Diffstat (limited to 'main/linux-virt-grsec/sysctl_lxc.patch')
-rw-r--r--main/linux-virt-grsec/sysctl_lxc.patch31
1 files changed, 31 insertions, 0 deletions
diff --git a/main/linux-virt-grsec/sysctl_lxc.patch b/main/linux-virt-grsec/sysctl_lxc.patch
new file mode 100644
index 000000000..56279aa03
--- /dev/null
+++ b/main/linux-virt-grsec/sysctl_lxc.patch
@@ -0,0 +1,31 @@
+This patch allows guests to set /proc/sys/net/*/ip_forward without
+needing CAP_SYS_ADMIN.
+
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index 1e6dc7e..0a5638b 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -11,6 +11,7 @@
+ #include <linux/namei.h>
+ #include <linux/mm.h>
+ #include <linux/module.h>
++#include <linux/nsproxy.h>
+ #include "internal.h"
+
+ extern int gr_handle_chroot_sysctl(const int op);
+@@ -521,8 +522,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+ dput(filp->f_path.dentry);
+ if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
+ goto out;
+- if (write && !capable(CAP_SYS_ADMIN))
+- goto out;
++ if (write) {
++ if (current->nsproxy->net_ns != table->extra2) {
++ if (!capable(CAP_SYS_ADMIN))
++ goto out;
++ } else if (!nsown_capable(CAP_NET_ADMIN))
++ goto out;
++ }
+ #endif
+
+ /* careful: calling conventions are nasty here */
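Review bot: The relaxed write check keys the privilege decision on `current->nsproxy->net_ns != table->extra2`, but `extra2` is an untyped `void *` slot that only some per-netns sysctl tables point at their `struct net` (other handlers, e.g. the range-checked `proc_dointvec_minmax` ones, use it for a limit value), and nothing in the patch says so; a maintainer changing which tables set `extra2` could silently widen or narrow what a namespace-local CAP_NET_ADMIN may write. The header text "allows guests to set /proc/sys/net/*/ip_forward" also understates the scope, since the new branch applies to every table whose `extra2` happens to equal the caller's netns, not just ip_forward. I would add a comment above the new `if (write) {` such as `/* grsec: tables that set extra2 to their owning struct net may be written with CAP_NET_ADMIN in that namespace; everything else still needs CAP_SYS_ADMIN */` and extend the patch header to state that reliance on the `extra2 == net` convention. The unbraced `else if` beside a braced `if` is also easy to misread in an authorization path; bracing both arms would match the surrounding style. The enclosing `proc_sys_call_handler` begins and ends outside this hunk, so whether `table` is validated before this point cannot be confirmed here.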