[net-next,v3,5/8] net-sysfs: require net admin in the init ns for setting tx_maxrate

Make /sys/class/net per net namespace objects belong to container

Commit Message

Tyler Hicks July 20, 2018, 9:56 p.m. UTC
An upcoming change will allow container root to open some /sys/class/net
files for writing. The tx_maxrate attribute can result in changes
to actual hardware devices so err on the side of caution by requiring
CAP_NET_ADMIN in the init namespace in the corresponding attribute store.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index ffa1d18f2c2c..405c41ecb20b 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1087,6 +1087,9 @@  static ssize_t tx_maxrate_store(struct netdev_queue *queue,
 	int err, index = get_netdev_queue_index(queue);
 	u32 rate = 0;
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
 	err = kstrtou32(buf, 10, &rate);
 	if (err < 0)
 		return err;
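Review bot: the new `capable(CAP_NET_ADMIN)` check at the top of `tx_maxrate_store()` is evaluated against the init user namespace, which matches what the commit message asks for, but the reason (this attribute can reprogram real hardware, so a container's own CAP_NET_ADMIN is deliberately not enough) lives only in the commit message; a one-line comment above the check would stop a later reader from "fixing" it to an `ns_capable()` variant when the rest of the series moves these files into the container's namespace. Placing the early `return -EPERM` before `kstrtou32()` is the right ordering: an unprivileged writer is rejected before any of its input is parsed.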