git.proxmox.com Git - mirror

lxc-user-nic: test privilege over netns on delete

When lxc-user-nic is called with the "delete" subcommand we need to make sure
that we are actually privileged over the network namespace for which we are
supposed to delete devices on the host. To this end we require that path to the
affected network namespace is passed. We then setns() to the network namespace
and drop privilege to the caller's real user id. Then we try to delete the
loopback interface which is not possible. If we are privileged over the network
namespace this operation will fail with ENOTSUP. If we are not privileged over
the network namespace we will get EPERM.

This is the first part of the commit. As of now nothing guarantees that the
caller does not just give us a random path to a network namespace it is
privileged over.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

author	Christian Brauner <christian.brauner@ubuntu.com>
	Wed, 30 Aug 2017 23:32:39 +0000 (01:32 +0200)
committer	Christian Brauner <christian.brauner@ubuntu.com>
	Thu, 31 Aug 2017 13:30:06 +0000 (15:30 +0200)
commit	1bd8d726a7449c7b8b7e0ca84c4bae0ff193f8a8
tree	cb7267de7a02e5147e04bb03bd498a9fc3799b69	tree
parent	70a498157a8d44ea95c77adb5096fa829dd54e1d	commit \| diff

src/lxc/lxc_user_nic.c		diff \| blob \| blame \| history
src/lxc/network.c		diff \| blob \| blame \| history
src/lxc/network.h		diff \| blob \| blame \| history
src/lxc/start.c		diff \| blob \| blame \| history