Signed-off-by: Andrew Vagin <ava...@openvz.org>
---
ipc/util.c | 2 +-
kernel/nsproxy.c | 3 +--
kernel/sys.c | 4 ++--
net/core/dev_ioctl.c | 6 ++----
net/core/ethtool.c | 3 +--
net/core/rtnetlink.c | 3 +--
net/core/scm.c | 2 +-
net/decnet/netfilter/dn_rtmsg.c | 3 +--
net/ipv4/arp.c | 3 +--
net/ipv4/devinet.c | 6 ++----
net/ipv4/fib_frontend.c | 2 +-
net/ipv4/ip_sockglue.c | 3 +--
net/ipv4/ip_tunnel.c | 6 ++----
net/ipv6/addrconf.c | 4 ++--
net/ipv6/ip6_tunnel.c | 6 ++----
net/ipv6/route.c | 2 +-
net/ipv6/sit.c | 9 +++------
net/key/af_key.c | 3 +--
net/netfilter/nfnetlink.c | 3 +--
net/netlink/af_netlink.c | 1 -
net/netlink/genetlink.c | 3 +--
net/xfrm/xfrm_user.c | 3 +--
22 files changed, 29 insertions(+), 51 deletions(-)
diff --git a/ipc/util.c b/ipc/util.c
index 795e05f..15e09aa 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -771,7 +771,7 @@ struct kern_ipc_perm *ipcctl_pre_down_nolock(struct
ipc_namespace *ns,
euid = current_euid();
if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid) ||
- ns_capable(ns->user_ns, CAP_VE_SYS_ADMIN))
+ ns_capable(ns->user_ns, CAP_SYS_ADMIN))
return ipcp; /* successful lookup */
err:
return ERR_PTR(err);
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 81402a8..9e1dda3 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -198,8 +198,7 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
return 0;
user_ns = new_cred ? new_cred->user_ns : current_user_ns();
- if (!ns_capable(user_ns, CAP_SYS_ADMIN) &&
- !ns_capable(user_ns, CAP_VE_SYS_ADMIN))
+ if (!ns_capable(user_ns, CAP_SYS_ADMIN))
return -EPERM;
*new_nsp = create_new_namespaces(unshare_flags, current, user_ns,
diff --git a/kernel/sys.c b/kernel/sys.c
index 44f0295..a2d5644 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1604,7 +1604,7 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int,
len)
int errno;
char tmp[__NEW_UTS_LEN];
- if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_VE_SYS_ADMIN))
+ if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
return -EPERM;
if (len < 0 || len > __NEW_UTS_LEN)
@@ -1655,7 +1655,7 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int,
len)
int errno;
char tmp[__NEW_UTS_LEN];
- if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_VE_SYS_ADMIN))
+ if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
return -EPERM;
if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL;
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index d407219..5053ad8 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -294,8 +294,7 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr,
unsigned int cmd)
return dev_mc_del_global(dev, ifr->ifr_hwaddr.sa_data);
case SIOCSIFTXQLEN:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (ifr->ifr_qlen < 0)
return -EINVAL;
@@ -502,8 +501,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void
__user *arg)
case SIOCSIFMTU:
case SIOCSIFHWADDR:
case SIOCSIFFLAGS:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
dev_load(net, ifr.ifr_name);
rtnl_lock();
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index b06f749..07fedd0 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -1649,8 +1649,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
default:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
}
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 0d2df96..105aaf5 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2732,8 +2732,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
sz_idx = type>>2;
kind = type&3;
- if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN) &&
- !netlink_net_capable(skb, CAP_VE_NET_ADMIN))
+ if (kind != 2 && !netlink_net_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
diff --git a/net/core/scm.c b/net/core/scm.c
index acde9e9..b86b05a 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(struct ucred *creds)
if ((creds->pid == task_tgid_vnr(current) ||
creds->pid == current->tgid ||
- ns_capable(task_active_pid_ns(current)->user_ns,
CAP_VE_SYS_ADMIN)) &&
+ ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
((uid_eq(uid, cred->uid) || uid_eq(uid, cred->euid) ||
uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
((gid_eq(gid, cred->gid) || gid_eq(gid, cred->egid) ||
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index b4d2f6c..e4d9560 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -107,8 +107,7 @@ static inline void dnrmg_receive_user_skb(struct sk_buff
*skb)
if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
return;
- if (!netlink_capable(skb, CAP_NET_ADMIN) &&
- !netlink_capable(skb, CAP_VE_NET_ADMIN))
+ if (!netlink_capable(skb, CAP_NET_ADMIN))
RCV_SKB_FAIL(-EPERM);
/* Eventually we might send routing messages too */
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 0867b6c..d2b96c3 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1176,8 +1176,7 @@ int arp_ioctl(struct net *net, unsigned int cmd, void
__user *arg)
switch (cmd) {
case SIOCDARP:
case SIOCSARP:
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
case SIOCGARP:
err = copy_from_user(&r, arg, sizeof(struct arpreq));
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 2fef948..1666af3 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -915,8 +915,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void
__user *arg)
case SIOCSIFFLAGS:
ret = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto out;
break;
case SIOCSIFADDR: /* Set interface address (and family) */
@@ -924,8 +923,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void
__user *arg)
case SIOCSIFDSTADDR: /* Set the destination address */
case SIOCSIFNETMASK: /* Set the netmask for the interface */
ret = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto out;
ret = -EINVAL;
if (sin->sin_family != AF_INET)
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 3ca9753..e5aa8d9 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -487,7 +487,7 @@ int ip_rt_ioctl(struct net *net, unsigned int cmd, void
__user *arg)
switch (cmd) {
case SIOCADDRT: /* Add a route */
case SIOCDELRT: /* Delete a route */
- if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user(&rt, arg, sizeof(rt)))
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 8937a62..8d174ce 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1008,8 +1008,7 @@ mc_msf_out:
case IP_IPSEC_POLICY:
case IP_XFRM_POLICY:
err = -EPERM;
- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(sock_net(sk)->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
break;
err = xfrm_user_policy(sk, optname, optval, optlen);
break;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 26b9774..b1eeb95 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -726,8 +726,7 @@ int ip_tunnel_ioctl(struct net_device *dev, struct
ip_tunnel_parm *p, int cmd)
case SIOCADDTUNNEL:
case SIOCCHGTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
if (p->iph.ttl)
p->iph.frag_off |= htons(IP_DF);
@@ -781,8 +780,7 @@ int ip_tunnel_ioctl(struct net_device *dev, struct
ip_tunnel_parm *p, int cmd)
case SIOCDELTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
if (dev == itn->fb_tunnel_dev) {
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index cf03581..4745307 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2499,7 +2499,7 @@ int addrconf_add_ifaddr(struct net *net, void __user *arg)
struct in6_ifreq ireq;
int err;
- if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user(&ireq, arg, sizeof(struct in6_ifreq)))
@@ -2518,7 +2518,7 @@ int addrconf_del_ifaddr(struct net *net, void __user *arg)
struct in6_ifreq ireq;
int err;
- if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (copy_from_user(&ireq, arg, sizeof(struct in6_ifreq)))
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index e28a22f..24825e9 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1368,8 +1368,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr,
int cmd)
case SIOCADDTUNNEL:
case SIOCCHGTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
break;
err = -EFAULT;
if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof (p)))
@@ -1402,8 +1401,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr,
int cmd)
break;
case SIOCDELTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
break;
if (dev == ip6n->fb_tnl_dev) {
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index e7698f3..c0f7be8 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2086,7 +2086,7 @@ int ipv6_route_ioctl(struct net *net, unsigned int cmd,
void __user *arg)
switch(cmd) {
case SIOCADDRT: /* Add a route */
case SIOCDELRT: /* Delete a route */
- if (!ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
err = copy_from_user(&rtmsg, arg,
sizeof(struct in6_rtmsg));
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 0cbb2b2..ffd26c9 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1093,8 +1093,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq
*ifr, int cmd)
case SIOCADDTUNNEL:
case SIOCCHGTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
err = -EFAULT;
@@ -1142,8 +1141,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq
*ifr, int cmd)
case SIOCDELTUNNEL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
if (dev == sitn->fb_tunnel_dev) {
@@ -1176,8 +1174,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq
*ifr, int cmd)
case SIOCDELPRL:
case SIOCCHGPRL:
err = -EPERM;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
goto done;
err = -EINVAL;
if (dev == sitn->fb_tunnel_dev)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index d954db1..66f51c5 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -141,8 +141,7 @@ static int pfkey_create(struct net *net, struct socket
*sock, int protocol,
struct sock *sk;
int err;
- if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
- !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
if (sock->type != SOCK_RAW)
return -ESOCKTNOSUPPORT;
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index e9dca11..d2de992 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -375,8 +375,7 @@ static void nfnetlink_rcv(struct sk_buff *skb)
skb->len < nlh->nlmsg_len)
return;
- if (!netlink_net_capable(skb, CAP_NET_ADMIN) &&
- !netlink_net_capable(skb, CAP_VE_NET_ADMIN)) {
+ if (!netlink_net_capable(skb, CAP_NET_ADMIN)) {
netlink_ack(skb, nlh, -EPERM);
return;
}
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index c258809..ec12d29 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1373,7 +1373,6 @@ EXPORT_SYMBOL(netlink_net_capable);
static inline int netlink_allowed(const struct socket *sock, unsigned int flag)
{
return (nl_table[sock->sk->sk_protocol].flags & flag) ||
- ns_capable(sock_net(sock->sk)->user_ns, CAP_VE_NET_ADMIN) ||
ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
}
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 3c4679c..76393f2 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -557,8 +557,7 @@ static int genl_family_rcv_msg(struct genl_family *family,
return -EOPNOTSUPP;
if ((ops->flags & GENL_ADMIN_PERM) &&
- !netlink_capable(skb, CAP_NET_ADMIN) &&
- !netlink_capable(skb, CAP_VE_NET_ADMIN))
+ !netlink_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if ((nlh->nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP) {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 55d2013..7a70a5a 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2362,8 +2362,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
link = &xfrm_dispatch[type];
/* All operations require privileges, even GET */
- if (!netlink_net_capable(skb, CAP_NET_ADMIN) &&
- !netlink_net_capable(skb, CAP_VE_NET_ADMIN))
+ if (!netlink_net_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
--
1.7.1
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
