[Devel] [PATCH RH7] ve/net: partially return ms permission check for ethtool commands

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Wed Jan 17 18:37:53 MSK 2018


"!ve_capable(CAP_NET_ADMIN)" does not actually cover some cases which
"!ns_capable(net->user_ns, CAP_NET_ADMIN)" covered, because if net
namespace is from host the latter gives us EPERM if we are from CT, but
the former will allow access for CT root.

The change is fine as:

>From host's security perspective if CT root has permission to do
SIOCETHTOOL, there is no problem if any other CT user has same
permission, if CT root can't exploit host, CT user can't either.

>From CT's security perspective we return mainstream behaviour, so
everything will work as on host.

Fixes commit 2ba8a5be623f ("ve/net: restrict ethtool to CT root userns
and prohibit EEPROM change")

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/core/ethtool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 09174ff01df4..d1f40ee14cf2 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2425,7 +2425,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
 		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
 	default:
-		if (!ve_capable(CAP_NET_ADMIN))
+		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 	}
 
-- 
2.14.3



More information about the Devel mailing list