1
linux/net/core
Eric W. Biederman 5e1fccc0bf net: Allow userns root control of the core of the network stack.
Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

Settings that merely control a single network device are allowed.
Either the network device is a logical network device where
restrictions make no difference or the network device is hardware NIC
that has been explicity moved from the initial network namespace.

In general policy and network stack state changes are allowed
while resource control is left unchanged.

Allow ethtool ioctls.

Allow binding to network devices.
Allow setting the socket mark.
Allow setting the socket priority.

Allow setting the network device alias via sysfs.
Allow setting the mtu via sysfs.
Allow changing the network device flags via sysfs.
Allow setting the network device group via sysfs.

Allow the following network device ioctls.
SIOCGMIIPHY
SIOCGMIIREG
SIOCSIFNAME
SIOCSIFFLAGS
SIOCSIFMETRIC
SIOCSIFMTU
SIOCSIFHWADDR
SIOCSIFSLAVE
SIOCADDMULTI
SIOCDELMULTI
SIOCSIFHWBROADCAST
SIOCSMIIREG
SIOCBONDENSLAVE
SIOCBONDRELEASE
SIOCBONDSETHWADDR
SIOCBONDCHANGEACTIVE
SIOCBRADDIF
SIOCBRDELIF
SIOCSHWTSTAMP

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-11-18 20:32:45 -05:00
..
datagram.c net: skb_free_datagram_locked() doesnt drop all packets 2012-06-27 15:40:57 -07:00
dev_addr_lists.c net: correct check in dev_addr_del() 2012-11-15 17:57:53 -05:00
dev.c net: Allow userns root control of the core of the network stack. 2012-11-18 20:32:45 -05:00
drop_monitor.c drop_monitor: dont sleep in atomic context 2012-06-04 11:42:01 -04:00
dst.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-10-02 13:38:27 -07:00
ethtool.c net: Allow userns root control of the core of the network stack. 2012-11-18 20:32:45 -05:00
fib_rules.c net: Push capable(CAP_NET_ADMIN) into the rtnl methods 2012-11-18 20:32:44 -05:00
filter.c sk-filter: Add ability to get socket filter program (v2) 2012-11-01 11:17:15 -04:00
flow_dissector.c ipv6: add ipv6_addr_hash() helper 2012-07-18 11:28:46 -07:00
flow.c net: Add a flow_cache_flush_deferred function 2011-12-21 16:48:08 -05:00
gen_estimator.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
gen_stats.c gen_stats: Stop using NLA_PUT*(). 2012-04-02 04:33:44 -04:00
iovec.c net: get rid of some pointless casts to sockaddr 2012-03-11 19:11:22 -07:00
link_watch.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-10-02 13:38:27 -07:00
Makefile sock_diag: Move the sock_ code to net/core/ 2011-12-06 13:58:02 -05:00
neighbour.c net: Push capable(CAP_NET_ADMIN) into the rtnl methods 2012-11-18 20:32:44 -05:00
net_namespace.c userns: make each net (net_ns) belong to a user_ns 2012-11-18 20:30:55 -05:00
net-sysfs.c net: Allow userns root control of the core of the network stack. 2012-11-18 20:32:45 -05:00
net-sysfs.h
net-traces.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
netevent.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
netpoll.c netpoll: call ->ndo_select_queue() in tx path 2012-09-19 17:19:09 -04:00
netprio_cgroup.c cgroup: net_prio: Mark local used function static 2012-10-26 03:40:50 -04:00
pktgen.c pktgen: clean up ktime_t helpers 2012-11-03 14:50:15 -04:00
request_sock.c tcp: TCP Fast Open Server - support TFO listeners 2012-08-31 20:02:19 -04:00
rtnetlink.c net: Push capable(CAP_NET_ADMIN) into the rtnl methods 2012-11-18 20:32:44 -05:00
scm.c net: Allow userns root to force the scm creds 2012-11-18 20:32:45 -05:00
secure_seq.c netfilter: ipv6: add IPv6 NAT support 2012-08-30 03:00:17 +02:00
skbuff.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-11-10 18:32:51 -05:00
sock_diag.c netlink: hide struct module parameter in netlink_kernel_create 2012-09-08 18:46:30 -04:00
sock.c net: Allow userns root control of the core of the network stack. 2012-11-18 20:32:45 -05:00
stream.c
sysctl_net_core.c net: Don't export sysctls to unprivileged users 2012-11-18 20:30:55 -05:00
timestamping.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
user_dma.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
utils.c net: add doc for in4_pton() 2012-10-12 13:56:52 -04:00