From patchwork Fri Nov 16 13:03:00 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Eric W. Biederman" X-Patchwork-Id: 199574 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 8F5832C0092 for ; Sat, 17 Nov 2012 00:03:56 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751773Ab2KPNDy (ORCPT ); Fri, 16 Nov 2012 08:03:54 -0500 Received: from out01.mta.xmission.com ([166.70.13.231]:59430 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751765Ab2KPNDx (ORCPT ); Fri, 16 Nov 2012 08:03:53 -0500 Received: from in02.mta.xmission.com ([166.70.13.52]) by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1TZLaK-0004uY-FC; Fri, 16 Nov 2012 06:03:52 -0700 Received: from c-98-207-153-68.hsd1.ca.comcast.net ([98.207.153.68] helo=eric-ThinkPad-X220.int.ebiederm.org) by in02.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1TZLaF-0007nH-Uc; Fri, 16 Nov 2012 06:03:52 -0700 From: "Eric W. Biederman" To: David Miller Cc: , Serge Hallyn , Linux Containers , "Eric W. Biederman" Date: Fri, 16 Nov 2012 05:03:00 -0800 Message-Id: <1353070992-5552-5-git-send-email-ebiederm@xmission.com> X-Mailer: git-send-email 1.7.5.4 In-Reply-To: <1353070992-5552-1-git-send-email-ebiederm@xmission.com> References: <87d2zd8zwn.fsf@xmission.com> <1353070992-5552-1-git-send-email-ebiederm@xmission.com> X-XM-AID: U2FsdGVkX184HDDn8UhX8wpgTjiz08OK77l0k8XE/Vo= X-SA-Exim-Connect-IP: 98.207.153.68 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sa05.xmission.com X-Spam-Level: * X-Spam-Status: No, score=1.5 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE, TR_Symld_Words, T_TM2_M_HEADER_IN_MSG, T_TooManySym_01, T_TooManySym_02, T_TooManySym_03, T_TooManySym_04, T_XMDrugObfuBody_08, XMSubLong autolearn=disabled version=3.3.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 1.5 TR_Symld_Words too many words that have symbols inside * 0.1 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: T_TM2_M_HEADER_IN_MSG * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa05 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_04 7+ unique symbols in subject * 0.0 T_TooManySym_01 4+ unique symbols in subject * 0.0 T_XMDrugObfuBody_08 obfuscated drug references * 0.0 T_TooManySym_03 6+ unique symbols in subject * 0.0 T_TooManySym_02 5+ unique symbols in subject X-Spam-DCC: XMission; sa05 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: *;David Miller X-Spam-Relay-Country: Subject: [PATCH net-next 05/17] net: Push capable(CAP_NET_ADMIN) into the rtnl methods X-SA-Exim-Version: 4.2.1 (built Sun, 08 Jan 2012 03:05:19 +0000) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: "Eric W. Biederman" - In rtnetlink_rcv_msg convert the capable(CAP_NET_ADMIN) check to ns_capable(net->user-ns, CAP_NET_ADMIN). Allowing unprivileged users to make netlink calls to modify their local network namespace. - In the rtnetlink doit methods add capable(CAP_NET_ADMIN) so that calls that are not safe for unprivileged users are still protected. Later patches will remove the extra capable calls from methods that are safe for unprivilged users. Acked-by: Serge Hallyn Signed-off-by: "Eric W. Biederman" --- net/bridge/br_netlink.c | 3 +++ net/can/gw.c | 6 ++++++ net/core/fib_rules.c | 6 ++++++ net/core/neighbour.c | 9 +++++++++ net/core/rtnetlink.c | 17 ++++++++++++++++- net/dcb/dcbnl.c | 3 +++ net/decnet/dn_dev.c | 6 ++++++ net/decnet/dn_fib.c | 6 ++++++ net/ipv4/devinet.c | 6 ++++++ net/ipv4/fib_frontend.c | 6 ++++++ net/ipv6/addrconf.c | 6 ++++++ net/ipv6/addrlabel.c | 3 +++ net/ipv6/route.c | 6 ++++++ net/phonet/pn_netlink.c | 6 ++++++ net/sched/act_api.c | 3 +++ net/sched/cls_api.c | 2 ++ net/sched/sch_api.c | 9 +++++++++ 17 files changed, 102 insertions(+), 1 deletions(-) diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index 093f527..251d558 100644 --- a/net/bridge/br_netlink.c +++ b/net/bridge/br_netlink.c @@ -153,6 +153,9 @@ static int br_rtm_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct net_bridge_port *p; u8 new_state; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlmsg_len(nlh) < sizeof(*ifm)) return -EINVAL; diff --git a/net/can/gw.c b/net/can/gw.c index 1f5c978..574dda7 100644 --- a/net/can/gw.c +++ b/net/can/gw.c @@ -751,6 +751,9 @@ static int cgw_create_job(struct sk_buff *skb, struct nlmsghdr *nlh, struct cgw_job *gwj; int err = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlmsg_len(nlh) < sizeof(*r)) return -EINVAL; @@ -839,6 +842,9 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct can_can_gw ccgw; int err = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlmsg_len(nlh) < sizeof(*r)) return -EINVAL; diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index 58a4ba2..bf5b5b8 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c @@ -275,6 +275,9 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) struct nlattr *tb[FRA_MAX+1]; int err = -EINVAL, unresolved = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) goto errout; @@ -424,6 +427,9 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) struct nlattr *tb[FRA_MAX+1]; int err = -EINVAL; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) goto errout; diff --git a/net/core/neighbour.c b/net/core/neighbour.c index f1c0c2e..7adcdaf 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1620,6 +1620,9 @@ static int neigh_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct net_device *dev = NULL; int err = -EINVAL; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + ASSERT_RTNL(); if (nlmsg_len(nlh) < sizeof(*ndm)) goto out; @@ -1684,6 +1687,9 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct net_device *dev = NULL; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + ASSERT_RTNL(); err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); if (err < 0) @@ -1962,6 +1968,9 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct nlattr *tb[NDTA_MAX+1]; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = nlmsg_parse(nlh, sizeof(*ndtmsg), tb, NDTA_MAX, nl_neightbl_policy); if (err < 0) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 76d4c2c..5d55c30 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1547,6 +1547,9 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct nlattr *tb[IFLA_MAX+1]; char ifname[IFNAMSIZ]; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); if (err < 0) goto errout; @@ -1590,6 +1593,9 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) int err; LIST_HEAD(list_kill); + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); if (err < 0) return err; @@ -1720,6 +1726,9 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct nlattr *linkinfo[IFLA_INFO_MAX+1]; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + #ifdef CONFIG_MODULES replay: #endif @@ -2057,6 +2066,9 @@ static int rtnl_fdb_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) u8 *addr; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); if (err < 0) return err; @@ -2123,6 +2135,9 @@ static int rtnl_fdb_del(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) int err = -EINVAL; __u8 *addr; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (nlmsg_len(nlh) < sizeof(*ndm)) return -EINVAL; @@ -2282,7 +2297,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) sz_idx = type>>2; kind = type&3; - if (kind != 2 && !capable(CAP_NET_ADMIN)) + if (kind != 2 && !ns_capable(net->user_ns, CAP_NET_ADMIN)) return -EPERM; if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) { diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c index 70989e6..b07c75d 100644 --- a/net/dcb/dcbnl.c +++ b/net/dcb/dcbnl.c @@ -1662,6 +1662,9 @@ static int dcb_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct nlmsghdr *reply_nlh = NULL; const struct reply_func *fn; + if ((nlh->nlmsg_type == RTM_SETDCB) && !capable(CAP_NET_ADMIN)) + return -EPERM; + if (!net_eq(net, &init_net)) return -EINVAL; diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c index 7b7e561..e47ba9f 100644 --- a/net/decnet/dn_dev.c +++ b/net/decnet/dn_dev.c @@ -573,6 +573,9 @@ static int dn_nl_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct dn_ifaddr __rcu **ifap; int err = -EINVAL; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!net_eq(net, &init_net)) goto errout; @@ -614,6 +617,9 @@ static int dn_nl_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct dn_ifaddr *ifa; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!net_eq(net, &init_net)) return -EINVAL; diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c index 102d610..e36614e 100644 --- a/net/decnet/dn_fib.c +++ b/net/decnet/dn_fib.c @@ -520,6 +520,9 @@ static int dn_fib_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void * struct rtattr **rta = arg; struct rtmsg *r = NLMSG_DATA(nlh); + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!net_eq(net, &init_net)) return -EINVAL; @@ -540,6 +543,9 @@ static int dn_fib_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh, void * struct rtattr **rta = arg; struct rtmsg *r = NLMSG_DATA(nlh); + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!net_eq(net, &init_net)) return -EINVAL; diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index 66df8d1..ae95f64 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -538,6 +538,9 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg ASSERT_RTNL(); + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy); if (err < 0) goto errout; @@ -645,6 +648,9 @@ static int inet_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg ASSERT_RTNL(); + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + ifa = rtm_to_ifaddr(net, nlh); if (IS_ERR(ifa)) return PTR_ERR(ifa); diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 825c608..bce4541 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -613,6 +613,9 @@ static int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *ar struct fib_table *tb; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = rtm_to_fib_config(net, skb, nlh, &cfg); if (err < 0) goto errout; @@ -635,6 +638,9 @@ static int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *ar struct fib_table *tb; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = rtm_to_fib_config(net, skb, nlh, &cfg); if (err < 0) goto errout; diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 6378be4..47c591d 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3369,6 +3369,9 @@ inet6_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct in6_addr *pfx; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy); if (err < 0) return err; @@ -3439,6 +3442,9 @@ inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) u8 ifa_flags; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy); if (err < 0) return err; diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c index ff76eec..b106f80 100644 --- a/net/ipv6/addrlabel.c +++ b/net/ipv6/addrlabel.c @@ -425,6 +425,9 @@ static int ip6addrlbl_newdel(struct sk_buff *skb, struct nlmsghdr *nlh, u32 label; int err = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = nlmsg_parse(nlh, sizeof(*ifal), tb, IFAL_MAX, ifal_policy); if (err < 0) return err; diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 551fb82..2a98397 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2336,6 +2336,9 @@ static int inet6_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *a struct fib6_config cfg; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = rtm_to_fib6_config(skb, nlh, &cfg); if (err < 0) return err; @@ -2348,6 +2351,9 @@ static int inet6_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *a struct fib6_config cfg; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = rtm_to_fib6_config(skb, nlh, &cfg); if (err < 0) return err; diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c index 83a8389..0193630 100644 --- a/net/phonet/pn_netlink.c +++ b/net/phonet/pn_netlink.c @@ -70,6 +70,9 @@ static int addr_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *attr) int err; u8 pnaddr; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!capable(CAP_SYS_ADMIN)) return -EPERM; @@ -230,6 +233,9 @@ static int route_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *attr) int err; u8 dst; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (!capable(CAP_SYS_ADMIN)) return -EPERM; diff --git a/net/sched/act_api.c b/net/sched/act_api.c index 102761d..65d240c 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c @@ -987,6 +987,9 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg) u32 portid = skb ? NETLINK_CB(skb).portid : 0; int ret = 0, ovr = 0; + if ((n->nlmsg_type != RTM_GETACTION) && !capable(CAP_NET_ADMIN)) + return -EPERM; + ret = nlmsg_parse(n, sizeof(struct tcamsg), tca, TCA_ACT_MAX, NULL); if (ret < 0) return ret; diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 7ae0289..ff55ed6 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -139,6 +139,8 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg) int err; int tp_created = 0; + if ((n->nlmsg_type != RTM_GETTFILTER) && !capable(CAP_NET_ADMIN)) + return -EPERM; replay: t = nlmsg_data(n); protocol = TC_H_MIN(t->tcm_info); diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index a18d975..7dae9d0 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -981,6 +981,9 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg) struct Qdisc *p = NULL; int err; + if ((n->nlmsg_type != RTM_GETQDISC) && !capable(CAP_NET_ADMIN)) + return -EPERM; + dev = __dev_get_by_index(net, tcm->tcm_ifindex); if (!dev) return -ENODEV; @@ -1044,6 +1047,9 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg) struct Qdisc *q, *p; int err; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + replay: /* Reinit, just in case something touches this. */ tcm = nlmsg_data(n); @@ -1380,6 +1386,9 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg) u32 qid = TC_H_MAJ(clid); int err; + if ((n->nlmsg_type != RTM_GETTCLASS) && !capable(CAP_NET_ADMIN)) + return -EPERM; + dev = __dev_get_by_index(net, tcm->tcm_ifindex); if (!dev) return -ENODEV;