@@ -41,11 +41,21 @@ static int is_seen(struct ctl_table_set *set)
static int net_ctl_permissions(struct ctl_table_header *head,
struct ctl_table *table)
{
+ struct net *net = container_of(head->set, struct net, sysctls);
+ kuid_t root_uid = make_kuid(net->user_ns, 0);
+ kgid_t root_gid = make_kgid(net->user_ns, 0);
+
/* Allow network administrator to have same access as root. */
- if (capable(CAP_NET_ADMIN)) {
+ if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
+ uid_eq(root_uid, current_uid())) {
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
}
+ /* Allow netns root group to have the same assess as the root group */
+ if (gid_eq(root_gid, current_gid())) {
+ int mode = (table->mode >> 3) & 7;
+ return (mode << 3) | (mode << 3) | mode;
+ }
return table->mode;
}
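Review bot: The new checks `uid_eq(root_uid, current_uid())` and `gid_eq(root_gid, current_gid())` compare the caller's real ids, so a task that has dropped its effective uid/gid away from the namespace's root still receives the widened mode, and supplementary group membership is ignored. Permission decisions normally follow the effective credentials; I would use `uid_eq(root_uid, current_euid())` and `if (in_egroup_p(root_gid)) {`. Separately, `return (mode << 3) | (mode << 3) | mode;` repeats the group shift, which looks like a typo: the owner bits are left zero, so if the intent mirrors the branch above it should read `(mode << 6) | (mode << 3) | mode`, otherwise the duplicate term should go. The added comment also spells "access" as "assess".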