Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit af31f412 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by David S. Miller
Browse files

net: Allow userns root to control ipv6 



Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

Settings that merely control a single network device are allowed.
Either the network device is a logical network device where
restrictions make no difference or the network device is hardware NIC
that has been explicity moved from the initial network namespace.

In general policy and network stack state changes are allowed while
resource control is left unchanged.

Allow the SIOCSIFADDR ioctl to add ipv6 addresses.
Allow the SIOCDIFADDR ioctl to delete ipv6 addresses.
Allow the SIOCADDRT ioctl to add ipv6 routes.
Allow the SIOCDELRT ioctl to delete ipv6 routes.

Allow creation of ipv6 raw sockets.

Allow setting the IPV6_JOIN_ANYCAST socket option.
Allow setting the IPV6_FL_A_RENEW parameter of the IPV6_FLOWLABEL_MGR
socket option.

Allow setting the IPV6_TRANSPARENT socket option.
Allow setting the IPV6_HOPOPTS socket option.
Allow setting the IPV6_RTHDRDSTOPTS socket option.
Allow setting the IPV6_DSTOPTS socket option.
Allow setting the IPV6_IPSEC_POLICY socket option.
Allow setting the IPV6_XFRM_POLICY socket option.

Allow sending packets with the IPV6_2292HOPOPTS control message.
Allow sending packets with the IPV6_2292DSTOPTS control message.
Allow sending packets with the IPV6_RTHDRDSTOPTS control message.

Allow setting the multicast routing socket options on non multicast
routing sockets.

Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, and SIOCDELTUNNEL ioctls for
setting up, changing and deleting tunnels over ipv6.

Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, SIOCDELTUNNEL ioctls for
setting up, changing and deleting ipv6 over ipv4 tunnels.

Allow the SIOCADDPRL, SIOCDELPRL, SIOCCHGPRL ioctls for adding,
deleting, and changing the potential router list for ISATAP tunnels.

Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 52e804c6

net/ipv6/addrconf.c

+2 −2
Original line number Diff line number Diff line
@@ -2413,7 +2413,7 @@ int addrconf_add_ifaddr(struct net *net, void __user *arg) 
	struct in6_ifreq ireq;

	int err;



	if (!capable(CAP_NET_ADMIN))

	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))

		return -EPERM;



	if (copy_from_user(&ireq, arg, sizeof(struct in6_ifreq)))
@@ -2432,7 +2432,7 @@ int addrconf_del_ifaddr(struct net *net, void __user *arg) 
	struct in6_ifreq ireq;

	int err;



	if (!capable(CAP_NET_ADMIN))

	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))

		return -EPERM;



	if (copy_from_user(&ireq, arg, sizeof(struct in6_ifreq)))

net/ipv6/af_inet6.c

+2 −1
Original line number Diff line number Diff line
@@ -160,7 +160,8 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol, 
	}



	err = -EPERM;

	if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))

	if (sock->type == SOCK_RAW && !kern &&

	    !ns_capable(net->user_ns, CAP_NET_RAW))

		goto out_rcu_unlock;



	sock->ops = answer->ops;

net/ipv6/anycast.c

+1 −1
Original line number Diff line number Diff line
@@ -64,7 +64,7 @@ int ipv6_sock_ac_join(struct sock *sk, int ifindex, const struct in6_addr *addr) 
	int	ishost = !net->ipv6.devconf_all->forwarding;

	int	err = 0;



	if (!capable(CAP_NET_ADMIN))

	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))

		return -EPERM;

	if (ipv6_addr_is_multicast(addr))

		return -EINVAL;

net/ipv6/datagram.c

+3 −3
Original line number Diff line number Diff line
@@ -701,7 +701,7 @@ int datagram_send_ctl(struct net *net, struct sock *sk, 
				err = -EINVAL;

				goto exit_f;

			}

			if (!capable(CAP_NET_RAW)) {

			if (!ns_capable(net->user_ns, CAP_NET_RAW)) {

				err = -EPERM;

				goto exit_f;

			}
@@ -721,7 +721,7 @@ int datagram_send_ctl(struct net *net, struct sock *sk, 
				err = -EINVAL;

				goto exit_f;

			}

			if (!capable(CAP_NET_RAW)) {

			if (!ns_capable(net->user_ns, CAP_NET_RAW)) {

				err = -EPERM;

				goto exit_f;

			}
@@ -746,7 +746,7 @@ int datagram_send_ctl(struct net *net, struct sock *sk, 
				err = -EINVAL;

				goto exit_f;

			}

			if (!capable(CAP_NET_RAW)) {

			if (!ns_capable(net->user_ns, CAP_NET_RAW)) {

				err = -EPERM;

				goto exit_f;

			}

net/ipv6/ip6_flowlabel.c

+2 −1
Original line number Diff line number Diff line
@@ -519,7 +519,8 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen) 
		}

		read_unlock_bh(&ip6_sk_fl_lock);



		if (freq.flr_share == IPV6_FL_S_NONE && capable(CAP_NET_ADMIN)) {

		if (freq.flr_share == IPV6_FL_S_NONE &&

		    ns_capable(net->user_ns, CAP_NET_ADMIN)) {

			fl = fl_lookup(net, freq.flr_label);

			if (fl) {

				err = fl6_renew(fl, freq.flr_linger, freq.flr_expires);