb.c | 3 ---
> >> 1 file changed, 3 deletions(-)
> >>
> >> diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
> >> index acc9f4c..38991e0 100644
> >> --- a/net/bridge/br_mdb.c
> >> +++ b/net/bridge/br_mdb.c
> >> @@ -272,9 +272,6 @@ static int br_mdb_parse(struct sk_buff *skb, struct nlmsghdr *nlh,
> >> struct net_device *dev;
> >> int err;
> >>
> >> - if (!capable(CAP_NET_ADMIN))
> >> - return -EPERM;
> >> -
> >
> > I'm wondering why this doesn't follow the:
> >
> > ...
> > - if (!capable(CAP_NET_ADMIN))
> > + if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
> >
> > pattern like the rest of the changes you provided. Perhaps I'm
> > neglecting something but it looks wrong to remove the CAP_NET_ADMIN
> > check entirely.
> >
>
> rtnetlink_rcv_msg has done this job,in commit dfc47ef8639facd77210e74be831943c2fdd9c74
> Eric change capable to ns_capable in rtnetlink_rcv_msg and Push capable(CAP_NET_ADMIN)
> into the rtnl methods.So we only need to do is remove this capable in br_mdb_parse.
>
> Thanks!
OK, thanks!
Cheers,
-Matt
More information about the Containers
mailing list