Commit 2abe0523 authored by Michael Weiß's avatar Michael Weiß Committed by David S. Miller
Browse files

l2tp: Allow management of tunnels and session in user namespace 



Creation and management of L2TPv3 tunnels and session through netlink
requires CAP_NET_ADMIN. However, a process with CAP_NET_ADMIN in a
non-initial user namespace gets an EPERM due to the use of the
genetlink GENL_ADMIN_PERM flag. Thus, management of L2TP VPNs inside
an unprivileged container won't work.

We replaced the GENL_ADMIN_PERM by the GENL_UNS_ADMIN_PERM flag
similar to other network modules which also had this problem, e.g.,
openvswitch (commit 4a92602a "openvswitch: allow management from
inside user namespaces") and nl80211 (commit 5617c6cd "nl80211:
Allow privileged operations from user namespaces").

I tested this in the container runtime trustm3 (trustm3.github.io)
and was able to create l2tp tunnels and sessions in unpriviliged
(user namespaced) containers using a private network namespace.
For other runtimes such as docker or lxc this should work, too.

Signed-off-by: default avatarMichael Weiß <michael.weiss@aisec.fraunhofer.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 48fc96b3

net/l2tp/l2tp_netlink.c

+8 −8
Original line number Diff line number Diff line
@@ -920,51 +920,51 @@ static const struct genl_ops l2tp_nl_ops[] = { 
		.cmd = L2TP_CMD_TUNNEL_CREATE,

		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,

		.doit = l2tp_nl_cmd_tunnel_create,

		.flags = GENL_ADMIN_PERM,

		.flags = GENL_UNS_ADMIN_PERM,

	},

	{

		.cmd = L2TP_CMD_TUNNEL_DELETE,

		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,

		.doit = l2tp_nl_cmd_tunnel_delete,

		.flags = GENL_ADMIN_PERM,

		.flags = GENL_UNS_ADMIN_PERM,

	},

	{

		.cmd = L2TP_CMD_TUNNEL_MODIFY,

		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,

		.doit = l2tp_nl_cmd_tunnel_modify,

		.flags = GENL_ADMIN_PERM,

		.flags = GENL_UNS_ADMIN_PERM,

	},

	{

		.cmd = L2TP_CMD_TUNNEL_GET,

		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,

		.doit = l2tp_nl_cmd_tunnel_get,

		.dumpit = l2tp_nl_cmd_tunnel_dump,

		.flags = GENL_ADMIN_PERM,

		.flags = GENL_UNS_ADMIN_PERM,

	},

	{

		.cmd = L2TP_CMD_SESSION_CREATE,

		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,

		.doit = l2tp_nl_cmd_session_create,

		.flags = GENL_ADMIN_PERM,

		.flags = GENL_UNS_ADMIN_PERM,

	},

	{

		.cmd = L2TP_CMD_SESSION_DELETE,

		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,

		.doit = l2tp_nl_cmd_session_delete,

		.flags = GENL_ADMIN_PERM,

		.flags = GENL_UNS_ADMIN_PERM,

	},

	{

		.cmd = L2TP_CMD_SESSION_MODIFY,

		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,

		.doit = l2tp_nl_cmd_session_modify,

		.flags = GENL_ADMIN_PERM,

		.flags = GENL_UNS_ADMIN_PERM,

	},

	{

		.cmd = L2TP_CMD_SESSION_GET,

		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,

		.doit = l2tp_nl_cmd_session_get,

		.dumpit = l2tp_nl_cmd_session_dump,

		.flags = GENL_ADMIN_PERM,

		.flags = GENL_UNS_ADMIN_PERM,

	},

};

CRA Git | Maintained and supported by SUSTech CRA and CCSE