From b51642f6d77b131dc85d1d71029c3cbb5b07c262 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Fri, 16 Nov 2012 03:03:11 +0000 Subject: [PATCH] net: Enable a userns root rtnl calls that are safe for unprivilged users - Only allow moving network devices to network namespaces you have CAP_NET_ADMIN privileges over. - Enable creating/deleting/modifying interfaces - Enable adding/deleting addresses - Enable adding/setting/deleting neighbour entries - Enable adding/removing routes - Enable adding/removing fib rules - Enable setting the forwarding state - Enable adding/removing ipv6 address labels - Enable setting bridge parameter Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller --- net/bridge/br_netlink.c | 3 --- net/core/fib_rules.c | 6 ------ net/core/neighbour.c | 9 --------- net/core/rtnetlink.c | 13 ++++--------- net/ipv4/devinet.c | 6 ------ net/ipv4/fib_frontend.c | 6 ------ net/ipv6/addrconf.c | 6 ------ net/ipv6/addrlabel.c | 3 --- net/ipv6/route.c | 6 ------ 9 files changed, 4 insertions(+), 54 deletions(-) diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index 49e14937019d..65429b99a2a3 100644 --- a/net/bridge/br_netlink.c +++ b/net/bridge/br_netlink.c @@ -240,9 +240,6 @@ int br_setlink(struct net_device *dev, struct nlmsghdr *nlh) struct nlattr *tb[IFLA_BRPORT_MAX]; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - ifm = nlmsg_data(nlh); protinfo = nlmsg_find_attr(nlh, sizeof(*ifm), IFLA_PROTINFO); diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index bf5b5b8af56e..58a4ba27dfe3 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c @@ -275,9 +275,6 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) struct nlattr *tb[FRA_MAX+1]; int err = -EINVAL, unresolved = 0; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) goto errout; @@ -427,9 +424,6 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) struct nlattr *tb[FRA_MAX+1]; int err = -EINVAL; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) goto errout; diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 7adcdaf91c4d..f1c0c2e9cad5 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1620,9 +1620,6 @@ static int neigh_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct net_device *dev = NULL; int err = -EINVAL; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - ASSERT_RTNL(); if (nlmsg_len(nlh) < sizeof(*ndm)) goto out; @@ -1687,9 +1684,6 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct net_device *dev = NULL; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - ASSERT_RTNL(); err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); if (err < 0) @@ -1968,9 +1962,6 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct nlattr *tb[NDTA_MAX+1]; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = nlmsg_parse(nlh, sizeof(*ndtmsg), tb, NDTA_MAX, nl_neightbl_policy); if (err < 0) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index a40c10b96f47..575a6ee89944 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1316,6 +1316,10 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm, err = PTR_ERR(net); goto errout; } + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) { + err = -EPERM; + goto errout; + } err = dev_change_net_namespace(dev, net, ifname); put_net(net); if (err) @@ -1547,9 +1551,6 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct nlattr *tb[IFLA_MAX+1]; char ifname[IFNAMSIZ]; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); if (err < 0) goto errout; @@ -1593,9 +1594,6 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) int err; LIST_HEAD(list_kill); - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); if (err < 0) return err; @@ -1726,9 +1724,6 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct nlattr *linkinfo[IFLA_INFO_MAX+1]; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - #ifdef CONFIG_MODULES replay: #endif diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index 298c1c279739..e13183abd7f6 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -539,9 +539,6 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg ASSERT_RTNL(); - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy); if (err < 0) goto errout; @@ -649,9 +646,6 @@ static int inet_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg ASSERT_RTNL(); - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - ifa = rtm_to_ifaddr(net, nlh); if (IS_ERR(ifa)) return PTR_ERR(ifa); diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 784716a677ce..5cd75e2dab2c 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -613,9 +613,6 @@ static int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *ar struct fib_table *tb; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = rtm_to_fib_config(net, skb, nlh, &cfg); if (err < 0) goto errout; @@ -638,9 +635,6 @@ static int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *ar struct fib_table *tb; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = rtm_to_fib_config(net, skb, nlh, &cfg); if (err < 0) goto errout; diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index d39fe490da08..fc0e13ad6337 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3514,9 +3514,6 @@ inet6_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) struct in6_addr *pfx; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy); if (err < 0) return err; @@ -3587,9 +3584,6 @@ inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) u8 ifa_flags; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy); if (err < 0) return err; diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c index b106f80be0c5..ff76eecfd622 100644 --- a/net/ipv6/addrlabel.c +++ b/net/ipv6/addrlabel.c @@ -425,9 +425,6 @@ static int ip6addrlbl_newdel(struct sk_buff *skb, struct nlmsghdr *nlh, u32 label; int err = 0; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = nlmsg_parse(nlh, sizeof(*ifal), tb, IFAL_MAX, ifal_policy); if (err < 0) return err; diff --git a/net/ipv6/route.c b/net/ipv6/route.c index a86b65599328..8f124f575116 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2446,9 +2446,6 @@ static int inet6_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *a struct fib6_config cfg; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = rtm_to_fib6_config(skb, nlh, &cfg); if (err < 0) return err; @@ -2464,9 +2461,6 @@ static int inet6_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *a struct fib6_config cfg; int err; - if (!capable(CAP_NET_ADMIN)) - return -EPERM; - err = rtm_to_fib6_config(skb, nlh, &cfg); if (err < 0) return err; -- 2.20.1