[Devel] [PATCH RHEL7 COMMIT] ms/crypto: user - Allow CRYPTO_MSG_GETALG without CAP_NET_ADMIN

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 15 20:05:42 MSK 2023


The commit is pushed to "branch-rh7-3.10.0-1160.90.1.vz7.200.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.90.1.vz7.200.1
------>
commit 7ead7aeed4643f7dbd3b28af5892c088a111b4ac
Author: Matthias-Christian Ott <ott at mirix.org>
Date:   Thu May 8 21:58:12 2014 +0800

    ms/crypto: user - Allow CRYPTO_MSG_GETALG without CAP_NET_ADMIN
    
    CRYPTO_USER requires CAP_NET_ADMIN for all operations. Most information
    provided by CRYPTO_MSG_GETALG is also accessible through /proc/modules
    and AF_ALG. CRYPTO_MSG_GETALG should not require CAP_NET_ADMIN so that
    processes without CAP_NET_ADMIN can use CRYPTO_MSG_GETALG to get cipher
    details, such as cipher priorities, for AF_ALG.
    
    Signed-off-by: Matthias-Christian Ott <ott at mirix.org>
    Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
    
    https://jira.vzint.dev/browse/PSBM-147375
    
    (cherry picked from ms commit c568398aa05f852592d0e2b1dc893e6c5c14971c)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 crypto/crypto_user.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
index e14b4fb69af4..1591d052db3f 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -330,6 +330,9 @@ static int crypto_update_alg(struct sk_buff *skb, struct nlmsghdr *nlh,
 	struct nlattr *priority = attrs[CRYPTOCFGA_PRIORITY_VAL];
 	LIST_HEAD(list);
 
+	if (!netlink_capable(skb, CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (!null_terminated(p->cru_name) || !null_terminated(p->cru_driver_name))
 		return -EINVAL;
 
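Review bot: The CAP_NET_ADMIN check at the top of crypto_update_alg is the first of three identical copies in this patch (crypto_del_alg and crypto_add_alg get the same two lines), so the privilege requirement now depends on every state-changing handler remembering to include it. Consider a per-entry flag in crypto_dispatch, or at least a short comment above the check saying that handlers which modify state must call netlink_capable() themselves. The placement ahead of the null_terminated() tests is right, since an unprivileged caller is rejected before any of its payload is examined.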
@@ -360,6 +363,9 @@ static int crypto_del_alg(struct sk_buff *skb, struct nlmsghdr *nlh,
 	struct crypto_alg *alg;
 	struct crypto_user_alg *p = nlmsg_data(nlh);
 
+	if (!netlink_capable(skb, CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (!null_terminated(p->cru_name) || !null_terminated(p->cru_driver_name))
 		return -EINVAL;
 
@@ -444,6 +450,9 @@ static int crypto_add_alg(struct sk_buff *skb, struct nlmsghdr *nlh,
 	struct crypto_user_alg *p = nlmsg_data(nlh);
 	struct nlattr *priority = attrs[CRYPTOCFGA_PRIORITY_VAL];
 
+	if (!netlink_capable(skb, CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (!null_terminated(p->cru_name) || !null_terminated(p->cru_driver_name))
 		return -EINVAL;
 
@@ -532,9 +541,6 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	type -= CRYPTO_MSG_BASE;
 	link = &crypto_dispatch[type];
 
-	if (!netlink_capable(skb, CAP_NET_ADMIN))
-		return -EPERM;
-
 	if ((type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE) &&
 	    (nlh->nlmsg_flags & NLM_F_DUMP))) {
 		struct crypto_alg *alg;
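Review bot: Removing the check from crypto_user_rcv_msg turns the dispatcher from deny-by-default into allow-by-default: any crypto_dispatch entry other than the three handlers patched above is now reachable without CAP_NET_ADMIN, including the NLM_F_DUMP branch of CRYPTO_MSG_GETALG that follows directly. The dispatch table is not part of this diff, so please confirm that it has no other state-changing entries, and that everything the GETALG report path returns is acceptable for unprivileged readers, given that the commit message says only "most" of that information is available elsewhere. An alternative that keeps the default closed is to leave the check here and skip it only when `type == (CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE)`.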

