Diffstat (limited to 'main/linux-grsec/sysctl_lxc.patch')
-rw-r--r--main/linux-grsec/sysctl_lxc.patch31
1 files changed, 0 insertions, 31 deletions
diff --git a/main/linux-grsec/sysctl_lxc.patch b/main/linux-grsec/sysctl_lxc.patch
deleted file mode 100644
index 56279aa03..000000000
--- a/main/linux-grsec/sysctl_lxc.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-This patch allows guests to set /proc/sys/net/*/ip_forward without
-needing CAP_SYS_ADMIN.
-
-diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
-index 1e6dc7e..0a5638b 100644
---- a/fs/proc/proc_sysctl.c
-+++ b/fs/proc/proc_sysctl.c
-@@ -11,6 +11,7 @@
- #include <linux/namei.h>
- #include <linux/mm.h>
- #include <linux/module.h>
-+#include <linux/nsproxy.h>
- #include "internal.h"
-
- extern int gr_handle_chroot_sysctl(const int op);
-@@ -521,8 +522,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
- dput(filp->f_path.dentry);
- if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
- goto out;
-- if (write && !capable(CAP_SYS_ADMIN))
-- goto out;
-+ if (write) {
-+ if (current->nsproxy->net_ns != table->extra2) {
-+ if (!capable(CAP_SYS_ADMIN))
-+ goto out;
-+ } else if (!nsown_capable(CAP_NET_ADMIN))
-+ goto out;
-+ }
- #endif
-
- /* careful: calling conventions are nasty here */