net: openvswitch: allow conntrack in non-initial user namespace

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2134560
Upstream Status: linux.git

commit 59cd7377660a76780bfdd9fd26da058bcca5320d
Author: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Date:   Fri Sep 23 15:38:20 2022 +0200

    net: openvswitch: allow conntrack in non-initial user namespace

    Similar to the previous commit, the Netlink interface of the OVS
    conntrack module was restricted to global CAP_NET_ADMIN by using
    GENL_ADMIN_PERM. This is changed to GENL_UNS_ADMIN_PERM to support
    unprivileged containers in non-initial user namespace.

    Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: Antoine Tenart <atenart@redhat.com>

net/openvswitch/conntrack.c

@@ -1982,7 +1982,8 @@ static int ovs_ct_limit_set_zone_limit(struct nlattr *nla_zone_limit,
 		} else {
 			struct ovs_ct_limit *ct_limit;
 
-			ct_limit = kmalloc(sizeof(*ct_limit), GFP_KERNEL);
+			ct_limit = kmalloc(sizeof(*ct_limit),
+					   GFP_KERNEL_ACCOUNT);
 			if (!ct_limit)
 				return -ENOMEM;
 
@@ -2252,14 +2253,16 @@ exit_err:
 static const struct genl_small_ops ct_limit_genl_ops[] = {
 	{ .cmd = OVS_CT_LIMIT_CMD_SET,
 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
-		.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
-					   * privilege. */
+		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
+					       * privilege.
+					       */
 		.doit = ovs_ct_limit_cmd_set,
 	},
 	{ .cmd = OVS_CT_LIMIT_CMD_DEL,
 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
-		.flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN
-					   * privilege. */
+		.flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN
+					       * privilege.
+					       */
 		.doit = ovs_ct_limit_cmd_del,
 	},
 	{ .cmd = OVS_CT_LIMIT_CMD_GET,