I've verified that the proposed fix in comment #8 does work. I'll need to look at other ns_capable() call sites and get upstream's opinion before I can be confident in its correctness. Here's the raw patch:
diff --git a/net/sysctl_net.c b/net/sysctl_net.c index e7000be..77e6bbf 100644 --- a/net/sysctl_net.c +++ b/net/sysctl_net.c @@ -46,8 +46,8 @@ static int net_ctl_permissions(struct ctl_table_header *head, kgid_t root_gid = make_kgid(net->user_ns, 0);
/* Allow network administrator to have same access as root. */ - if (ns_capable(net->user_ns, CAP_NET_ADMIN) || - uid_eq(root_uid, current_euid())) { + if (uid_eq(root_uid, current_euid()) || + ns_capable(net->user_ns, CAP_NET_ADMIN)) { int mode = (table->mode >> 6) & 7; return (mode << 6) | (mode << 3) | mode; }
I've verified that the proposed fix in comment #8 does work. I'll need to look at other ns_capable() call sites and get upstream's opinion before I can be confident in its correctness. Here's the raw patch:
diff --git a/net/sysctl_net.c b/net/sysctl_net.c permissions( struct ctl_table_header *head, net->user_ ns, 0);
index e7000be..77e6bbf 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -46,8 +46,8 @@ static int net_ctl_
kgid_t root_gid = make_kgid(
/* Allow network administrator to have same access as root. */ net->user_ ns, CAP_NET_ADMIN) || net->user_ ns, CAP_NET_ADMIN)) {
- if (ns_capable(
- uid_eq(root_uid, current_euid())) {
+ if (uid_eq(root_uid, current_euid()) ||
+ ns_capable(
int mode = (table->mode >> 6) & 7;
return (mode << 6) | (mode << 3) | mode;
}