• Tycho Andersen's avatar
    openvswitch: allow management from inside user namespaces · 4a92602a
    Tycho Andersen authored
    Operations with the GENL_ADMIN_PERM flag fail permissions checks because
    this flag means we call netlink_capable, which uses the init user ns.
    
    Instead, let's introduce a new flag, GENL_UNS_ADMIN_PERM for operations
    which should be allowed inside a user namespace.
    
    The motivation for this is to be able to run openvswitch in unprivileged
    containers. I've tested this and it seems to work, but I really have no
    idea about the security consequences of this patch, so thoughts would be
    much appreciated.
    
    v2: use the GENL_UNS_ADMIN_PERM flag instead of a check in each function
    v3: use separate ifs for UNS_ADMIN_PERM and ADMIN_PERM, instead of one
        massive one
    Reported-by: default avatarJames Page <james.page@canonical.com>
    Signed-off-by: default avatarTycho Andersen <tycho.andersen@canonical.com>
    CC: Eric Biederman <ebiederm@xmission.com>
    CC: Pravin Shelar <pshelar@ovn.org>
    CC: Justin Pettit <jpettit@nicira.com>
    CC: "David S. Miller" <davem@davemloft.net>
    Acked-by: default avatarPravin B Shelar <pshelar@ovn.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    4a92602a
genetlink.c 26.3 KB