Commit b51642f

ebiedermdavem330
authored andcommitted
net: Enable a userns root rtnl calls that are safe for unprivilged users
- Only allow moving network devices to network namespaces you have CAP_NET_ADMIN privileges over.
- Enable creating/deleting/modifying interfaces
- Enable adding/deleting addresses
- Enable adding/setting/deleting neighbour entries
- Enable adding/removing routes
- Enable adding/removing fib rules
- Enable setting the forwarding state
- Enable adding/removing ipv6 address labels
- Enable setting bridge parameter

Signed-off-by: "Eric W. Biederman" <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
1 parent c027aab commit b51642f


9 files changed

+4
-54
lines changed


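--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -240,9 +240,6 @@ int br_setlink(struct net_device *dev, struct nlmsghdr *nlh)
 struct nlattr *tb[IFLA_BRPORT_MAX];
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 ifm = nlmsg_data(nlh);
 
 protinfo = nlmsg_find_attr(nlh, sizeof(*ifm), IFLA_PROTINFO);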
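Review bot: The capable(CAP_NET_ADMIN) guard is removed from br_setlink with no replacement visible in this hunk, and the same removal is made in fib_nl_newrule/fib_nl_delrule (net/core/fib_rules.c), neigh_delete/neigh_add/neightbl_set (net/core/neighbour.c), rtnl_setlink/rtnl_dellink/rtnl_newlink (net/core/rtnetlink.c), inet_rtm_deladdr/inet_rtm_newaddr (net/ipv4/devinet.c), inet_rtm_delroute/inet_rtm_newroute (net/ipv4/fib_frontend.c), inet6_rtm_deladdr/inet6_rtm_newaddr (net/ipv6/addrconf.c), ip6addrlbl_newdel (net/ipv6/addrlabel.c) and inet6_rtm_delroute/inet6_rtm_newroute (net/ipv6/route.c). Dropping these checks is only safe if every path into the handlers already performs a per-namespace privilege test (presumably an ns_capable(net->user_ns, CAP_NET_ADMIN) check in the rtnetlink dispatcher), which is neither part of this diff nor named in the description. I would state that dependency explicitly in the commit message and leave a one-line comment where each guard used to be, e.g. `/* CAP_NET_ADMIN over this netns is enforced by the rtnetlink dispatcher before we are called */`, so that a handler later reached from a path other than the dispatcher does not silently lose its authorization check. br_setlink begins before this hunk and continues after it.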

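--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -275,9 +275,6 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 struct nlattr *tb[FRA_MAX+1];
 int err = -EINVAL, unresolved = 0;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
 goto errout;
 
@@ -427,9 +424,6 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 struct nlattr *tb[FRA_MAX+1];
 int err = -EINVAL;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
 goto errout;
 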

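--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1620,9 +1620,6 @@ static int neigh_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 struct net_device *dev = NULL;
 int err = -EINVAL;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 ASSERT_RTNL();
 if (nlmsg_len(nlh) < sizeof(*ndm))
 goto out;
@@ -1687,9 +1684,6 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 struct net_device *dev = NULL;
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 ASSERT_RTNL();
 err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL);
 if (err < 0)
@@ -1968,9 +1962,6 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 struct nlattr *tb[NDTA_MAX+1];
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = nlmsg_parse(nlh, sizeof(*ndtmsg), tb, NDTA_MAX,
 nl_neightbl_policy);
 if (err < 0)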

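--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1316,6 +1316,10 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 err = PTR_ERR(net);
 goto errout;
 }
+if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+err = -EPERM;
+goto errout;
+}
 err = dev_change_net_namespace(dev, net, ifname);
 put_net(net);
 if (err)
@@ -1547,9 +1551,6 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 struct nlattr *tb[IFLA_MAX+1];
 char ifname[IFNAMSIZ];
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy);
 if (err < 0)
 goto errout;
@@ -1593,9 +1594,6 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 int err;
 LIST_HEAD(list_kill);
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy);
 if (err < 0)
 return err;
@@ -1726,9 +1724,6 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 struct nlattr *linkinfo[IFLA_INFO_MAX+1];
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 #ifdef CONFIG_MODULES
 replay:
 #endif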
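Review bot: The new ns_capable() failure path in do_setlink (first hunk, new line 1319) jumps to errout without releasing net, while the existing path three lines below calls put_net(net) right after dev_change_net_namespace(); if net was obtained with a reference held — the PTR_ERR handling above and the put_net on the success path suggest it was — the -EPERM path leaks that reference, and an unprivileged caller can trigger it at will. The block should drop the reference before bailing out: `if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {` / `put_net(net); err = -EPERM;` / `goto errout; }`. The lines that obtain net sit before the hunk and do_setlink continues past it, so confirm against the full function that no other cleanup of net happens under errout.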

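--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -539,9 +539,6 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg
 
 ASSERT_RTNL();
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy);
 if (err < 0)
 goto errout;
@@ -649,9 +646,6 @@ static int inet_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg
 
 ASSERT_RTNL();
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 ifa = rtm_to_ifaddr(net, nlh);
 if (IS_ERR(ifa))
 return PTR_ERR(ifa);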

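--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -613,9 +613,6 @@ static int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *ar
 struct fib_table *tb;
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = rtm_to_fib_config(net, skb, nlh, &cfg);
 if (err < 0)
 goto errout;
@@ -638,9 +635,6 @@ static int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *ar
 struct fib_table *tb;
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = rtm_to_fib_config(net, skb, nlh, &cfg);
 if (err < 0)
 goto errout;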

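--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3514,9 +3514,6 @@ inet6_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 struct in6_addr *pfx;
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy);
 if (err < 0)
 return err;
@@ -3587,9 +3584,6 @@ inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 u8 ifa_flags;
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy);
 if (err < 0)
 return err;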

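--- a/net/ipv6/addrlabel.c
+++ b/net/ipv6/addrlabel.c
@@ -425,9 +425,6 @@ static int ip6addrlbl_newdel(struct sk_buff *skb, struct nlmsghdr *nlh,
 u32 label;
 int err = 0;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = nlmsg_parse(nlh, sizeof(*ifal), tb, IFAL_MAX, ifal_policy);
 if (err < 0)
 return err;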

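--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2446,9 +2446,6 @@ static int inet6_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *a
 struct fib6_config cfg;
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = rtm_to_fib6_config(skb, nlh, &cfg);
 if (err < 0)
 return err;
@@ -2464,9 +2461,6 @@ static int inet6_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *a
 struct fib6_config cfg;
 int err;
 
-if (!capable(CAP_NET_ADMIN))
-return -EPERM;
-
 err = rtm_to_fib6_config(skb, nlh, &cfg);
 if (err < 0)
 return err;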
