[RHEL7,COMMIT] ve/net: partially return ms permission check for ethtool commands

Submitted by Konstantin Khorenko on Jan. 18, 2018, 4:21 p.m.

Details

Message ID 201801181621.w0IGLOki028347@finist_ce7.work
State New
Series "ve/net: partially return ms permission check for ethtool commands"
Headers show

Commit Message

Konstantin Khorenko Jan. 18, 2018, 4:21 p.m.
The commit is pushed to "branch-rh7-3.10.0-693.11.6.vz7.42.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.11.6.vz7.42.1
------>
commit 84f9fd333e792af04d58d4f94bb669c138e88063
Author: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date:   Thu Jan 18 19:21:24 2018 +0300

    ve/net: partially return ms permission check for ethtool commands
    
    "!ve_capable(CAP_NET_ADMIN)" does not actually cover some cases which
    "!ns_capable(net->user_ns, CAP_NET_ADMIN)" covered, because if net
    namespace is from host the latter gives us EPERM if we are from CT, but
    the former will allow access for CT root.
    
    The change is fine as:
    
    >From host's security perspective if CT root has permission to do
    SIOCETHTOOL, there is no problem if any other CT user has same
    permission, if CT root can't exploit host, CT user can't either.
    
    >From CT's security perspective we return mainstream behaviour, so
    everything will work as on host.
    
    Fixes commit 2ba8a5be623f ("ve/net: restrict ethtool to CT root userns
    and prohibit EEPROM change")
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 net/core/ethtool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 09174ff01df4..d1f40ee14cf2 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2425,7 +2425,7 @@  int dev_ethtool(struct net *net, struct ifreq *ifr)
 		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
 	default:
-		if (!ve_capable(CAP_NET_ADMIN))
+		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
 			return -EPERM;
 	}