[net,2/2] net: Verify permission to link_net in newlink

Message ID	877fv4mi20.fsf_-_@x220.int.ebiederm.org
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: ebiederm@xmission.com (Eric W. Biederman) To: David Miller <davem@davemloft.net> Cc: Eugene Yakubovich <eugene.yakubovich@coreos.com>, netdev@vger.kernel.org, nicolas.dichtel@6wind.com References: <CAOYZPENnpPP-N-ST3xYE7vcCFhbNd-FMKj9OvBebYSMu42OdaQ@mail.gmail.com> <54EDF7BB.2060809@6wind.com> <871tldstju.fsf_-_@x220.int.ebiederm.org> <54EEDF9C.20302@6wind.com> <87wq34okb9.fsf@x220.int.ebiederm.org> <54EF3338.8000409@6wind.com> <87egpcmi3v.fsf_-_@x220.int.ebiederm.org> Date: Thu, 26 Feb 2015 16:20:07 -0600 In-Reply-To: <87egpcmi3v.fsf_-_@x220.int.ebiederm.org> (Eric W. Biederman's message of "Thu, 26 Feb 2015 16:19:00 -0600") Message-ID: <877fv4mi20.fsf_-_@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject parse: 1.13 (0.9%), extract_message_metadata: 11 (8.7%), get_uri_detail_list: 1.28 (1.0%), tests_pri_-1000: 4.4 (3.5%), tests_pri_-950: 1.01 (0.8%), tests_pri_-900: 0.84 (0.7%), tests_pri_-400: 13 (10.4%), check_bayes: 12 (9.7%), b_tokenize: 3.4 (2.7%), b_tok_get_all: 4.0 (3.2%), b_comp_prob: 1.09 (0.9%), b_tok_touch_all: 2.0 (1.6%), b_finish: 0.60 (0.5%), tests_pri_0: 84 (66.1%), tests_pri_500: 4.3 (3.4%), rewrite_mail: 0.00 (0.0%) Subject: [PATCH net 2/2] net: Verify permission to link_net in newlink Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

877fv4mi20.fsf_-_@x220.int.ebiederm.org

State

Accepted, archived

Delegated to:

David Miller

Headers

From: ebiederm@xmission.com (Eric W. Biederman)
To: David Miller <davem@davemloft.net>
Cc: Eugene Yakubovich <eugene.yakubovich@coreos.com>,
	netdev@vger.kernel.org, nicolas.dichtel@6wind.com
References: <CAOYZPENnpPP-N-ST3xYE7vcCFhbNd-FMKj9OvBebYSMu42OdaQ@mail.gmail.com>
	<54EDF7BB.2060809@6wind.com>
	<871tldstju.fsf_-_@x220.int.ebiederm.org>
	<54EEDF9C.20302@6wind.com> <87wq34okb9.fsf@x220.int.ebiederm.org>
	<54EF3338.8000409@6wind.com>
	<87egpcmi3v.fsf_-_@x220.int.ebiederm.org>
Date: Thu, 26 Feb 2015 16:20:07 -0600
In-Reply-To: <87egpcmi3v.fsf_-_@x220.int.ebiederm.org> (Eric W. Biederman's
	message of "Thu, 26 Feb 2015 16:19:00 -0600")
Message-ID: <877fv4mi20.fsf_-_@x220.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Subject: [PATCH net 2/2] net: Verify permission to link_net in newlink
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Eric W. Biederman Feb. 26, 2015, 10:20 p.m. UTC

When applicable verify that the caller has permisson to the underlying
network namespace for a newly created network device.

Similary checks exist for the network namespace a network device will
be created in.

Fixes: v4.0-rc1
Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
 net/core/rtnetlink.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Nicolas Dichtel Feb. 27, 2015, 9:03 a.m. UTC | #1

Le 26/02/2015 23:20, Eric W. Biederman a écrit :
>
> When applicable verify that the caller has permisson to the underlying
> network namespace for a newly created network device.
>
> Similary checks exist for the network namespace a network device will
> be created in.
>
> Fixes: v4.0-rc1
Fixes: 317f4810e45e ("rtnl: allow to create device with IFLA_LINK_NETNSID set")
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

David Miller Feb. 28, 2015, 8:15 p.m. UTC | #2

From: ebiederm@xmission.com (Eric W. Biederman)
Date: Thu, 26 Feb 2015 16:20:07 -0600

> When applicable verify that the caller has permisson to the underlying
> network namespace for a newly created network device.
> 
> Similary checks exist for the network namespace a network device will
> be created in.
> 
> Fixes: v4.0-rc1
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 155e675f656c..0a0b1c081d68 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2134,6 +2134,9 @@  replay:
 				err =  -EINVAL;
 				goto out;
 			}
+			err = -EPERM;
+			if (!netlink_ns_capable(skb, link_net->user_ns, CAP_NET_ADMIN))
+				goto out;
 		}
 
 		dev = rtnl_create_link(link_net ? : dest_net, ifname,

[net,2/2] net: Verify permission to link_net in newlink

Commit Message

Comments

Patch