[PATCH] RDMA/uverbs: Fix CAP_NET_RAW check for flow create in user namespace
Serge E. Hallyn
serge at hallyn.com
Mon Mar 10 21:46:50 UTC 2025
On Mon, Mar 10, 2025 at 02:47:53PM +0000, Parav Pandit wrote:
> Hi,
>
> > From: Serge E. Hallyn <serge at hallyn.com>
> > Sent: Monday, March 10, 2025 7:01 PM
> >
> > On Sat, Mar 08, 2025 at 08:06:02PM +0200, Parav Pandit wrote:
> > > A process running in a non-init user namespace possesses the
> > > CAP_NET_RAW capability. However, the patch cited in the fixes tag
> > > checks the capability in the default init user namespace.
> > > Because of this, when the process was started by Podman in a
> > > non-default user namespace, the flow creation failed.
> > >
> > > Fix this issue by checking the CAP_NET_RAW networking capability in
> > > the owner user namespace that created the network namespace.
> >
> > Hi,
> >
> > you say
> >
> > > Fix this issue by checking the CAP_NET_RAW networking capability in the
> > > owner user namespace that created the network namespace.
> >
> > But in fact you are checking the CAP_NET_RAW against the user's network
> > namespace.
> I didn't understand your comment.
> The fix takes the current process's network namespace by referring to current->nsproxy->net_ns.
> Each net ns has its owning user namespace who has created it.
> So the patch is checking caps in that user namespace.
>
> Can you please elaborate?
It looks like it got straightened out later with Eric's reply. Please
let me know if that's not the case.
-serge
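To make the distinction discussed in the thread concrete, the following is an added userspace model of the two checks; it is not kernel code and not part of the patch. It assumes a simplified rule for ns_capable(): the task holds the capability in its own user namespace, and that namespace is the target or one of the target's ancestors (the kernel's extra owner-uid rule for child namespaces is deliberately not modelled). All struct and function names are hypothetical stand-ins for the kernel objects the thread refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#define CAP_NET_RAW    13
#define CAP_TO_MASK(c) (1ull << (c))
struct user_namespace { struct user_namespace *parent; }; /* NULL = init_user_ns */
struct net { struct user_namespace *user_ns; };          /* owner user ns of the net ns */
struct task {
    struct user_namespace *cred_user_ns; /* user ns the task's creds belong to */
    uint64_t cap_effective;              /* effective capability bitmask */
    struct net *net_ns;                  /* stands in for current->nsproxy->net_ns */
};

static struct user_namespace init_user_ns = { .parent = NULL };

/* Model of ns_capable(): the task must hold @cap in its own user ns, and that
 * user ns must be @target itself or an ancestor of @target. (Simplified: the
 * kernel also grants the owner uid of a child ns; that rule is not modelled.) */
static bool ns_capable_model(const struct task *t, const struct user_namespace *target, int cap)
{
    if (!(t->cap_effective & CAP_TO_MASK(cap)))
        return false;
    for (const struct user_namespace *ns = target; ns; ns = ns->parent)
        if (ns == t->cred_user_ns)
            return true;
    return false;
}
/* Model of capable(): always tested against init_user_ns. */
static bool capable_model(const struct task *t, int cap)
{
    return ns_capable_model(t, &init_user_ns, cap);
}
/* Check before the fix: CAP_NET_RAW in the init user namespace only. */
static bool flow_create_allowed_old(const struct task *t)
{
    return capable_model(t, CAP_NET_RAW);
}
/* Check after the fix: CAP_NET_RAW in the user ns that owns the task's net ns. */
static bool flow_create_allowed_new(const struct task *t)
{
    return ns_capable_model(t, t->net_ns->user_ns, CAP_NET_RAW);
}

/* Constructed scenario: a container runtime creates user ns U1 under
 * init_user_ns and a net ns owned by U1; the workload has CAP_NET_RAW in U1. */
static struct user_namespace podman_user_ns = { .parent = &init_user_ns };
static struct net podman_net_ns = { .user_ns = &podman_user_ns };
static const struct task container_task = { &podman_user_ns, CAP_TO_MASK(CAP_NET_RAW), &podman_net_ns };
static const struct task host_task      = { &init_user_ns, CAP_TO_MASK(CAP_NET_RAW), &podman_net_ns };
static const struct task unpriv_task    = { &podman_user_ns, 0, &podman_net_ns };
```

With these inputs the old check rejects the container task even though it holds CAP_NET_RAW in its own user namespace, while the new check accepts it, still accepts a host task that holds the capability in init_user_ns, and still rejects a task in U1 without the capability.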