This patch allows guests to set /proc/sys/net/*/ip_forward without
needing CAP_SYS_ADMIN.
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 1e6dc7e..0a5638b 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -11,6 +11,7 @@
#include <linux/namei.h>
#include <linux/mm.h>
#include <linux/module.h>
+#include <linux/nsproxy.h>
#include "internal.h"
extern int gr_handle_chroot_sysctl(const int op);
@@ -521,8 +522,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
dput(filp->f_path.dentry);
if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
goto out;
- if (write && !capable(CAP_SYS_ADMIN))
- goto out;
+ if (write) {
+ if (current->nsproxy->net_ns != table->extra2) {
+ if (!capable(CAP_SYS_ADMIN))
+ goto out;
+ } else if (!nsown_capable(CAP_NET_ADMIN))
+ goto out;
+ }
#endif
/* careful: calling conventions are nasty here */
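Review bot: The `else if (!nsown_capable(CAP_NET_ADMIN))` branch tests the capability in the caller's own user namespace, not in the user namespace that owns the net namespace, so a task that shares `init_net` but has acquired CAP_NET_ADMIN inside an unprivileged user namespace would pass this check and could write the global ip_forward, which is a wider grant than the commit message describes. If this tree's `struct net` already carries a `user_ns` member (upstream has had it since the user-namespace conversion of networking), the check should be `} else if (!ns_capable(((struct net *)table->extra2)->user_ns, CAP_NET_ADMIN))` so the write is gated on ownership of the namespace rather than on the caller's own namespace; otherwise the branch should stay CAP_SYS_ADMIN-only until that is available. Note also that `ctl_table.extra2` is an untyped `void *` that many handlers use for a max-value pointer, so the `!= table->extra2` comparison only carries meaning for tables whose registration stored the owning `struct net` there — a one-line comment stating that assumption, e.g. `/* net sysctl tables stash their owning struct net in extra2 */`, would keep the next reader from treating it as a general namespace check. proc_sys_call_handler begins and ends outside this hunk.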