[Devel] [PATCH RHEL7 COMMIT] ve/net: partially return ms permission check for ethtool commands
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Jan 18 19:21:24 MSK 2018
The commit is pushed to "branch-rh7-3.10.0-693.11.6.vz7.42.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.11.6.vz7.42.1
------>
commit 84f9fd333e792af04d58d4f94bb669c138e88063
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Thu Jan 18 19:21:24 2018 +0300
ve/net: partially return ms permission check for ethtool commands
"!ve_capable(CAP_NET_ADMIN)" does not actually cover some cases which
"!ns_capable(net->user_ns, CAP_NET_ADMIN)" covered, because if the net
namespace belongs to the host, the latter gives us EPERM if we are in a CT, but
the former will allow access for CT root.
The change is fine as:
From the host's security perspective, if CT root has permission to do
SIOCETHTOOL, there is no problem if any other CT user has the same
permission: if CT root can't exploit the host, a CT user can't either.
From the CT's security perspective we return mainstream behaviour, so
everything will work as on the host.
Fixes commit 2ba8a5be623f ("ve/net: restrict ethtool to CT root userns
and prohibit EEPROM change")
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
net/core/ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 09174ff01df4..d1f40ee14cf2 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2425,7 +2425,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
if (!capable(CAP_NET_ADMIN))
return -EPERM;
default:
- if (!ve_capable(CAP_NET_ADMIN))
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
}
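Review bot: The `default:` branch now uses `ns_capable(net->user_ns, CAP_NET_ADMIN)` while the case immediately above it (visible context) still uses the init-namespace `capable(CAP_NET_ADMIN)`, so the two branches of the same switch enforce different strengths of check; since the subject says "partially", it would help to state in the commit message that the stricter `capable()` check on the preceding case (the restriction introduced by 2ba8a5be623f) is intentionally kept, rather than leaving a reader to infer it from the hunk. Also note that `net` here is the namespace the ioctl arrived on, so the new check grants CT root only when its user namespace owns that net namespace and returns -EPERM for a CT process acting on a host-owned namespace, which is the behaviour the message describes; a one-line mention of that in the message would make the reasoning self-contained.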