[Devel] netfilter: allow adding matches from the container initial user namespace

Submitted by Stanislav Kinsburskiy on June 5, 2017, 6:05 p.m.

Details

Message ID 20170605180523.25364.25395.stgit@localhost.localdomain
State New
Series "netfilter: allow adding matches from the container initial user namespace"

Commit Message

Stanislav Kinsburskiy June 5, 2017, 6:05 p.m.
https://jira.sw.ru/browse/PSBM-43609

Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
---
 net/netfilter/xt_owner.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 79558fe..942cce1 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -83,7 +83,7 @@  static int owner_check(const struct xt_mtchk_param *par)
 
 	/* For now only allow adding matches from the initial user namespace */
 	if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
-	    (current_user_ns() != &init_user_ns))
+	    !current_user_ns_initial())
 		return -EINVAL;
 	return 0;
 }
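Review bot: the comment directly above the condition ("For now only allow adding matches from the initial user namespace") is now stale, because `!current_user_ns_initial()` admits callers other than `&init_user_ns` (per the subject, a container's own initial user namespace), so it should be reworded to describe the new rule, e.g. "only allow adding matches from the initial user namespace of the host or of a container". The commit message is only a tracker link; it should state what `current_user_ns_initial()` tests and, since this hunk changes only the admission check in owner_check() and not the code that applies the uid/gid bounds, in which user namespace those bounds are interpreted once a container can install such a match, otherwise a reviewer cannot tell from the patch whether container-relative IDs are compared against the right namespace.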

Comments

Kirill Tkhai June 6, 2017, 8:47 a.m.
On 05.06.2017 21:05, Stanislav Kinsburskiy wrote:
> https://jira.sw.ru/browse/PSBM-43609
> 
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>

Acked-by: Kirill Tkhai <ktkhai@virtuozzo.com>

> ---
>  net/netfilter/xt_owner.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
> index 79558fe..942cce1 100644
> --- a/net/netfilter/xt_owner.c
> +++ b/net/netfilter/xt_owner.c
> @@ -83,7 +83,7 @@ static int owner_check(const struct xt_mtchk_param *par)
>  
>  	/* For now only allow adding matches from the initial user namespace */
>  	if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
> -	    (current_user_ns() != &init_user_ns))
> +	    !current_user_ns_initial())
>  		return -EINVAL;
>  	return 0;
>  }
>