Commit df008c91f83583e662ac54aee00004afc3f1894d
Committed by
David S. Miller
1 parent
af31f412c7
net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm
Allow an unprivileged user who has created a user namespace, and then created a network namespace to effectively use the new network namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or ns_capable(net->user_ns, CAP_NET_RAW) calls. Allow creation of af_key sockets. Allow creation of llc sockets. Allow creation of af_packet sockets. Allow sending xfrm netlink control messages. Allow binding to netlink multicast groups. Allow sending to netlink multicast groups. Allow adding and dropping netlink multicast groups. Allow sending to all netlink multicast groups and port ids. Allow reading the netfilter SO_IP_SET socket option. Allow sending netfilter netlink messages. Allow setting and getting ip_vs netfilter socket options. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 8 changed files with 9 additions and 9 deletions Side-by-side Diff
net/key/af_key.c
net/llc/af_llc.c
net/netfilter/ipset/ip_set_core.c
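--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2339,7 +2339,7 @@
 struct ip_vs_dest_user_kern udest;
 struct netns_ipvs *ipvs = net_ipvs(net);
 
-if (!capable(CAP_NET_ADMIN))
+if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
 return -EPERM;
 
 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
@@ -2632,7 +2632,7 @@
 struct netns_ipvs *ipvs = net_ipvs(net);
 
 BUG_ON(!net);
-if (!capable(CAP_NET_ADMIN))
+if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
 return -EPERM;
 
 if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)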
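Review bot: Both hunks spell the namespace as `sock_net(sk)->user_ns` although `net` is already in scope (it is passed to net_ipvs() on line 2340 and BUG_ON-checked on line 2634), while the af_packet and xfrm hunks of this same commit write `net->user_ns`; if `net` is sock_net(sk) here, as the surrounding lines suggest, `if (!ns_capable(net->user_ns, CAP_NET_ADMIN))` reads the same in every file and avoids a second dereference through sk. Either way a one-line comment such as `/* CAP_NET_ADMIN over the user namespace owning this socket's net: userns root may manage IPVS for its own netns */` would record why a plain capable() is no longer used. Note that the IPVS option parsing that follows each check (copying and validating the setsockopt/getsockopt payload) is outside the hunk and is now reachable by any user who can create a user namespace, so its length and bounds checks become part of the unprivileged attack surface. Both enclosing functions start and end outside the hunk.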
net/netfilter/nfnetlink.c
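--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -612,7 +612,7 @@
 static inline int netlink_capable(const struct socket *sock, unsigned int flag)
 {
 return (nl_table[sock->sk->sk_protocol].flags & flag) ||
-capable(CAP_NET_ADMIN);
+ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
 }
 
 static void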
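Review bot: netlink_capable() carries no comment saying whose credentials and which namespace the check is now measured against, and since it gates multicast bind/send in callers outside this hunk that is worth recording; I would add above the return `/* Allowed if the protocol's nl_table flags grant it, or if the calling task has CAP_NET_ADMIN over the user namespace that owns the socket's net. */`. A caveat worth noting as well, inferred from ns_capable()'s semantics rather than from these lines: the decision is made from the credentials of whoever calls at that moment, not of the task that opened the socket, so a socket handed to a more privileged task (fd passing, setuid exec) is judged by that task's capabilities. The protocol-flag short circuit on line 614 is unchanged and still bypasses the capability check entirely for protocols flagged non-root.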
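--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2504,7 +2504,7 @@
 __be16 proto = (__force __be16)protocol; /* weird, but documented */
 int err;
 
-if (!capable(CAP_NET_RAW))
+if (!ns_capable(net->user_ns, CAP_NET_RAW))
 return -EPERM;
 if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&
 sock->type != SOCK_PACKET)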
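Review bot: The new CAP_NET_RAW check on line 2507 makes every AF_PACKET socket type (the SOCK_DGRAM/SOCK_RAW/SOCK_PACKET test follows on lines 2509-2510) reachable from an unprivileged user namespace, but nothing in the code says that this is deliberate; I would annotate it: `/* CAP_NET_RAW over the user namespace owning this net: userns root can open packet sockets on the interfaces of its own netns */`. `net` is presumably the net argument of packet_create (the signature is above the hunk), so the namespace checked is the one the socket is created in, which is the right scope, but that is worth confirming. The rest of the AF_PACKET implementation (ring buffer setup, frame parsing) lies outside this hunk and is now in the unprivileged attack surface, so its existing input validation is what stands between an unprivileged user and the kernel. packet_create starts and ends outside the hunk.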
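--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2349,7 +2349,7 @@
 link = &xfrm_dispatch[type];
 
 /* All operations require privileges, even GET */
-if (!capable(CAP_NET_ADMIN))
+if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 return -EPERM;
 
 if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||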
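Review bot: The comment on line 2351, `/* All operations require privileges, even GET */`, is now imprecise: the privilege is CAP_NET_ADMIN over the user namespace that owns `net`, not global root, so I would rewrite it as `/* All operations require CAP_NET_ADMIN over net->user_ns, even GET */`. That precision matters here because the GET and dump messages return SA state including key material; with the new check a user-namespace root can read the SAs of its own netns, which the commit intends, and that should be the only scope this grants. `net` is presumably derived from the receiving socket above the hunk, which is worth confirming, and the enclosing function starts and ends outside the hunk.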