network: refuse to create unsupported net types

Containers setup by unprivileged users are only able to create veth network types. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: refuse to create unsupported net types
d1826cf1 · Christian Brauner · e337179a · d1826cf1
Unverified Commit d1826cf1 authored Jun 18, 2017 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 2 deletions

conf.c src/lxc/conf.c +16 -2

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2329,8 +2329,9 @@ static int setup_ipv6_addr(struct lxc_list *ip, int ifindex)
 static int lxc_setup_netdev_in_child_namespaces(struct lxc_netdev *netdev)
 {
 	char ifname[IFNAMSIZ];
-	char *current_ifname = ifname;
 	int err;
+	const char *net_type_name;
+	char *current_ifname = ifname;
 	/* empty network namespace */
 	if (!netdev->ifindex) {
@@ -2342,8 +2343,21 @@ static int lxc_setup_netdev_in_child_namespaces(struct lxc_netdev *netdev)
 				return -1;
 			}
 		}
-		if (netdev->type != LXC_NET_VETH)
+		if (netdev->type == LXC_NET_EMPTY)
+			return 0;
+		if (netdev->type == LXC_NET_NONE)
 			return 0;
+		if (netdev->type != LXC_NET_VETH) {
+			net_type_name = lxc_net_type_to_str(netdev->type);
+			ERROR("%s networks are not supported for containers "
+			      "not setup up by privileged users",
+			      net_type_name);
+			return -1;
+		}
 		netdev->ifindex = if_nametoindex(netdev->name);
 	}