From patchwork Fri Jul 20 21:56:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tyler Hicks X-Patchwork-Id: 947236 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41XPs41KGQz9s7X for ; Sat, 21 Jul 2018 07:58:16 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731696AbeGTWrw (ORCPT ); Fri, 20 Jul 2018 18:47:52 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:37645 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728214AbeGTWrw (ORCPT ); Fri, 20 Jul 2018 18:47:52 -0400 Received: from 2.general.tyhicks.us.vpn ([10.172.64.53] helo=sec.l.tihix.com) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1fgdP8-0004ZT-Lf; Fri, 20 Jul 2018 21:57:38 +0000 From: Tyler Hicks To: Greg Kroah-Hartman , Tejun Heo , "David S. Miller" , Stephen Hemminger Cc: Dmitry Torokhov , "Eric W. Biederman" , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, bridge@lists.linux-foundation.org, Linux Containers Subject: [PATCH net-next v3 5/8] net-sysfs: require net admin in the init ns for setting tx_maxrate Date: Fri, 20 Jul 2018 21:56:51 +0000 Message-Id: <1532123814-1109-6-git-send-email-tyhicks@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1532123814-1109-1-git-send-email-tyhicks@canonical.com> References: <1532123814-1109-1-git-send-email-tyhicks@canonical.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org An upcoming change will allow container root to open some /sys/class/net files for writing. The tx_maxrate attribute can result in changes to actual hardware devices so err on the side of caution by requiring CAP_NET_ADMIN in the init namespace in the corresponding attribute store operation. Signed-off-by: Tyler Hicks --- net/core/net-sysfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index ffa1d18f2c2c..405c41ecb20b 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -1087,6 +1087,9 @@ static ssize_t tx_maxrate_store(struct netdev_queue *queue, int err, index = get_netdev_queue_index(queue); u32 rate = 0; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + err = kstrtou32(buf, 10, &rate); if (err < 0) return err;