[Devel] [PATCH RH7] ve/net: partially return ms permission check for ethtool commands

[Pavel Tikhomirov]

"!ve_capable(CAP_NET_ADMIN)" does not actually cover some cases which
"!ns_capable(net->user_ns, CAP_NET_ADMIN)" covered, because if net
namespace is from host the latter gives us EPERM if we are from CT, but
the former will allow access for CT root.

The change is fine as:

>From host's security perspective if CT root has permission to do
SIOCETHTOOL, there is no problem if any other CT user has same
permission, if CT root can't exploit host, CT user can't either.

>From CT's security perspective we return mainstream behaviour, so
everything will work as on host.

Fixes commit 2ba8a5be623f ("ve/net: restrict ethtool to CT root userns
and prohibit EEPROM change")

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/core/ethtool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 09174ff01df4..d1f40ee14cf2 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2425,7 +2425,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
 		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
 	default:
-		if (!ve_capable(CAP_NET_ADMIN))
+		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 	}
 
-- 
2.14.3