Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp263789img; Mon, 18 Mar 2019 02:34:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqwh7kMPMM5n28KhnSuAf1hcusL+xHB3TEFaVKogwpLvd5ufGT7PxQv+lnMARWVLZdEWnbWo X-Received: by 2002:a63:2bcd:: with SMTP id r196mr16416763pgr.355.1552901674502; Mon, 18 Mar 2019 02:34:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552901674; cv=none; d=google.com; s=arc-20160816; b=as5g/ZADdJi5cG1lRcCgPgfEQx64v/FooSyJAm/OirgVqn3iA7lGi/JsQNce4HHUkc 88i+2itVuT+2onM9es8aUVTWvLSyXR6UDYnLzl3crroUd8urt97V+NGOgVxb+M0UU0al 6XW8VcsgD3brLTnArjy4BsjcZsgkPB2kX5EiWR5WARO6uMU4L9Z+bMnariNYr3miMXU8 K7efbPVpcltKll9K+OcarqK34WV8nBmmW/6e3Lw98EF8slWIpIAhv5Q3TkcK4Ww4m3nr jvtSfmWodL2ahEm9euAQhR4YxWtZUOBkMsRNw9yz3srhlihdRouCvYRiU2qT3EXd10av qrng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=yC0CubInI3GFWigHXqGwKEG0xBVUY8NJpdFLkekSim8=; b=D68BJUIktG9hiwIUtDV8x8UCsb06hPzgA2f+yINxWabrGYtenZ7GWWhqxS5aO7GPyo 8I8txKZfVrKMqS53ASNAi8kZVu0la5w7SaGvCIv2SwdhBVStKsiEVb1kCe9Z4l03af/S kzluXC1Vaq0k9ZMXj7E8DCld+muIlgo7/9WWa2iWxZiRG4Kv3e+GKiAEzLKp7FRFSBkK CjAtivP0Kd9pne3dCKDnwgF6Hg99Q4gIznIHUmhqPJ49/V36qkLwS/S53TCIYF9Bn/Jt kk8i3YOygNMLKM9J6gSgI+pMtqmU79kUwTomNDluMgMEykY36AwPsplcA31sxP7P4gMO fBHg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=GYaW438E; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m24si9127969pls.211.2019.03.18.02.34.18; Mon, 18 Mar 2019 02:34:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=GYaW438E; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727816AbfCRJcr (ORCPT + 99 others); Mon, 18 Mar 2019 05:32:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:40748 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728758AbfCRJcn (ORCPT ); Mon, 18 Mar 2019 05:32:43 -0400 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BD18C2083D; Mon, 18 Mar 2019 09:32:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1552901561; bh=tHeQZ9hPr4nNO44aEWxX9UebFMw5LkfJW3KoiolRq/M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GYaW438ErwNw4mqjqp2oXlbfqE+bLP52fo02orcBNN6odVg1e3f9QpT0Mz9CUFt8m xVJ4UumVBHxHqN5eWXBJLvZaQpsdRO/RVerv7LNXyfzLZD8CLeryBrshadVViCeBFA udIcMM+g/Hi/yXJONj+Q03E5Wma9IkZeu8mnJEk8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Borkmann , Mahesh Bandewar , "David S. Miller" Subject: [PATCH 4.19 30/52] ipvlan: disallow userns cap_net_admin to change global mode/flags Date: Mon, 18 Mar 2019 10:25:27 +0100 Message-Id: <20190318084017.097236223@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190318084013.532280682@linuxfoundation.org> References: <20190318084013.532280682@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Daniel Borkmann [ Upstream commit 7cc9f7003a969d359f608ebb701d42cafe75b84a ] When running Docker with userns isolation e.g. --userns-remap="default" and spawning up some containers with CAP_NET_ADMIN under this realm, I noticed that link changes on ipvlan slave device inside that container can affect all devices from this ipvlan group which are in other net namespaces where the container should have no permission to make changes to, such as the init netns, for example. This effectively allows to undo ipvlan private mode and switch globally to bridge mode where slaves can communicate directly without going through hostns, or it allows to switch between global operation mode (l2/l3/l3s) for everyone bound to the given ipvlan master device. libnetwork plugin here is creating an ipvlan master and ipvlan slave in hostns and a slave each that is moved into the container's netns upon creation event. * In hostns: # ip -d a [...] 8: cilium_host@bond0: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 0c:c4:7a:e1:3d:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 ipvlan mode l3 bridge numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet 10.41.0.1/32 scope link cilium_host valid_lft forever preferred_lft forever [...] * Spawn container & change ipvlan mode setting inside of it: # docker run -dt --cap-add=NET_ADMIN --network cilium-net --name client -l app=test cilium/netperf 9fff485d69dcb5ce37c9e33ca20a11ccafc236d690105aadbfb77e4f4170879c # docker exec -ti client ip -d a [...] 10: cilium0@if4: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 0c:c4:7a:e1:3d:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 ipvlan mode l3 bridge numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet 10.41.197.43/32 brd 10.41.197.43 scope global cilium0 valid_lft forever preferred_lft forever # docker exec -ti client ip link change link cilium0 name cilium0 type ipvlan mode l2 # docker exec -ti client ip -d a [...] 10: cilium0@if4: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 0c:c4:7a:e1:3d:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 ipvlan mode l2 bridge numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet 10.41.197.43/32 brd 10.41.197.43 scope global cilium0 valid_lft forever preferred_lft forever * In hostns (mode switched to l2): # ip -d a [...] 8: cilium_host@bond0: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 0c:c4:7a:e1:3d:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 ipvlan mode l2 bridge numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet 10.41.0.1/32 scope link cilium_host valid_lft forever preferred_lft forever [...] Same l3 -> l2 switch would also happen by creating another slave inside the container's network namespace when specifying the existing cilium0 link to derive the actual (bond0) master: # docker exec -ti client ip link add link cilium0 name cilium1 type ipvlan mode l2 # docker exec -ti client ip -d a [...] 2: cilium1@if4: mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 0c:c4:7a:e1:3d:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 ipvlan mode l2 bridge numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 10: cilium0@if4: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 0c:c4:7a:e1:3d:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 ipvlan mode l2 bridge numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet 10.41.197.43/32 brd 10.41.197.43 scope global cilium0 valid_lft forever preferred_lft forever * In hostns: # ip -d a [...] 8: cilium_host@bond0: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 0c:c4:7a:e1:3d:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 ipvlan mode l2 bridge numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 inet 10.41.0.1/32 scope link cilium_host valid_lft forever preferred_lft forever [...] One way to mitigate it is to check CAP_NET_ADMIN permissions of the ipvlan master device's ns, and only then allow to change mode or flags for all devices bound to it. Above two cases are then disallowed after the patch. Signed-off-by: Daniel Borkmann Acked-by: Mahesh Bandewar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- drivers/net/ipvlan/ipvlan_main.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/net/ipvlan/ipvlan_main.c +++ b/drivers/net/ipvlan/ipvlan_main.c @@ -494,6 +494,8 @@ static int ipvlan_nl_changelink(struct n if (!data) return 0; + if (!ns_capable(dev_net(ipvlan->phy_dev)->user_ns, CAP_NET_ADMIN)) + return -EPERM; if (data[IFLA_IPVLAN_MODE]) { u16 nmode = nla_get_u16(data[IFLA_IPVLAN_MODE]); @@ -596,6 +598,8 @@ int ipvlan_link_new(struct net *src_net, struct ipvl_dev *tmp = netdev_priv(phy_dev); phy_dev = tmp->phy_dev; + if (!ns_capable(dev_net(phy_dev)->user_ns, CAP_NET_ADMIN)) + return -EPERM; } else if (!netif_is_ipvlan_port(phy_dev)) { /* Exit early if the underlying link is invalid or busy */ if (phy_dev->type != ARPHRD_ETHER ||