The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.8.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-229.7.2.vz7.6.8
------>
commit ddcb719bd3e3ea79056bcc74db038c3c5d0e10a1
Author: Andrew Vagin <ava...@openvz.org>
Date: Tue Sep 8 12:50:24 2015 +0400
Revert "ve/net: allow containers create bridges with CAP_VE_NET_ADMIN"

This reverts commit 52b6df12cf62fc92edadcec3860f6418d4d8333e.

https://jira.sw.ru/browse/PSBM-39077

Signed-off-by: Andrew Vagin <ava...@virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavy...@virtuozzo.com>
---
 net/bridge/br_ioctl.c | 33 +++++++++++----------------------
 net/core/dev_ioctl.c | 8 ++++----
 2 files changed, 15 insertions(+), 26 deletions(-)

diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 45c4c22..98447b8 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -89,8 +89,7 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
 	struct net_device *dev;
 	int ret;
 
-	if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-	    !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 		return -EPERM;
 
 	dev = __dev_get_by_index(net, ifindex);
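Review bot: With SIOCBRADDIF/SIOCBRDELIF moved back into the CAP_NET_ADMIN-only group in the dev_ioctl.c hunk, the check restored here in add_del_if becomes a second gate on the same capability in the same net->user_ns; that is the right shape for a revert, but nothing in the code says the redundancy is deliberate, so a later cleanup could drop either one. Suggest a one-line comment on the restored check: `/* dev_ioctl() also requires CAP_NET_ADMIN for SIOCBRADDIF/SIOCBRDELIF; keep this for any other path that reaches add_del_if */`. The same CAP_VE_NET_ADMIN removal appears in the old_dev_ioctl hunks (-180, -242, -264, -282) and in old_deviceless and br_ioctl_deviceless_stub; those need no separate comment. add_del_if starts before the hunk and continues after it.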
@@ -180,29 +179,25 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
 	}
 
 	case BRCTL_SET_BRIDGE_FORWARD_DELAY:
-		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		return br_set_forward_delay(br, args[1]);
 
 	case BRCTL_SET_BRIDGE_HELLO_TIME:
-		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		return br_set_hello_time(br, args[1]);
 
 	case BRCTL_SET_BRIDGE_MAX_AGE:
-		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		return br_set_max_age(br, args[1]);
 
 	case BRCTL_SET_AGEING_TIME:
-		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		br->ageing_time = clock_t_to_jiffies(args[1]);
@@ -242,16 +237,14 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
 	}
 
 	case BRCTL_SET_BRIDGE_STP_STATE:
-		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		br_stp_set_enabled(br, args[1]);
 		return 0;
 
 	case BRCTL_SET_BRIDGE_PRIORITY:
-		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		spin_lock_bh(&br->lock);
@@ -264,8 +257,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
 		struct net_bridge_port *p;
 		int ret;
 
-		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		spin_lock_bh(&br->lock);
@@ -282,8 +274,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
 		struct net_bridge_port *p;
 		int ret;
 
-		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		spin_lock_bh(&br->lock);
@@ -340,8 +331,7 @@ static int old_deviceless(struct net *net, void __user *uarg)
 	{
 		char buf[IFNAMSIZ];
 
-		if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		if (copy_from_user(buf, (void __user *)args[1], IFNAMSIZ))
@@ -374,8 +364,7 @@ int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *uar
 	{
 		char buf[IFNAMSIZ];
 
-		if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-		    !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 
 		if (copy_from_user(buf, uarg, IFNAMSIZ))
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 021681b..77df687 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -502,13 +502,9 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
 	 *	- do not return a value
 	 */
 	case SIOCSIFMAP:
-	case SIOCSIFSLAVE:
 	case SIOCSIFMTU:
 	case SIOCSIFHWADDR:
 	case SIOCSIFFLAGS:
-	case SIOCSIFMETRIC:
-	case SIOCBRADDIF:
-	case SIOCBRDELIF:
 		if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
 		    !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
 			return -EPERM;
@@ -518,6 +514,8 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
 		rtnl_unlock();
 		return ret;
 
+	case SIOCSIFMETRIC:
+	case SIOCSIFSLAVE:
 	case SIOCADDMULTI:
 	case SIOCDELMULTI:
 	case SIOCSIFHWBROADCAST:
@@ -526,6 +524,8 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
 	case SIOCBONDRELEASE:
 	case SIOCBONDSETHWADDR:
 	case SIOCBONDCHANGEACTIVE:
+	case SIOCBRADDIF:
+	case SIOCBRDELIF:
 	case SIOCSHWTSTAMP:
 		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
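Review bot: The second case group in dev_ioctl (now SIOCSIFMETRIC, SIOCSIFSLAVE, the multicast/bonding cases, SIOCBRADDIF, SIOCBRDELIF, SIOCSHWTSTAMP) carries no comment, while the first group keeps the block whose tail (`- do not return a value */`) is the leading context of the -502 hunk; a reader now sees two lists of set-ioctls with different capability checks and no statement of why they differ. The revert also moves SIOCSIFMETRIC and SIOCSIFSLAVE to the CAP_NET_ADMIN-only group, which the title's "bridges" does not cover, so the intent is worth recording where the split is. I would add, before `case SIOCSIFMETRIC:` in the -518 hunk, `/* Host-only: CAP_VE_NET_ADMIN is deliberately not sufficient for these (PSBM-39077) */`. dev_ioctl starts before and continues after both hunks.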