The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.8.x-ovz" and will appear 
at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.8
------>
commit ddcb719bd3e3ea79056bcc74db038c3c5d0e10a1
Author: Andrew Vagin <ava...@openvz.org>
Date:   Tue Sep 8 12:50:24 2015 +0400

    Revert "ve/net: allow containers create bridges with CAP_VE_NET_ADMIN"
    
    This reverts commit 52b6df12cf62fc92edadcec3860f6418d4d8333e.
    
    https://jira.sw.ru/browse/PSBM-39077
    
    Signed-off-by: Andrew Vagin <ava...@virtuozzo.com>
    Reviewed-by: Vladimir Davydov <vdavy...@virtuozzo.com>
---
 net/bridge/br_ioctl.c | 33 +++++++++++----------------------
 net/core/dev_ioctl.c  |  8 ++++----
 2 files changed, 15 insertions(+), 26 deletions(-)

diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 45c4c22..98447b8 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -89,8 +89,7 @@ static int add_del_if(struct net_bridge *br, int ifindex, int 
isadd)
        struct net_device *dev;
        int ret;
 
-       if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-           !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+       if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                return -EPERM;
 
        dev = __dev_get_by_index(net, ifindex);
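Review bot: The restored CAP_NET_ADMIN-only check in add_del_if closes the ioctl path, but port attach/detach is presumably also reachable through rtnetlink (IFLA_MASTER via the bridge's ndo_add_slave/ndo_del_slave) and the sysfs brif interface, and nothing in this revert shows whether the reverted commit left those paths accepting CAP_VE_NET_ADMIN; if it did, the tightening here is bypassable and the same revert is needed there. A one-line comment would keep the policy explicit for the next person editing this guard: `/* Bridge topology is host-admin only; CAP_VE_NET_ADMIN is deliberately not accepted here. */`. The `net` whose user_ns is checked is set up before the hunk, so the head of add_del_if is outside this view.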
@@ -180,29 +179,25 @@ static int old_dev_ioctl(struct net_device *dev, struct 
ifreq *rq, int cmd)
        }
 
        case BRCTL_SET_BRIDGE_FORWARD_DELAY:
-               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                return br_set_forward_delay(br, args[1]);
 
        case BRCTL_SET_BRIDGE_HELLO_TIME:
-               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                return br_set_hello_time(br, args[1]);
 
        case BRCTL_SET_BRIDGE_MAX_AGE:
-               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                return br_set_max_age(br, args[1]);
 
        case BRCTL_SET_AGEING_TIME:
-               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                br->ageing_time = clock_t_to_jiffies(args[1]);
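Review bot: Every BRCTL_SET_* case repeats the same `if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN)) return -EPERM;` guard, and the reverted commit shows how easily one case gets loosened when they are edited individually. A single static helper, e.g. `static bool br_may_configure(const struct net_device *dev) { return ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN); }`, used by every setter would give one place to audit, while the getter cases, which carry no capability check, would be unaffected. Separately, the BRCTL_SET_AGEING_TIME case on the last line writes br->ageing_time without taking br->lock, unlike the PRIORITY and port cases in later hunks; that is pre-existing rather than introduced here, but worth a second look while the file is being touched. The old_dev_ioctl switch continues outside this hunk.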
@@ -242,16 +237,14 @@ static int old_dev_ioctl(struct net_device *dev, struct 
ifreq *rq, int cmd)
        }
 
        case BRCTL_SET_BRIDGE_STP_STATE:
-               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                br_stp_set_enabled(br, args[1]);
                return 0;
 
        case BRCTL_SET_BRIDGE_PRIORITY:
-               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                spin_lock_bh(&br->lock);
@@ -264,8 +257,7 @@ static int old_dev_ioctl(struct net_device *dev, struct 
ifreq *rq, int cmd)
                struct net_bridge_port *p;
                int ret;
 
-               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                spin_lock_bh(&br->lock);
@@ -282,8 +274,7 @@ static int old_dev_ioctl(struct net_device *dev, struct 
ifreq *rq, int cmd)
                struct net_bridge_port *p;
                int ret;
 
-               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(dev_net(dev)->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                spin_lock_bh(&br->lock);
@@ -340,8 +331,7 @@ static int old_deviceless(struct net *net, void __user 
*uarg)
        {
                char buf[IFNAMSIZ];
 
-               if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                if (copy_from_user(buf, (void __user *)args[1], IFNAMSIZ))
@@ -374,8 +364,7 @@ int br_ioctl_deviceless_stub(struct net *net, unsigned int 
cmd, void __user *uar
        {
                char buf[IFNAMSIZ];
 
-               if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
-                   !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
+               if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
 
                if (copy_from_user(buf, uarg, IFNAMSIZ))
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 021681b..77df687 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -502,13 +502,9 @@ int dev_ioctl(struct net *net, unsigned int cmd, void 
__user *arg)
         *      - do not return a value
         */
        case SIOCSIFMAP:
-       case SIOCSIFSLAVE:
        case SIOCSIFMTU:
        case SIOCSIFHWADDR:
        case SIOCSIFFLAGS:
-       case SIOCSIFMETRIC:
-       case SIOCBRADDIF:
-       case SIOCBRDELIF:
                if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
                                !ns_capable(net->user_ns, CAP_VE_NET_ADMIN))
                        return -EPERM;
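Review bot: After this change the split between ioctls a container may still issue with CAP_VE_NET_ADMIN (SIOCSIFMAP, SIOCSIFMTU, SIOCSIFHWADDR, SIOCSIFFLAGS) and those that are host-only is encoded purely by which case label sits in which group, and the comment block above the first group says nothing about the capability policy. A comment on each group would make the boundary reviewable, e.g. `/* per-device settings a container admin (CAP_VE_NET_ADMIN) may change */` here and `/* slave/bonding/bridge topology and timestamping: host CAP_NET_ADMIN only */` on the second group. The dispatch that follows the check, and the rest of dev_ioctl, lie outside this hunk.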
@@ -518,6 +514,8 @@ int dev_ioctl(struct net *net, unsigned int cmd, void 
__user *arg)
                rtnl_unlock();
                return ret;
 
+       case SIOCSIFMETRIC:
+       case SIOCSIFSLAVE:
        case SIOCADDMULTI:
        case SIOCDELMULTI:
        case SIOCSIFHWBROADCAST:
@@ -526,6 +524,8 @@ int dev_ioctl(struct net *net, unsigned int cmd, void 
__user *arg)
        case SIOCBONDRELEASE:
        case SIOCBONDSETHWADDR:
        case SIOCBONDCHANGEACTIVE:
+       case SIOCBRADDIF:
+       case SIOCBRDELIF:
        case SIOCSHWTSTAMP:
                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
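Review bot: Moving SIOCBRADDIF/SIOCBRDELIF into the CAP_NET_ADMIN group duplicates the check that add_del_if in net/bridge/br_ioctl.c now also performs against what is presumably the same net->user_ns, so the bridge port ioctls are gated twice. That is harmless defence in depth, but without a note one of the two checks is likely to be "simplified" away later; a short comment beside the two labels, `/* also checked in br_ioctl add_del_if(); keep both */`, would prevent that. The switch continues past the end of this hunk.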