[Question] Should `CAP_NET_ADMIN` be needed when opening `/dev/ppp`?

From: Wang Shanker
Date: Sun May 01 2016 - 09:39:15 EST

Hi, all.

I’ve recently met some problems when trying to create a pppoe network link
inside a unprivileged container. There is a uid namespace which maps root
inside to a normal user outside. There is also a separate net namespace in the
container. I create a dev node inside the container and set right

However, `/dev/ppp` cannot get opened since the mapped normal user does not
have `CAP_NET_ADMIN`. The related code is in `drivers/net/ppp/ppp_generic.c`:
`int ppp_open()`

static int ppp_open(struct inode *inode, struct file *file)
* This could (should?) be enforced by the permissions on /dev/ppp.
if (!capable(CAP_NET_ADMIN))
return -EPERM;
return 0;

I wonder why CAP_NET_ADMIN is needed here, rather than leaving it to the
permission of the device node. If there is no need, I suggest that the
CAP_NET_ADMIN check be removed.