Commit df008c91 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by David S. Miller

net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm

Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

Allow creation of af_key sockets.
Allow creation of llc sockets.
Allow creation of af_packet sockets.

Allow sending xfrm netlink control messages.

Allow binding to netlink multicast groups.
Allow sending to netlink multicast groups.
Allow adding and dropping netlink multicast groups.
Allow sending to all netlink multicast groups and port ids.

Allow reading the netfilter SO_IP_SET socket option.
Allow sending netfilter netlink messages.
Allow setting and getting ip_vs netfilter socket options.
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent af31f412
...@@ -141,7 +141,7 @@ static int pfkey_create(struct net *net, struct socket *sock, int protocol, ...@@ -141,7 +141,7 @@ static int pfkey_create(struct net *net, struct socket *sock, int protocol,
struct sock *sk; struct sock *sk;
int err; int err;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
if (sock->type != SOCK_RAW) if (sock->type != SOCK_RAW)
return -ESOCKTNOSUPPORT; return -ESOCKTNOSUPPORT;
......
...@@ -160,7 +160,7 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol, ...@@ -160,7 +160,7 @@ static int llc_ui_create(struct net *net, struct socket *sock, int protocol,
struct sock *sk; struct sock *sk;
int rc = -ESOCKTNOSUPPORT; int rc = -ESOCKTNOSUPPORT;
if (!capable(CAP_NET_RAW)) if (!ns_capable(net->user_ns, CAP_NET_RAW))
return -EPERM; return -EPERM;
if (!net_eq(net, &init_net)) if (!net_eq(net, &init_net))
......
...@@ -1643,7 +1643,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len) ...@@ -1643,7 +1643,7 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
void *data; void *data;
int copylen = *len, ret = 0; int copylen = *len, ret = 0;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
if (optval != SO_IP_SET) if (optval != SO_IP_SET)
return -EBADF; return -EBADF;
......
...@@ -2339,7 +2339,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) ...@@ -2339,7 +2339,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
struct ip_vs_dest_user_kern udest; struct ip_vs_dest_user_kern udest;
struct netns_ipvs *ipvs = net_ipvs(net); struct netns_ipvs *ipvs = net_ipvs(net);
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX) if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
...@@ -2632,7 +2632,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) ...@@ -2632,7 +2632,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct netns_ipvs *ipvs = net_ipvs(net); struct netns_ipvs *ipvs = net_ipvs(net);
BUG_ON(!net); BUG_ON(!net);
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX) if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
......
...@@ -138,7 +138,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -138,7 +138,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
const struct nfnetlink_subsystem *ss; const struct nfnetlink_subsystem *ss;
int type, err; int type, err;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
/* All the messages must at least contain nfgenmsg */ /* All the messages must at least contain nfgenmsg */
......
...@@ -612,7 +612,7 @@ static int netlink_autobind(struct socket *sock) ...@@ -612,7 +612,7 @@ static int netlink_autobind(struct socket *sock)
static inline int netlink_capable(const struct socket *sock, unsigned int flag) static inline int netlink_capable(const struct socket *sock, unsigned int flag)
{ {
return (nl_table[sock->sk->sk_protocol].flags & flag) || return (nl_table[sock->sk->sk_protocol].flags & flag) ||
capable(CAP_NET_ADMIN); ns_capable(sock_net(sock->sk)->user_ns, CAP_NET_ADMIN);
} }
static void static void
......
...@@ -2504,7 +2504,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, ...@@ -2504,7 +2504,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
__be16 proto = (__force __be16)protocol; /* weird, but documented */ __be16 proto = (__force __be16)protocol; /* weird, but documented */
int err; int err;
if (!capable(CAP_NET_RAW)) if (!ns_capable(net->user_ns, CAP_NET_RAW))
return -EPERM; return -EPERM;
if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW && if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&
sock->type != SOCK_PACKET) sock->type != SOCK_PACKET)
......
...@@ -2349,7 +2349,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -2349,7 +2349,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
link = &xfrm_dispatch[type]; link = &xfrm_dispatch[type];
/* All operations require privileges, even GET */ /* All operations require privileges, even GET */
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) || if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment