From: Konstantin Khorenko <khore...@virtuozzo.com>

We want to allow a few operations in VE. Currently we use nsown_capable, but it's wrong, because in this case we allow these operations in any user namespace.
v2: take ve0->cred if the current ve isn't running https://jira.sw.ru/browse/PSBM-39077 Signed-off-by: Andrew Vagin <ava...@virtuozzo.com> https://jira.sw.ru/browse/PSBM-133986 (cherry picked from commit 995390f5a1b3a377d27c59a28e0c5c613d01fc46) Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com> --- net/ipv6/sit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 9344ba77d0df..bf12540bbd6a 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -326,7 +326,7 @@ static int ipip6_tunnel_get_prl(struct net_device *dev, struct ifreq *ifr) /* For simple GET or for root users, * we try harder to allocate. */ - kp = (cmax <= 1 || capable(CAP_NET_ADMIN)) ? + kp = (cmax <= 1 || ve_capable(CAP_NET_ADMIN)) ? kcalloc(cmax, sizeof(*kp), GFP_KERNEL | __GFP_NOWARN) : NULL; -- 2.31.1
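
Review bot: The commit message says the old check was nsown_capable, but the line removed in ipip6_tunnel_get_prl() is `capable(CAP_NET_ADMIN)`, so at this site the patch relaxes a host-only check to `ve_capable(CAP_NET_ADMIN)` rather than narrowing an over-broad one; the message should describe that for this file. The only thing the capability gates here is whether `kcalloc(cmax, sizeof(*kp), GFP_KERNEL | __GFP_NOWARN)` is attempted when cmax > 1, so after this change a caller that passes the VE check can request that larger GFP_KERNEL allocation. Please confirm that cmax is bounded before this point, or that the allocation is accounted to the container, and update the comment above it ("for root users") to say which privilege is now meant. The v2 note about falling back to ve0->cred concerns the body of ve_capable(), which is not part of this diff, so it cannot be checked from these lines.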