openvswitch: allow management from inside user namespaces (4a92602a) · Commits · 戴 / test

include/uapi/linux/genetlink.h

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -21,6 +21,7 @@ struct genlmsghdr {
	#define GENL_CMD_CAP_DO 0x02		#define GENL_CMD_CAP_DO 0x02
	#define GENL_CMD_CAP_DUMP 0x04		#define GENL_CMD_CAP_DUMP 0x04
	#define GENL_CMD_CAP_HASPOL 0x08		#define GENL_CMD_CAP_HASPOL 0x08
			#define GENL_UNS_ADMIN_PERM 0x10

	/*		/*
	* List of reserved static generic netlink identifiers:		* List of reserved static generic netlink identifiers:

net/netlink/genetlink.c

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -580,6 +580,10 @@ static int genl_family_rcv_msg(struct genl_family *family,
	!netlink_capable(skb, CAP_NET_ADMIN))		!netlink_capable(skb, CAP_NET_ADMIN))
	return -EPERM;		return -EPERM;

			if ((ops->flags & GENL_UNS_ADMIN_PERM) &&
			!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
			return -EPERM;

	if ((nlh->nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP) {		if ((nlh->nlmsg_flags & NLM_F_DUMP) == NLM_F_DUMP) {
	int rc;		int rc;

net/openvswitch/datapath.c

+10 −10

Original line number	Original line	Diff line number	Diff line
	@@ -654,7 +654,7 @@ static const struct nla_policy packet_policy[OVS_PACKET_ATTR_MAX + 1] = {

	static const struct genl_ops dp_packet_genl_ops[] = {		static const struct genl_ops dp_packet_genl_ops[] = {
	{ .cmd = OVS_PACKET_CMD_EXECUTE,		{ .cmd = OVS_PACKET_CMD_EXECUTE,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = packet_policy,		.policy = packet_policy,
	.doit = ovs_packet_cmd_execute		.doit = ovs_packet_cmd_execute
	}		}
	@@ -1391,12 +1391,12 @@ static const struct nla_policy flow_policy[OVS_FLOW_ATTR_MAX + 1] = {

	static const struct genl_ops dp_flow_genl_ops[] = {		static const struct genl_ops dp_flow_genl_ops[] = {
	{ .cmd = OVS_FLOW_CMD_NEW,		{ .cmd = OVS_FLOW_CMD_NEW,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = flow_policy,		.policy = flow_policy,
	.doit = ovs_flow_cmd_new		.doit = ovs_flow_cmd_new
	},		},
	{ .cmd = OVS_FLOW_CMD_DEL,		{ .cmd = OVS_FLOW_CMD_DEL,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = flow_policy,		.policy = flow_policy,
	.doit = ovs_flow_cmd_del		.doit = ovs_flow_cmd_del
	},		},
	@@ -1407,7 +1407,7 @@ static const struct genl_ops dp_flow_genl_ops[] = {
	.dumpit = ovs_flow_cmd_dump		.dumpit = ovs_flow_cmd_dump
	},		},
	{ .cmd = OVS_FLOW_CMD_SET,		{ .cmd = OVS_FLOW_CMD_SET,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = flow_policy,		.policy = flow_policy,
	.doit = ovs_flow_cmd_set,		.doit = ovs_flow_cmd_set,
	},		},
	@@ -1777,12 +1777,12 @@ static const struct nla_policy datapath_policy[OVS_DP_ATTR_MAX + 1] = {

	static const struct genl_ops dp_datapath_genl_ops[] = {		static const struct genl_ops dp_datapath_genl_ops[] = {
	{ .cmd = OVS_DP_CMD_NEW,		{ .cmd = OVS_DP_CMD_NEW,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = datapath_policy,		.policy = datapath_policy,
	.doit = ovs_dp_cmd_new		.doit = ovs_dp_cmd_new
	},		},
	{ .cmd = OVS_DP_CMD_DEL,		{ .cmd = OVS_DP_CMD_DEL,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = datapath_policy,		.policy = datapath_policy,
	.doit = ovs_dp_cmd_del		.doit = ovs_dp_cmd_del
	},		},
	@@ -1793,7 +1793,7 @@ static const struct genl_ops dp_datapath_genl_ops[] = {
	.dumpit = ovs_dp_cmd_dump		.dumpit = ovs_dp_cmd_dump
	},		},
	{ .cmd = OVS_DP_CMD_SET,		{ .cmd = OVS_DP_CMD_SET,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = datapath_policy,		.policy = datapath_policy,
	.doit = ovs_dp_cmd_set,		.doit = ovs_dp_cmd_set,
	},		},
	@@ -2158,12 +2158,12 @@ static const struct nla_policy vport_policy[OVS_VPORT_ATTR_MAX + 1] = {

	static const struct genl_ops dp_vport_genl_ops[] = {		static const struct genl_ops dp_vport_genl_ops[] = {
	{ .cmd = OVS_VPORT_CMD_NEW,		{ .cmd = OVS_VPORT_CMD_NEW,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = vport_policy,		.policy = vport_policy,
	.doit = ovs_vport_cmd_new		.doit = ovs_vport_cmd_new
	},		},
	{ .cmd = OVS_VPORT_CMD_DEL,		{ .cmd = OVS_VPORT_CMD_DEL,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = vport_policy,		.policy = vport_policy,
	.doit = ovs_vport_cmd_del		.doit = ovs_vport_cmd_del
	},		},
	@@ -2174,7 +2174,7 @@ static const struct genl_ops dp_vport_genl_ops[] = {
	.dumpit = ovs_vport_cmd_dump		.dumpit = ovs_vport_cmd_dump
	},		},
	{ .cmd = OVS_VPORT_CMD_SET,		{ .cmd = OVS_VPORT_CMD_SET,
	.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */
	.policy = vport_policy,		.policy = vport_policy,
	.doit = ovs_vport_cmd_set,		.doit = ovs_vport_cmd_set,
	},		},

Admin message