[RH7] ve/net: partially return ms permission check for ethtool commands

Submitted by Pavel Tikhomirov on Jan. 17, 2018, 3:37 p.m.


Message ID 20180117153753.24883-1-ptikhomirov@virtuozzo.com
State New
Series "ve/net: partially return ms permission check for ethtool commands"
Headers show

Commit Message

Pavel Tikhomirov Jan. 17, 2018, 3:37 p.m.
"!ve_capable(CAP_NET_ADMIN)" does not actually cover some cases which
"!ns_capable(net->user_ns, CAP_NET_ADMIN)" covered, because if net
namespace is from host the latter gives us EPERM if we are from CT, but
the former will allow access for CT root.

The change is fine as:

From host's security perspective if CT root has permission to do
SIOCETHTOOL, there is no problem if any other CT user has same
permission, if CT root can't exploit host, CT user can't either.

From CT's security perspective we return mainstream behaviour, so
everything will work as on host.

Fixes commit 2ba8a5be623f ("ve/net: restrict ethtool to CT root userns
and prohibit EEPROM change")

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
 net/core/ethtool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 09174ff01df4..d1f40ee14cf2 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2425,7 +2425,7 @@  int dev_ethtool(struct net *net, struct ifreq *ifr)
 		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
-		if (!ve_capable(CAP_NET_ADMIN))
+		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 			return -EPERM;