[Question] Should `CAP_NET_ADMIN` be needed when opening `/dev/ppp`?

From: Wang Shanker
Date: Sun May 01 2016 - 09:39:15 EST

Next message: Aleksa Sarai: "[PATCH v2] cgroup: allow management of subtrees by cgroup namespaces"
Previous message: Matt Fleming: "Re: efi_enabled(EFI_PARAVIRT) use"
Next in thread: Guillaume Nault: "Re: [Question] Should `CAP_NET_ADMIN` be needed when opening `/dev/ppp`?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi, all.

I’ve recently met some problems when trying to create a pppoe network link
inside a unprivileged container. There is a uid namespace which maps root
inside to a normal user outside. There is also a separate net namespace in the
container. I create a dev node inside the container and set right
permission.

However, `/dev/ppp` cannot get opened since the mapped normal user does not
have `CAP_NET_ADMIN`. The related code is in `drivers/net/ppp/ppp_generic.c`:
`int ppp_open()`

```
static int ppp_open(struct inode *inode, struct file *file)
{
/*
* This could (should?) be enforced by the permissions on /dev/ppp.
*/
if (!capable(CAP_NET_ADMIN))
return -EPERM;
return 0;
}
```

I wonder why CAP_NET_ADMIN is needed here, rather than leaving it to the
permission of the device node. If there is no need, I suggest that the
CAP_NET_ADMIN check be removed.

Next message: Aleksa Sarai: "[PATCH v2] cgroup: allow management of subtrees by cgroup namespaces"
Previous message: Matt Fleming: "Re: efi_enabled(EFI_PARAVIRT) use"
Next in thread: Guillaume Nault: "Re: [Question] Should `CAP_NET_ADMIN` be needed when opening `/dev/ppp`?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]