Diffstat (limited to 'main/linux-virt-grsec/sysctl_lxc.patch')
-rw-r--r-- | main/linux-virt-grsec/sysctl_lxc.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/main/linux-virt-grsec/sysctl_lxc.patch b/main/linux-virt-grsec/sysctl_lxc.patch
new file mode 100644
index 0000000000..56279aa03f
--- /dev/null
+++ b/main/linux-virt-grsec/sysctl_lxc.patch
@@ -0,0 +1,31 @@
+This patch allows guests to set /proc/sys/net/*/ip_forward without
+needing CAP_SYS_ADMIN.
+
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index 1e6dc7e..0a5638b 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -11,6 +11,7 @@
+ #include <linux/namei.h>
+ #include <linux/mm.h>
+ #include <linux/module.h>
++#include <linux/nsproxy.h>
+ #include "internal.h"
+
+ extern int gr_handle_chroot_sysctl(const int op);
+@@ -521,8 +522,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+ dput(filp->f_path.dentry);
+ if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
+ goto out;
+- if (write && !capable(CAP_SYS_ADMIN))
+- goto out;
++ if (write) {
++ if (current->nsproxy->net_ns != table->extra2) {
++ if (!capable(CAP_SYS_ADMIN))
++ goto out;
++ } else if (!nsown_capable(CAP_NET_ADMIN))
++ goto out;
++ }
+ #endif
+
+ /* careful: calling conventions are nasty here */
|
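Review bot: The relaxed branch keys on `table->extra2` being the caller's current `struct net`, but extra2 is an opaque per-table slot and nothing in this hunk establishes which sysctl tables store their owning namespace there; the description names only ip_forward, so the assumption should be written down at the new `if (write) {` line, e.g. `/* extra2 is the owning struct net only for per-netns tables that set it so (ip_forward); any other table falls back to the CAP_SYS_ADMIN check */`. The consequence worth stating in the patch header is that any table whose extra2 happens to hold the current net pointer becomes writable with `nsown_capable(CAP_NET_ADMIN)`, i.e. CAP_NET_ADMIN in the caller's own user namespace rather than the initial one, which is presumably the intended container-root case but is broader than "ip_forward" as described. The `#ifdef` block and `proc_sys_call_handler` itself start outside the hunk, so the guard's surrounding conditions cannot be confirmed from here.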