1. 21 Jul, 2018 8 commits
    • net-sysfs: require net admin in the init ns for setting tx_maxrate · 3033fced
      Tyler Hicks authored
      An upcoming change will allow container root to open some /sys/class/net
      files for writing. The tx_maxrate attribute can result in changes
      to actual hardware devices so err on the side of caution by requiring
      CAP_NET_ADMIN in the init namespace in the corresponding attribute store
      operation.
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • driver core: set up ownership of class devices in sysfs · 9944e894
      Dmitry Torokhov authored
      Plumb in get_ownership() callback for devices belonging to a class so that
      they can be created with uid/gid different from global root. This will
      allow network devices in a container to belong to container's root and not
      global root.
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • kobject: kset_create_and_add() - fetch ownership info from parent · d028b6f7
      Dmitry Torokhov authored
      This change implements get_ownership() for ksets created with
      kset_create_and_add() call by fetching ownership data from parent kobject.
      This is done mostly for the benefit of the "queues" attribute of net devices so
      that corresponding directory belongs to container's root instead of global
      root for network devices in a container.
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sysfs, kobject: allow creating kobject belonging to arbitrary users · 5f81880d
      Dmitry Torokhov authored
      Normally kobjects and their sysfs representation belong to global root,
      however it is not necessarily the case for objects in separate namespaces.
      For example, objects in separate network namespace logically belong to the
      container's root and not global root.
      
      This change lays groundwork for allowing network namespace objects
      ownership to be transferred to container's root user by defining
      get_ownership() callback in ktype structure and using it in sysfs code to
      retrieve desired uid/gid when creating sysfs objects for given kobject.
      Co-Developed-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
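      Added example, not code from the kernel or from these commits: a small userspace C model of the uid_map lookup that the ownership transfer described in 5f81880d (get_ownership() in ktype) and 9944e894 (class devices) depends on. It shows why a container's sysfs entries end up owned by a host uid such as 100000 rather than 0, and why a user namespace whose root is not mapped falls back to global root. The names make_kuid and sysfs_owner_uid echo kernel naming but are this model's own functions; the ownership rule it applies (namespace root if mapped, otherwise global root), the assumption that the namespace is a direct child of the init namespace, and the uid_map lines in main() are all constructed for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GLOBAL_ROOT_UID 0u
#define INVALID_UID     UINT32_MAX  /* stands in for the kernel's invalid kuid */
#define MAX_EXTENTS     5           /* lines a non-extended uid_map may hold */

/* One uid_map line: ids [first, first+count) inside the namespace are
 * [lower_first, lower_first+count) on the host. */
struct uid_extent { uint32_t first, lower_first, count; };

struct user_ns {
    struct uid_extent map[MAX_EXTENTS];
    int nr_extents;  /* 0 marks the init user namespace (identity map) */
};

/* Parse /proc/<pid>/uid_map text. Returns the extent count, or -1 on a
 * malformed line, a zero-length or wrapping range, or too many lines.
 * Model assumption: ns is a direct child of the init namespace, so the
 * lower_first column already holds host uids. */
static int parse_uid_map(const char *text, struct user_ns *ns)
{
    memset(ns, 0, sizeof(*ns));
    for (const char *p = text; *p; ) {
        struct uid_extent *e;
        int n = 0;

        if (*p == '\n') { p++; continue; }
        if (ns->nr_extents == MAX_EXTENTS)
            return -1;
        e = &ns->map[ns->nr_extents];
        if (sscanf(p, "%" SCNu32 " %" SCNu32 " %" SCNu32 "%n",
                   &e->first, &e->lower_first, &e->count, &n) != 3)
            return -1;
        if (e->count == 0 || e->first + e->count < e->first ||
            e->lower_first + e->count < e->lower_first)
            return -1;
        ns->nr_extents++;
        p += n;
    }
    return ns->nr_extents;
}

/* make_kuid() model: the host uid behind a uid seen inside ns. */
static uint32_t make_kuid(const struct user_ns *ns, uint32_t uid)
{
    if (ns->nr_extents == 0)
        return uid;  /* init namespace: "0 0 4294967295" */
    for (int i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (uid >= e->first && uid - e->first < e->count)
            return e->lower_first + (uid - e->first);
    }
    return INVALID_UID;
}

/* Ownership rule modelled here for a netns's sysfs objects: the owning
 * user namespace's root if that uid is mapped, else global root. */
static uint32_t sysfs_owner_uid(const struct user_ns *net_user_ns)
{
    uint32_t ns_root = make_kuid(net_user_ns, 0);
    return ns_root != INVALID_UID ? ns_root : GLOBAL_ROOT_UID;
}

/* Text-in, answer-out helpers; INVALID_UID if the map does not parse. */
static uint32_t kuid_from_map(const char *map_text, uint32_t uid)
{
    struct user_ns ns;
    return parse_uid_map(map_text, &ns) < 0 ? INVALID_UID : make_kuid(&ns, uid);
}

static uint32_t owner_from_map(const char *map_text)
{
    struct user_ns ns;
    return parse_uid_map(map_text, &ns) < 0 ? INVALID_UID : sysfs_owner_uid(&ns);
}

int main(void)
{
    /* Constructed uid_map contents, not captured from a real system. */
    static const char container[] = "0 100000 65536\n"; /* remapped container */
    static const char unpriv[]    = "1000 1000 1\n";    /* unshare -U as uid 1000 */
    struct user_ns init_ns = { .nr_extents = 0 };

    printf("init ns:       owner uid %" PRIu32 "\n", sysfs_owner_uid(&init_ns));
    printf("container:     owner uid %" PRIu32 "\n", owner_from_map(container));
    printf("root unmapped: owner uid %" PRIu32 "\n", owner_from_map(unpriv));
    printf("container uid 65536 -> host %" PRIu32 " (unmapped)\n",
           kuid_from_map(container, 65536));
    return 0;
}
```

      To compare the model against a kernel that carries these commits, feed it the contents of /proc/self/uid_map read from inside the namespace and compare the result with `ls -ln` on that namespace's /sys/class/net entries; an unprivileged namespace that maps only its creator's uid (the second constructed map) is the case where the entries are expected to stay with global root.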
    • kernfs: allow creating kernfs objects with arbitrary uid/gid · 488dee96
      Dmitry Torokhov authored
      This change allows creating kernfs files and directories with arbitrary
      uid/gid instead of always using GLOBAL_ROOT_UID/GID by extending
      kernfs_create_dir_ns() and kernfs_create_file_ns() with uid/gid arguments.
      The "simple" kernfs_create_file() and kernfs_create_dir() are left alone
      and always create objects belonging to the global root.
      
      When creating symlinks, ownership (uid/gid) is taken from the target kernfs
      object.
      Co-Developed-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Init backlog NAPI's gro_hash. · 7c4ec749
      David S. Miller authored
      Based upon a patch by Sean Tranchetti.
      
      Fixes: d4546c25 ("net: Convert GRO SKB handling to list_head.")
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 99d20a46
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS updates for net-next
      
      The following patchset contains Netfilter/IPVS updates for your net-next
      tree:
      
      1) No need to set ttl from reject action for the bridge family, from
         Taehee Yoo.
      
      2) Use a fixed timeout for flows that are passed up from the flowtable
         to conntrack, from Florian Westphal.
      
      3) More preparation patches for tproxy support for nf_tables, from Mate
         Eckl.
      
      4) Remove unnecessary indirection in core IPv6 checksum function, from
         Florian Westphal.
      
      5) Use nf_ct_get_tuplepr() from openvswitch, instead of opencoding it.
         From Florian Westphal.
      
      6) socket match now selects socket infrastructure, instead of depending
         on it. From Mate Eckl.
      
      7) Patch series to simplify conntrack tuple building/parsing from packet
         path and ctnetlink, from Florian Westphal.
      
      8) Fetch timeout policy from protocol helpers, instead of doing it from
         core, from Florian Westphal.
      
      9) Merge IPv4 and IPv6 protocol trackers into conntrack core, from
         Florian Westphal.
      
      10) Depend on CONFIG_NF_TABLES_IPV6 and CONFIG_IP6_NF_IPTABLES
          respectively, instead of IPV6. Patch from Mate Eckl.
      
      11) Add specific function for garbage collection in conncount,
          from Yi-Hung Wei.
      
      12) Catch number of elements in the connlimit list, from Yi-Hung Wei.
      
      13) Move locking to nf_conncount, from Yi-Hung Wei.
      
      14) Series of patches to add lockless tree traversal in nf_conncount,
          from Yi-Hung Wei.
      
      15) Resolve clash in matching conntracks when race happens, from
          Martynas Pumputis.
      
      16) If connection entry times out, remove template entry from the
          ip_vs_conn_tab table to improve behaviour under flood, from
          Julian Anastasov.
      
      17) Remove useless parameter from nf_ct_helper_ext_add(), from Gao feng.
      
      18) Call abort from 2-phase commit protocol before requesting modules,
          make sure this is done under the mutex, from Florian Westphal.
      
      19) Grab module reference when starting transaction, also from Florian.
      
      20) Dynamically allocate expression info array for pre-parsing, from
          Florian.
      
      21) Add per netns mutex for nf_tables, from Florian Westphal.
      
      22) A couple of patches to simplify and refactor nf_osf code to prepare
          for nft_osf support.
      
      23) Break evaluation on missing socket, from Mate Eckl.
      
      24) Allow to match socket mark from nft_socket, from Mate Eckl.
      
      25) Remove dependency on nf_defrag_ipv6, now that the IPv6 tracker is
          built into nf_conntrack. From Florian Westphal.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge ra.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux · c4c5551d
      David S. Miller authored
      All conflicts were trivial overlapping changes, so reasonably
      easy to resolve.
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 20 Jul, 2018 26 commits
  3. 19 Jul, 2018 6 commits