From: Matthieu Baerts
To: Mat Martineau, Matthieu Baerts, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Thomas Haller, netdev@vger.kernel.org, mptcp@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH net-next 4/5] mptcp: allow privileged operations from user namespaces
Date: Tue, 6 Sep 2022 22:55:42 +0200
Message-Id: <20220906205545.1623193-5-matthieu.baerts@tessares.net>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20220906205545.1623193-1-matthieu.baerts@tessares.net>
References: <20220906205545.1623193-1-matthieu.baerts@tessares.net>
From: Thomas Haller

GENL_ADMIN_PERM checks that the user has CAP_NET_ADMIN in the initial namespace by calling netlink_capable(). Instead, use GENL_UNS_ADMIN_PERM which uses netlink_ns_capable(). This checks that the caller has CAP_NET_ADMIN in the current user namespace.

See also commit 4a92602aa1cd ("openvswitch: allow management from inside user namespaces") which introduced this mechanism.

See also commit 5617c6cd6f84 ("nl80211: Allow privileged operations from user namespaces") which introduced this for nl80211.

Signed-off-by: Thomas Haller
Reviewed-by: Mat Martineau
Signed-off-by: Matthieu Baerts
---
 net/mptcp/pm_netlink.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 5e142c0c597a..afc98adf2746 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -2218,17 +2218,17 @@ static const struct genl_small_ops mptcp_pm_ops[] = =3D { { .cmd =3D MPTCP_PM_CMD_ADD_ADDR, .doit =3D mptcp_nl_cmd_add_addr, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, { .cmd =3D MPTCP_PM_CMD_DEL_ADDR, .doit =3D mptcp_nl_cmd_del_addr, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, { .cmd =3D MPTCP_PM_CMD_FLUSH_ADDRS, .doit =3D mptcp_nl_cmd_flush_addrs, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, { .cmd =3D MPTCP_PM_CMD_GET_ADDR, @@ -2238,7 +2238,7 @@ static const struct genl_small_ops mptcp_pm_ops[] =3D= { { .cmd =3D MPTCP_PM_CMD_SET_LIMITS, .doit =3D mptcp_nl_cmd_set_limits, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, { .cmd =3D MPTCP_PM_CMD_GET_LIMITS, 
@@ -2247,27 +2247,27 @@ static const struct genl_small_ops mptcp_pm_ops[] = =3D { { .cmd =3D MPTCP_PM_CMD_SET_FLAGS, .doit =3D mptcp_nl_cmd_set_flags, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, { .cmd =3D MPTCP_PM_CMD_ANNOUNCE, .doit =3D mptcp_nl_cmd_announce, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, { .cmd =3D MPTCP_PM_CMD_REMOVE, .doit =3D mptcp_nl_cmd_remove, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, { .cmd =3D MPTCP_PM_CMD_SUBFLOW_CREATE, .doit =3D mptcp_nl_cmd_sf_create, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, { .cmd =3D MPTCP_PM_CMD_SUBFLOW_DESTROY, .doit =3D mptcp_nl_cmd_sf_destroy, - .flags =3D GENL_ADMIN_PERM, + .flags =3D GENL_UNS_ADMIN_PERM, }, }; =20 --=20 2.37.2
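Review bot: for the ADD_ADDR, DEL_ADDR and FLUSH_ADDRS entries in the first hunk (@@ -2218,17), moving from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM means a caller holding CAP_NET_ADMIN only in the user namespace that owns the socket's network namespace can now add, delete and flush endpoints; that is only sound if mptcp_nl_cmd_add_addr, mptcp_nl_cmd_del_addr and mptcp_nl_cmd_flush_addrs act exclusively on the per-netns path-manager state resolved from genl_info_net(info) and never on init_net. The commit message would be stronger if it stated that invariant explicitly, since it is the same property the cited openvswitch and nl80211 commits depend on.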
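Review bot: in the second hunk (@@ -2238,7) only SET_LIMITS changes, while the neighbouring GET_ADDR and GET_LIMITS entries keep whatever flags they already carry, which the hunk context does not show; one sentence in the commit message saying that the read-only commands are deliberately left untouched would save reviewers a lookup, and the per-netns scoping question raised for the first hunk applies equally to mptcp_nl_cmd_set_limits.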
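Review bot: the last hunk (@@ -2247,27) relaxes the permission for ANNOUNCE, REMOVE, SUBFLOW_CREATE and SUBFLOW_DESTROY alongside SET_FLAGS; if those handlers address a specific MPTCP connection, as the command names suggest, it is worth confirming that the connection lookup they perform is bound to genl_info_net(info) rather than to a global table, otherwise the namespace boundary that GENL_UNS_ADMIN_PERM is meant to respect would not hold. Beyond that the change is mechanical and consistent across all nine entries, matching the diffstat.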