[Devel,RH7] ve: restrict ethtool to VE root userns and prohibit EEPROM change

Submitted by Pavel Tikhomirov on March 2, 2017, 7:11 a.m.

Details

Message ID 20170302071111.12124-1-ptikhomirov@virtuozzo.com
State New
Series "ve: restrict ethtool to VE root userns and prohibit EEPROM change"

Commit Message

Pavel Tikhomirov March 2, 2017, 7:11 a.m.
When we switched to using userns we lost these restrictions. According
to https://jira.sw.ru/browse/PSBM-36290 if we modify EEPROM, we can
modify NIC's firmware.

https://jira.sw.ru/browse/PSBM-52504
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 net/core/ethtool.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 6302e8e..d1b6354 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2398,10 +2398,10 @@  int dev_ethtool(struct net *net, struct ifreq *ifr)
 	case ETHTOOL_GTUNABLE:
 		break;
 	case ETHTOOL_SEEPROM:
-		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
 	default:
-		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+		if (!ve_capable(CAP_NET_ADMIN))
 			return -EPERM;
 	}
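
Review bot: The ETHTOOL_SEEPROM case has no break after its capable(CAP_NET_ADMIN) check, so control falls through into default and ve_capable(CAP_NET_ADMIN) is evaluated as well. If the double check is intended, mark it with a /* fall through */ comment; if the EEPROM path is meant to depend on capable() alone, add a break after the first return -EPERM. A one-line comment above the case saying that EEPROM writes stay host-only because they can change NIC firmware (as the commit message explains) would also make it less likely that someone converts this back to ns_capable(net->user_ns, CAP_NET_ADMIN) later.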