> 在 2016年6月19日,12:13,Richard Weinberger <rich...@nod.at> 写道:
>
> Am 19.06.2016 um 07:21 schrieb Shanker Wang:
>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>> namespace the net namespace was created so that /dev/ppp cat get opened
>> in a unprivileged container.
>>
>> Cc: Hannes Frederic Sowa <han...@stressinduktion.org>
>> Cc: Richard Weinberger <richard.weinber...@gmail.com>
>> Cc: Guillaume Nault <g.na...@alphalink.fr>
>> Cc: Miao Wang <shankerwangm...@gmail.com>
>> Signed-off-by: Miao Wang <miao.w...@tuna.tsinghua.edu.cn>
>> ---
>> drivers/net/ppp/ppp_generic.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
>> index f572b31..4b3b2b5 100644
>> --- a/drivers/net/ppp/ppp_generic.c
>> +++ b/drivers/net/ppp/ppp_generic.c
>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file
>> *file)
>> /*
>> * This could (should?) be enforced by the permissions on /dev/ppp.
>> */
>> - if (!capable(CAP_NET_ADMIN))
>> + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
>> return -EPERM;
>
> Shouldn't this be a ns_capable(net->user_ns, …?
> Otherwise an user can create a new user_ns followed by a new net_ns and has
> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
> net_ns which belongs to the ppp net device which you want to open.
You are totally right. However, I wonder how can i get the “net” struct when
opening /dev/ppp
>
> Thanks,
> //richard
