diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2012-06-14 11:31:10 +0200 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-11-19 07:46:23 +0100 |
commit | 038e7332b8d4c0629a2965e3ede1a92e8e427bd6 (patch) | |
tree | 3c449f3ea38036322da200533a75f8835191ed68 /kernel | |
parent | netns: Deduplicate and fix copy_net_ns when !CONFIG_NET_NS (diff) | |
download | linux-038e7332b8d4c0629a2965e3ede1a92e8e427bd6.tar.xz linux-038e7332b8d4c0629a2965e3ede1a92e8e427bd6.zip |
userns: make each net (net_ns) belong to a user_ns
The user namespace which creates a new network namespace owns that
namespace and all resources created in it. This way we can target
capability checks for privileged operations against network resources to
the user_ns which created the network namespace in which the resource
lives. Privilege to the user namespace which owns the network
namespace, or any parent user namespace thereof, provides the same
privilege to the network resource.
This patch is reworked from a version originally by
Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/nsproxy.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index b576f7f14bc6..7e1c3de1ce45 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c @@ -90,7 +90,7 @@ static struct nsproxy *create_new_namespaces(unsigned long flags, goto out_pid; } - new_nsp->net_ns = copy_net_ns(flags, tsk->nsproxy->net_ns); + new_nsp->net_ns = copy_net_ns(flags, task_cred_xxx(tsk, user_ns), tsk->nsproxy->net_ns); if (IS_ERR(new_nsp->net_ns)) { err = PTR_ERR(new_nsp->net_ns); goto out_net; |