• Eric W. Biederman's avatar
    net: Allow userns root control of the core of the network stack. · 5e1fccc0
    Eric W. Biederman authored
    Allow an unpriviled user who has created a user namespace, and then
    created a network namespace to effectively use the new network
    namespace, by reducing capable(CAP_NET_ADMIN) and
    capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
    CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.
    
    Settings that merely control a single network device are allowed.
    Either the network device is a logical network device where
    restrictions make no difference or the network device is hardware NIC
    that has been explicity moved from the initial network namespace.
    
    In general policy and network stack state changes are allowed
    while resource control is left unchanged.
    
    Allow ethtool ioctls.
    
    Allow binding to network devices.
    Allow setting the socket mark.
    Allow setting the socket priority.
    
    Allow setting the network device alias via sysfs.
    Allow setting the mtu via sysfs.
    Allow changing the network device flags via sysfs.
    Allow setting the network device group via sysfs.
    
    Allow the following network device ioctls.
    SIOCGMIIPHY
    SIOCGMIIREG
    SIOCSIFNAME
    SIOCSIFFLAGS
    SIOCSIFMETRIC
    SIOCSIFMTU
    SIOCSIFHWADDR
    SIOCSIFSLAVE
    SIOCADDMULTI
    SIOCDELMULTI
    SIOCSIFHWBROADCAST
    SIOCSMIIREG
    SIOCBONDENSLAVE
    SIOCBONDRELEASE
    SIOCBONDSETHWADDR
    SIOCBONDCHANGEACTIVE
    SIOCBRADDIF
    SIOCBRDELIF
    SIOCSHWTSTAMP
    Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    5e1fccc0
sock.c 69.5 KB