git.baikalelectronics.ru Git - kernel.git/commit

author	Eric W. Biederman <ebiederm@xmission.com>
	Fri, 16 Nov 2012 03:03:07 +0000 (03:03 +0000)
committer	David S. Miller <davem@davemloft.net>
	Mon, 19 Nov 2012 01:32:45 +0000 (20:32 -0500)
commit	01c063c57e467f1c742d3b61907214406ea2da8f
tree	800fd831c5beb1c4ec00b41d270462d52973a425	tree \| snapshot
parent	8239fd2e058e6ee27ddf07c51f26c1f046e39248	commit \| diff

net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm

Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

Allow creation of af_key sockets.
Allow creation of llc sockets.
Allow creation of af_packet sockets.

Allow sending xfrm netlink control messages.

Allow binding to netlink multicast groups.
Allow sending to netlink multicast groups.
Allow adding and dropping netlink multicast groups.
Allow sending to all netlink multicast groups and port ids.

Allow reading the netfilter SO_IP_SET socket option.
Allow sending netfilter netlink messages.
Allow setting and getting ip_vs netfilter socket options.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/key/af_key.c		diff \| blob \| history
net/llc/af_llc.c		diff \| blob \| history
net/netfilter/ipset/ip_set_core.c		diff \| blob \| history
net/netfilter/ipvs/ip_vs_ctl.c		diff \| blob \| history
net/netfilter/nfnetlink.c		diff \| blob \| history
net/netlink/af_netlink.c		diff \| blob \| history
net/packet/af_packet.c		diff \| blob \| history
net/xfrm/xfrm_user.c		diff \| blob \| history