
Merge branch 'net-openvswitch-metering-and-conntrack-in-userns'

Michael Weiß says:

====================
net: openvswitch: metering and conntrack in userns

Currently using openvswitch in a non-initial user namespace, e.g., an
unprivileged container, is possible but without metering and conntrack
support. This is due to the restriction of the corresponding Netlink
interfaces to the global CAP_NET_ADMIN.

These simple patches switch from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM
in several cases to allow this also for the unprivileged container
use case.

We tested this for unprivileged containers created by the container
manager of GyroidOS (gyroidos.github.io). However, for other container
managers such as LXC or systemd which provide unprivileged containers
this should be apply equally.
====================

Link: https://lore.kernel.org/r/20220923133820.993725-1-michael.weiss@aisec.fraunhofer.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+15 -12
+8 -5
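--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1982,7 +1982,8 @@
 } else {
 struct ovs_ct_limit *ct_limit;
 
-ct_limit = kmalloc(sizeof(*ct_limit), GFP_KERNEL);
+ct_limit = kmalloc(sizeof(*ct_limit),
+GFP_KERNEL_ACCOUNT);
 if (!ct_limit)
 return -ENOMEM;
 
@@ -2253,14 +2252,16 @@
 static const struct genl_small_ops ct_limit_genl_ops[] = {
 { .cmd = OVS_CT_LIMIT_CMD_SET,
 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
-.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
-* privilege. */
+.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
+* privilege.
+*/
 .doit = ovs_ct_limit_cmd_set,
 },
 { .cmd = OVS_CT_LIMIT_CMD_DEL,
 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
-.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
-* privilege. */
+.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
+* privilege.
+*/
 .doit = ovs_ct_limit_cmd_del,
 },
 { .cmd = OVS_CT_LIMIT_CMD_GET,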
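Review bot: The comment kept beside the new `.flags = GENL_UNS_ADMIN_PERM` at 2255 and 2262 still reads `Requires CAP_NET_ADMIN privilege`, which now understates what changed: the capability is checked against the user namespace that owns the socket's network namespace, so a container-local CAP_NET_ADMIN is enough. I would reword it to `/* Requires CAP_NET_ADMIN in the user ns owning the net ns. */` here and at the two matching entries in net/openvswitch/meter.c. The move to `GFP_KERNEL_ACCOUNT` at 1985 is the right companion, since limit objects can now be created by a namespace admin and should be charged to that cgroup, but nothing in the code ties the two together; a why-comment such as `/* Charged to the caller's memcg: reachable by user-ns admins. */` would keep them from drifting apart. The function containing that allocation starts outside the hunk, so I cannot see whether the zone-limit state it writes is per-netns; if any of it were shared across namespaces the relaxed permission would let one namespace's admin affect another, which is worth confirming.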
+7 -7
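--- a/net/openvswitch/meter.c
+++ b/net/openvswitch/meter.c
@@ -343,7 +343,7 @@
 return ERR_PTR(-EINVAL);
 
 /* Allocate and set up the meter before locking anything. */
-meter = kzalloc(struct_size(meter, bands, n_bands), GFP_KERNEL);
+meter = kzalloc(struct_size(meter, bands, n_bands), GFP_KERNEL_ACCOUNT);
 if (!meter)
 return ERR_PTR(-ENOMEM);
 
@@ -687,9 +687,9 @@
 },
 { .cmd = OVS_METER_CMD_SET,
 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
-.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
-* privilege.
-*/
+.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
+* privilege.
+*/
 .doit = ovs_meter_cmd_set,
 },
 { .cmd = OVS_METER_CMD_GET,
@@ -699,9 +699,9 @@
 },
 { .cmd = OVS_METER_CMD_DEL,
 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
-.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
-* privilege.
-*/
+.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
+* privilege.
+*/
 .doit = ovs_meter_cmd_del
 },
 };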
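Review bot: With `OVS_METER_CMD_SET` now open to a namespace-local CAP_NET_ADMIN at 690, `GFP_KERNEL_ACCOUNT` at 346 bounds the memory charged to the caller's cgroup but not the number of meters or bands a namespace may create; whether a per-netns cap on the meter count is enforced before this allocation is not visible in the hunk, so it is worth confirming that one exists and that `n_bands` is validated ahead of the `return ERR_PTR(-EINVAL)` at 343, as it appears to be. The enclosing function starts outside the hunk. As a point of style, this kzalloc call is left on one line while the matching kmalloc in net/openvswitch/conntrack.c was wrapped; both are acceptable, but the two allocations in this series would read better done the same way.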