Upstream commit:
commit 59cd7377660a76780bfdd9fd26da058bcca5320d
Author: Michael Weiß <[email protected]>
Date: Fri Sep 23 15:38:20 2022 +0200
net: openvswitch: allow conntrack in non-initial user namespace
Similar to the previous commit, the Netlink interface of the OVS
conntrack module was restricted to global CAP_NET_ADMIN by using
GENL_ADMIN_PERM. This is changed to GENL_UNS_ADMIN_PERM to support
unprivileged containers in non-initial user namespace.
Signed-off-by: Michael Weiß <[email protected]>
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: Michael Weiß <[email protected]>
---
datapath/conntrack.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index fc268aeae..98dd68225 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -2051,7 +2051,8 @@ static int ovs_ct_limit_set_zone_limit(struct nlattr
*nla_zone_limit,
} else {
struct ovs_ct_limit *ct_limit;
- ct_limit = kmalloc(sizeof(*ct_limit), GFP_KERNEL);
+ ct_limit = kmalloc(sizeof(*ct_limit),
+ GFP_KERNEL_ACCOUNT);
if (!ct_limit)
return -ENOMEM;
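Review bot: The switch from GFP_KERNEL to GFP_KERNEL_ACCOUNT for the ct_limit allocation is not explained by the commit message, which only describes the GENL_UNS_ADMIN_PERM change, so a reader may take it for an unrelated cleanup. It is presumably there because this allocation becomes reachable from CAP_NET_ADMIN holders in a non-initial user namespace, and zone-limit objects created by such a caller should be charged to that caller's memory cgroup rather than to unaccounted kernel memory. A one-line comment above the call, `/* Reachable from non-initial user namespaces: charge the caller's memcg. */`, would record the reason next to the code. Whether the number of ovs_ct_limit entries one caller can create is otherwise bounded is not visible here; ovs_ct_limit_set_zone_limit starts and ends outside the hunk.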
@@ -2327,8 +2328,9 @@ static struct genl_ops ct_limit_genl_ops[] = {
#ifdef HAVE_GENL_VALIDATE_FLAGS
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
#endif
- .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
- * privilege. */
+ .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
+ * privilege.
+ */
#ifdef HAVE_GENL_OPS_POLICY
.policy = ct_limit_policy,
#endif
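Review bot: The comment kept beside the new `.flags = GENL_UNS_ADMIN_PERM` still reads "Requires CAP_NET_ADMIN privilege", which no longer describes the check: GENL_UNS_ADMIN_PERM is satisfied by CAP_NET_ADMIN in the user namespace that owns the socket's network namespace, not only by the global capability, and that widening is the whole point of the change. Replace it with `/* Requires CAP_NET_ADMIN in the netns' owning user namespace. */` here and in the identical hunk at `@@ -2338,8 +2340,9 @@` of the same array. The enclosing ct_limit_genl_ops[] array starts and ends outside both hunks, so I cannot see which commands these two entries are or whether a third entry keeps different flags.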
@@ -2338,8 +2340,9 @@ static struct genl_ops ct_limit_genl_ops[] = {
#ifdef HAVE_GENL_VALIDATE_FLAGS
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
#endif
- .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
- * privilege. */
+ .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
+ * privilege.
+ */
#ifdef HAVE_GENL_OPS_POLICY
.policy = ct_limit_policy,
#endif
--
2.30.2