Commit cb990503 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by David S. Miller

net: Allow userns root to control the network bridge code.

Allow an unpriviled user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

Allow setting bridge paramters via sysfs.

Allow all of the bridge ioctls:
BRCTL_ADD_IF
BRCTL_DEL_IF
BRCTL_SET_BRDIGE_FORWARD_DELAY
BRCTL_SET_BRIDGE_HELLO_TIME
BRCTL_SET_BRIDGE_MAX_AGE
BRCTL_SET_BRIDGE_AGING_TIME
BRCTL_SET_BRIDGE_STP_STATE
BRCTL_SET_BRIDGE_PRIORITY
BRCTL_SET_PORT_PRIORITY
BRCTL_SET_PATH_COST
BRCTL_ADD_BRIDGE
BRCTL_DEL_BRDIGE
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent df008c91
...@@ -85,13 +85,14 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf, ...@@ -85,13 +85,14 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf,
/* called with RTNL */ /* called with RTNL */
static int add_del_if(struct net_bridge *br, int ifindex, int isadd) static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
{ {
struct net *net = dev_net(br->dev);
struct net_device *dev; struct net_device *dev;
int ret; int ret;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
dev = __dev_get_by_index(dev_net(br->dev), ifindex); dev = __dev_get_by_index(net, ifindex);
if (dev == NULL) if (dev == NULL)
return -EINVAL; return -EINVAL;
...@@ -178,25 +179,25 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) ...@@ -178,25 +179,25 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
} }
case BRCTL_SET_BRIDGE_FORWARD_DELAY: case BRCTL_SET_BRIDGE_FORWARD_DELAY:
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
return br_set_forward_delay(br, args[1]); return br_set_forward_delay(br, args[1]);
case BRCTL_SET_BRIDGE_HELLO_TIME: case BRCTL_SET_BRIDGE_HELLO_TIME:
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
return br_set_hello_time(br, args[1]); return br_set_hello_time(br, args[1]);
case BRCTL_SET_BRIDGE_MAX_AGE: case BRCTL_SET_BRIDGE_MAX_AGE:
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
return br_set_max_age(br, args[1]); return br_set_max_age(br, args[1]);
case BRCTL_SET_AGEING_TIME: case BRCTL_SET_AGEING_TIME:
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
br->ageing_time = clock_t_to_jiffies(args[1]); br->ageing_time = clock_t_to_jiffies(args[1]);
...@@ -236,14 +237,14 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) ...@@ -236,14 +237,14 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
} }
case BRCTL_SET_BRIDGE_STP_STATE: case BRCTL_SET_BRIDGE_STP_STATE:
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
br_stp_set_enabled(br, args[1]); br_stp_set_enabled(br, args[1]);
return 0; return 0;
case BRCTL_SET_BRIDGE_PRIORITY: case BRCTL_SET_BRIDGE_PRIORITY:
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
spin_lock_bh(&br->lock); spin_lock_bh(&br->lock);
...@@ -256,7 +257,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) ...@@ -256,7 +257,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
struct net_bridge_port *p; struct net_bridge_port *p;
int ret; int ret;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
spin_lock_bh(&br->lock); spin_lock_bh(&br->lock);
...@@ -273,7 +274,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) ...@@ -273,7 +274,7 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
struct net_bridge_port *p; struct net_bridge_port *p;
int ret; int ret;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
spin_lock_bh(&br->lock); spin_lock_bh(&br->lock);
...@@ -330,7 +331,7 @@ static int old_deviceless(struct net *net, void __user *uarg) ...@@ -330,7 +331,7 @@ static int old_deviceless(struct net *net, void __user *uarg)
{ {
char buf[IFNAMSIZ]; char buf[IFNAMSIZ];
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
if (copy_from_user(buf, (void __user *)args[1], IFNAMSIZ)) if (copy_from_user(buf, (void __user *)args[1], IFNAMSIZ))
...@@ -360,7 +361,7 @@ int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *uar ...@@ -360,7 +361,7 @@ int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *uar
{ {
char buf[IFNAMSIZ]; char buf[IFNAMSIZ];
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
if (copy_from_user(buf, uarg, IFNAMSIZ)) if (copy_from_user(buf, uarg, IFNAMSIZ))
......
...@@ -37,7 +37,7 @@ static ssize_t store_bridge_parm(struct device *d, ...@@ -37,7 +37,7 @@ static ssize_t store_bridge_parm(struct device *d,
unsigned long val; unsigned long val;
int err; int err;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
val = simple_strtoul(buf, &endp, 0); val = simple_strtoul(buf, &endp, 0);
...@@ -133,7 +133,7 @@ static ssize_t store_stp_state(struct device *d, ...@@ -133,7 +133,7 @@ static ssize_t store_stp_state(struct device *d,
char *endp; char *endp;
unsigned long val; unsigned long val;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
val = simple_strtoul(buf, &endp, 0); val = simple_strtoul(buf, &endp, 0);
...@@ -166,7 +166,7 @@ static ssize_t store_group_fwd_mask(struct device *d, ...@@ -166,7 +166,7 @@ static ssize_t store_group_fwd_mask(struct device *d,
char *endp; char *endp;
unsigned long val; unsigned long val;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
val = simple_strtoul(buf, &endp, 0); val = simple_strtoul(buf, &endp, 0);
...@@ -301,7 +301,7 @@ static ssize_t store_group_addr(struct device *d, ...@@ -301,7 +301,7 @@ static ssize_t store_group_addr(struct device *d,
u8 new_addr[6]; u8 new_addr[6];
int i; int i;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
if (sscanf(buf, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx", if (sscanf(buf, "%hhx:%hhx:%hhx:%hhx:%hhx:%hhx",
...@@ -333,7 +333,7 @@ static ssize_t store_flush(struct device *d, ...@@ -333,7 +333,7 @@ static ssize_t store_flush(struct device *d,
{ {
struct net_bridge *br = to_bridge(d); struct net_bridge *br = to_bridge(d);
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(br->dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
br_fdb_flush(br); br_fdb_flush(br);
......
...@@ -221,7 +221,7 @@ static ssize_t brport_store(struct kobject * kobj, ...@@ -221,7 +221,7 @@ static ssize_t brport_store(struct kobject * kobj,
char *endp; char *endp;
unsigned long val; unsigned long val;
if (!capable(CAP_NET_ADMIN)) if (!ns_capable(dev_net(p->dev)->user_ns, CAP_NET_ADMIN))
return -EPERM; return -EPERM;
val = simple_strtoul(buf, &endp, 0); val = simple_strtoul(buf, &endp, 0);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment