Signed-off-by: Andrew Vagin <ava...@openvz.org>
---
 net/ipv4/netfilter/ip_tables.c | 12 ++++--------
 net/ipv6/netfilter/ip6_tables.c | 12 ++++--------
 2 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 31eda61..bbcb355 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1861,8 +1861,7 @@ compat_do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user,
 struct user_namespace *user_ns = sock_net(sk)->user_ns;
 int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
 return -EPERM;
 switch (cmd) {
@@ -1977,8 +1976,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 struct user_namespace *user_ns = sock_net(sk)->user_ns;
 int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
 return -EPERM;
 switch (cmd) {
@@ -2001,8 +1999,7 @@ do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 struct user_namespace *user_ns = sock_net(sk)->user_ns;
 int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
 return -EPERM;
 switch (cmd) {
@@ -2028,8 +2025,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 struct user_namespace *user_ns = sock_net(sk)->user_ns;
 int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
 return -EPERM;
 switch (cmd) {
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0f370a4..8eaf33d 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1867,8 +1867,7 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
 struct user_namespace *user_ns = sock_net(sk)->user_ns;
 int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
 return -EPERM;
 switch (cmd) {
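Review bot: The capability test in `compat_do_ipt_set_ctl` carries no comment saying that `CAP_NET_ADMIN` is evaluated in `sock_net(sk)->user_ns`, and with the `CAP_VE_NET_ADMIN` fallback gone a task that relied on that capability alone now gets `-EPERM` without any rationale in the patch text shown. A one-line comment above the test, e.g. `/* CAP_NET_ADMIN is checked in the user namespace that owns the socket's netns */`, would make the access model explicit; the same applies to the other three ip_tables.c hunks and the four ip6_tables.c hunks, which carry the identical edit. Only these two files are touched, so if other netfilter sockopt handlers (not visible here) still accept `CAP_VE_NET_ADMIN`, the permission policy would differ between table types and is worth confirming before merge. Since the same check had to be edited in eight places, a shared static helper per file would keep future permission changes from drifting. Each function body starts and ends outside its hunk.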
@@ -1984,8 +1983,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 struct user_namespace *user_ns = sock_net(sk)->user_ns;
 int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
 return -EPERM;
 switch (cmd) {
@@ -2008,8 +2006,7 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 struct user_namespace *user_ns = sock_net(sk)->user_ns;
 int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
 return -EPERM;
 switch (cmd) {
@@ -2035,8 +2032,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 struct user_namespace *user_ns = sock_net(sk)->user_ns;
 int ret;
- if (!ns_capable(user_ns, CAP_NET_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(user_ns, CAP_NET_ADMIN))
 return -EPERM;
 switch (cmd) {
--
1.7.1
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel