On 07/08/2015 00:08, [email protected] wrote: > @@ -754,6 +764,12 @@ static int ib_nl_handle_resolve_resp(struct sk_buff *skb, > int found = 0; > int ret; > > + if (!ns_capable(sock_net(skb->sk)->user_ns, CAP_NET_ADMIN)) { > + pr_warn_ratelimited("SA netlink: invalid perm for response: > `%s'.\n", > + current->comm); > + return -EPERM; > + } > + > spin_lock_irqsave(&ib_nl_request_lock, flags); > list_for_each_entry(query, &ib_nl_request_list, list) { > /*
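Review bot: The ns_capable() check added at the top of ib_nl_handle_resolve_resp() tests CAP_NET_ADMIN against sock_net(skb->sk)->user_ns, which is a namespace-relative target, while the code that follows takes ib_nl_request_lock and walks the global ib_nl_request_list. Consider checking against init_user_ns instead, for example with netlink_capable(skb, CAP_NET_ADMIN), which also evaluates the credentials of the socket's opener in addition to the current task. A short comment above the check stating why responses are privileged would help later readers.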
Maybe I'm missing something, but I thought you would want to check the capability with init_user_ns as the target, since the SA queries will affect all namespaces, not just the one that sent the response.

Haggai
