linux/net/l2tp
Michael Weiß 2abe05234f l2tp: Allow management of tunnels and session in user namespace
Creation and management of L2TPv3 tunnels and session through netlink
requires CAP_NET_ADMIN. However, a process with CAP_NET_ADMIN in a
non-initial user namespace gets an EPERM due to the use of the
genetlink GENL_ADMIN_PERM flag. Thus, management of L2TP VPNs inside
an unprivileged container won't work.

We replaced the GENL_ADMIN_PERM by the GENL_UNS_ADMIN_PERM flag
similar to other network modules which also had this problem, e.g.,
openvswitch (commit 4a92602aa1 "openvswitch: allow management from
inside user namespaces") and nl80211 (commit 5617c6cd6f "nl80211:
Allow privileged operations from user namespaces").

I tested this in the container runtime trustm3 (trustm3.github.io)
and was able to create l2tp tunnels and sessions in unpriviliged
(user namespaced) containers using a private network namespace.
For other runtimes such as docker or lxc this should work, too.

Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-04-08 14:30:46 -07:00
..
Kconfig
l2tp_core.c l2tp: Allow duplicate session creation with UDP 2020-02-04 12:35:49 +01:00
l2tp_core.h l2tp: Replace zero-length array with flexible-array member 2020-02-28 12:08:37 -08:00
l2tp_debugfs.c
l2tp_eth.c
l2tp_ip.c
l2tp_ip6.c
l2tp_netlink.c l2tp: Allow management of tunnels and session in user namespace 2020-04-08 14:30:46 -07:00
l2tp_ppp.c
Makefile