summaryrefslogtreecommitdiffstats
path: root/Documentation
diff options
context:
space:
mode:
authorTycho Andersen <tycho.andersen@canonical.com>2016-02-05 09:20:52 -0700
committerDavid S. Miller <davem@davemloft.net>2016-02-11 09:53:19 -0500
commit4a92602aa1cd5bbaeedbd9536ff992f7d26fe9d1 (patch)
tree0c1fc8a9c5f393a08cd34c6c02544643eaf0681d /Documentation
parent4456ed04ea44b800d691b18c14a68ec9894d2aca (diff)
downloadlinux-4a92602aa1cd5bbaeedbd9536ff992f7d26fe9d1.tar.gz
linux-4a92602aa1cd5bbaeedbd9536ff992f7d26fe9d1.tar.bz2
linux-4a92602aa1cd5bbaeedbd9536ff992f7d26fe9d1.zip
openvswitch: allow management from inside user namespaces
Operations with the GENL_ADMIN_PERM flag fail permissions checks because this flag means we call netlink_capable, which uses the init user ns. Instead, let's introduce a new flag, GENL_UNS_ADMIN_PERM for operations which should be allowed inside a user namespace. The motivation for this is to be able to run openvswitch in unprivileged containers. I've tested this and it seems to work, but I really have no idea about the security consequences of this patch, so thoughts would be much appreciated. v2: use the GENL_UNS_ADMIN_PERM flag instead of a check in each function v3: use separate ifs for UNS_ADMIN_PERM and ADMIN_PERM, instead of one massive one Reported-by: James Page <james.page@canonical.com> Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> CC: Eric Biederman <ebiederm@xmission.com> CC: Pravin Shelar <pshelar@ovn.org> CC: Justin Pettit <jpettit@nicira.com> CC: "David S. Miller" <davem@davemloft.net> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'Documentation')
0 files changed, 0 insertions, 0 deletions