[criu] net: execute iptables-restore in a target network namespace

Submitted by Andrei Vagin on Oct. 19, 2017, 5:44 a.m.

Details

Message ID 20171019054435.30027-1-avagin@openvz.org
State New
Series "net: execute iptables-restore in a target network namespace"

Commit Message

Andrei Vagin Oct. 19, 2017, 5:44 a.m.
otherwise the kernel can return an error; one of these checks
is in xt_owner.c:owner_check():
...
        if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
            (current_user_ns() != net->user_ns))
                return -EINVAL;
...

https://jira.sw.ru/browse/PSBM-75531
---
 criu/net.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
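The kernel check quoted above only passes when the process issuing the netfilter setsockopt is in the user namespace that owns the target net namespace (current_user_ns() == net->user_ns). The following is an added example, not CRIU's code and not the cr_system_userns() helper the patch calls: it shows the technique a restorer needs, namely forking a child that joins the target task's user namespace first, then its net namespace, and only then execs the helper with the rules on stdin. The names ns_path, same_ns, join_ns and run_in_task_ns are hypothetical; it assumes Linux with /proc mounted and that the caller has CAP_SYS_ADMIN in the target's user namespace, which setns(2) requires.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added example (not CRIU code): run a helper such as iptables-restore in
 * the user namespace owning a target task's network namespace, which is
 * what the xt_owner check (current_user_ns() == net->user_ns) demands.
 * All function names here are hypothetical.
 */

/* Build "/proc/<pid>/ns/<kind>". Returns 0, or -1 if buf is too small. */
int ns_path(pid_t pid, const char *kind, char *buf, size_t len)
{
	int n = snprintf(buf, len, "/proc/%d/ns/%s", (int)pid, kind);
	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/*
 * 1 if the caller already shares the <kind> namespace with pid, 0 if not,
 * -1 if /proc is unavailable. A namespace is identified by the (dev, ino)
 * pair of its /proc/<pid>/ns/<kind> magic link.
 */
int same_ns(pid_t pid, const char *kind)
{
	char mine[64], theirs[64];
	struct stat a, b;

	if (ns_path(getpid(), kind, mine, sizeof(mine)) ||
	    ns_path(pid, kind, theirs, sizeof(theirs)))
		return -1;
	if (stat(mine, &a) || stat(theirs, &b))
		return -1;
	return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Join pid's <kind> namespace unless we are already in it. 0 on success. */
static int join_ns(pid_t pid, const char *kind, int nstype)
{
	char path[64];
	int fd, ret;

	/* setns() onto the caller's own user namespace fails with EINVAL,
	 * so the no-op case is skipped rather than reported as an error. */
	if (same_ns(pid, kind) == 1)
		return 0;
	if (ns_path(pid, kind, path, sizeof(path)))
		return -1;
	fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;
	ret = setns(fd, nstype);
	close(fd);
	return ret;
}

/*
 * Fork; in the child enter target's user namespace first (so the net
 * namespace join is authorized by capabilities in the owning userns),
 * then its net namespace, wire input_fd to stdin and exec argv.
 * Returns the child's exit status, or -1 on error.
 */
int run_in_task_ns(pid_t target, int input_fd, char *const argv[])
{
	int status;
	pid_t child = fork();

	if (child < 0)
		return -1;
	if (child == 0) {
		if (join_ns(target, "user", CLONE_NEWUSER) ||
		    join_ns(target, "net", CLONE_NEWNET))
			_exit(127);
		if (input_fd >= 0 && dup2(input_fd, STDIN_FILENO) < 0)
			_exit(127);
		execvp(argv[0], argv);
		_exit(127);
	}
	if (waitpid(child, &status, 0) != child)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-alone use: restore rules read from stdin into the namespaces of $1. */
int main(int argc, char **argv)
{
	char *const cmd[] = { "iptables-restore", NULL };

	if (argc != 2) {
		fprintf(stderr, "usage: %s <target-pid> < rules\n", argv[0]);
		return 2;
	}
	return run_in_task_ns((pid_t)atoi(argv[1]), STDIN_FILENO, cmd);
}
```

Joining the user namespace before the net namespace matters: once the child is in net->user_ns it holds that namespace's capabilities, which is both what CLONE_NEWNET setns needs and what makes owner_check() accept UID/GID owner matches. Opening the net namespace link after the user namespace switch still works because the child keeps ptrace-style access to the target's /proc entries from inside the owning userns.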


diff --git a/criu/net.c b/criu/net.c
index b90a730..e3f083b 100644
--- a/criu/net.c
+++ b/criu/net.c
@@ -1807,7 +1807,12 @@  static int do_iptables_restore(bool ipv6, char *buf, int size)
 	}
 	close_safe(&pfd[1]);
 
-	ret = cr_system(pfd[0], -1, -1, cmd[0], cmd, 0);
+	/*
+	 * iptables-restore has to be executed in a network userns,
+	 * otherwise the kernel can return an error. One of these checks
+	 * is in xt_owner.c:owner_check().
+	 */
+	ret = cr_system_userns(pfd[0], -1, -1, cmd[0], cmd, 0, root_item->pid->real);
 err:
 	close_safe(&pfd[1]);
 	close_safe(&pfd[0]);
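Review bot: the comment added before the cr_system_userns() call says iptables-restore "has to be executed in a network userns", which conflates the two namespace types, and the subject line says "network namespace" while the call being introduced switches user namespace. The kernel check quoted in the commit message compares current_user_ns() with net->user_ns, i.e. the user namespace that owns the target net namespace, so being in the net namespace alone is not enough. Suggest rewording the comment along the lines of "iptables-restore has to run in the user namespace that owns the target network namespace (net->user_ns); otherwise xt_owner.c:owner_check() rejects UID/GID owner matches with -EINVAL" and adjusting the subject to match. The comment should also say why root_item->pid->real is the right task to borrow the namespace from, since this hunk is the only place that choice is recorded.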