diff options
| author | Michael Weiß <michael.weiss@aisec.fraunhofer.de> | 2022-09-23 15:38:20 +0200 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2022-09-27 11:31:36 +0200 |
| commit | 59cd7377660a76780bfdd9fd26da058bcca5320d (patch) | |
| tree | 30e1132a7877b5b0ba315cdfb4c16f5edc54ecf0 /net/openvswitch | |
| parent | 8039371847174ff37dc3d02e83cd789dbb6140b0 (diff) | |
| download | linux-59cd7377660a76780bfdd9fd26da058bcca5320d.tar.bz2 | |
net: openvswitch: allow conntrack in non-initial user namespace
Similar to the previous commit, the Netlink interface of the OVS
conntrack module was restricted to global CAP_NET_ADMIN by using
GENL_ADMIN_PERM. This is changed to GENL_UNS_ADMIN_PERM to support
unprivileged containers in non-initial user namespace.
Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'net/openvswitch')
| -rw-r--r-- | net/openvswitch/conntrack.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 48e8f5c29b67..cb255d8ed99a 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1982,7 +1982,8 @@ static int ovs_ct_limit_set_zone_limit(struct nlattr *nla_zone_limit, } else { struct ovs_ct_limit *ct_limit; - ct_limit = kmalloc(sizeof(*ct_limit), GFP_KERNEL); + ct_limit = kmalloc(sizeof(*ct_limit), + GFP_KERNEL_ACCOUNT); if (!ct_limit) return -ENOMEM; @@ -2252,14 +2253,16 @@ exit_err: static const struct genl_small_ops ct_limit_genl_ops[] = { { .cmd = OVS_CT_LIMIT_CMD_SET, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_ct_limit_cmd_set, }, { .cmd = OVS_CT_LIMIT_CMD_DEL, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_ct_limit_cmd_del, }, { .cmd = OVS_CT_LIMIT_CMD_GET, |