summaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2012-06-14 11:31:10 +0200
committerEric W. Biederman <ebiederm@xmission.com>2012-11-19 07:46:23 +0100
commit038e7332b8d4c0629a2965e3ede1a92e8e427bd6 (patch)
tree3c449f3ea38036322da200533a75f8835191ed68 /kernel
parentnetns: Deduplicate and fix copy_net_ns when !CONFIG_NET_NS (diff)
downloadlinux-038e7332b8d4c0629a2965e3ede1a92e8e427bd6.tar.xz
linux-038e7332b8d4c0629a2965e3ede1a92e8e427bd6.zip
userns: make each net (net_ns) belong to a user_ns
The user namespace which creates a new network namespace owns that namespace and all resources created in it. This way we can target capability checks for privileged operations against network resources to the user_ns which created the network namespace in which the resource lives. Privilege to the user namespace which owns the network namespace, or any parent user namespace thereof, provides the same privilege to the network resource. This patch is reworked from a version originally by Serge E. Hallyn <serge.hallyn@canonical.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/nsproxy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index b576f7f14bc6..7e1c3de1ce45 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -90,7 +90,7 @@ static struct nsproxy *create_new_namespaces(unsigned long flags,
goto out_pid;
}
- new_nsp->net_ns = copy_net_ns(flags, tsk->nsproxy->net_ns);
+ new_nsp->net_ns = copy_net_ns(flags, task_cred_xxx(tsk, user_ns), tsk->nsproxy->net_ns);
if (IS_ERR(new_nsp->net_ns)) {
err = PTR_ERR(new_nsp->net_ns);
goto out_net;