Diffstat (limited to 'main/linux-grsec/sysctl_lxc.patch')
-rw-r--r-- | main/linux-grsec/sysctl_lxc.patch | 31 |
1 files changed, 0 insertions, 31 deletions
diff --git a/main/linux-grsec/sysctl_lxc.patch b/main/linux-grsec/sysctl_lxc.patch
deleted file mode 100644
index 56279aa03..000000000
--- a/main/linux-grsec/sysctl_lxc.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-This patch allows guests to set /proc/sys/net/*/ip_forward without
-needing CAP_SYS_ADMIN.
-
-diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
-index 1e6dc7e..0a5638b 100644
---- a/fs/proc/proc_sysctl.c
-+++ b/fs/proc/proc_sysctl.c
-@@ -11,6 +11,7 @@
- #include <linux/namei.h>
- #include <linux/mm.h>
- #include <linux/module.h>
-+#include <linux/nsproxy.h>
- #include "internal.h"
-
- extern int gr_handle_chroot_sysctl(const int op);
-@@ -521,8 +522,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
- dput(filp->f_path.dentry);
- if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
- goto out;
-- if (write && !capable(CAP_SYS_ADMIN))
-- goto out;
-+ if (write) {
-+ if (current->nsproxy->net_ns != table->extra2) {
-+ if (!capable(CAP_SYS_ADMIN))
-+ goto out;
-+ } else if (!nsown_capable(CAP_NET_ADMIN))
-+ goto out;
-+ }
- #endif
-
- /* careful: calling conventions are nasty here */ |