Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp462895yba; Wed, 15 May 2019 04:33:07 -0700 (PDT) X-Google-Smtp-Source: APXvYqwvJdciqg5z5dHFtsDQNOf7xEQ5rP6DK6UCCjvUnpTaBtMY+hPvm220psgO1l7izSaL2oQH X-Received: by 2002:a63:903:: with SMTP id 3mr31342772pgj.400.1557919987765; Wed, 15 May 2019 04:33:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557919987; cv=none; d=google.com; s=arc-20160816; b=u8I0MXyL+yuLc0brHVFv0rBFR+jUIKTT3Zb6g2+BlESvKzeyOcodCAufeFGW8Geb4h yTGDi1EzcydsPvQEwgXjJPall8KZ7DxjUkgpLSNF5l73vtQWAYYgx+nGd11XslhvAsIc aYzbTom7/pK9INzPvDXzHPg5VNIIzpY6x0Rs/WNjefWHhJRk427zDm0HINV27c56R9ha CimNO/Il3HT8HfjHS+jSQad7H2A6MajqZ/6EUnwriQAqm5lfpgXRbrYq/PPgveImKNwC 0onprxWRu0LRluJwhNtm5JBAvfbqM5xrmVEDy8gLv8mBKTQwxiuSiMkZVx0EafuAaknP Jigg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=sRn8bUuWIya4EUlOrRQsH8h1uHnhQe71lPEDEyQH0Xw=; b=n2mx78vd2LRhtN2qk326FEIUFqGj2Xu5nC9HCmJ8j7IFDsM00zp+adhV7Ftl8IicII wpG8pqNGE/HPzgKq0Vu7gsfASSq9jkGqHGz8tkkSUSspx5a4uMtpb+xItoTW0deHIAeG 2+5IrJaypjMxDKqF9gKJ+mmVtLCZnvEcbxFa7ghLiDr6FKc46KLCAtYD6HRQI6Ty2Se7 tObTXwNERXk6K0s0i3pgEmzXPG7dAi1epQkLgu6TZHcUWe8SBkZmWwA596p1Eg++loIi ER6GP8gi8VXQwIWt7bZbDjlXjYd68fUFUXQVyrYVYLEaCiA4V2XayocGsCbGBK+BNqQ6 H6ZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=o1NQCWIu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e23si1624731pgl.293.2019.05.15.04.32.52; Wed, 15 May 2019 04:33:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=o1NQCWIu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732821AbfEOLa7 (ORCPT + 99 others); Wed, 15 May 2019 07:30:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:42602 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731950AbfEOLa6 (ORCPT ); Wed, 15 May 2019 07:30:58 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 282512084A; Wed, 15 May 2019 11:30:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557919857; bh=HsE/PVs5oxByEtR7DJrXCuySZSGpF0FiEXOJmXGVDlg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=o1NQCWIu5yImW8fWgvjrcENCMTzmH4jk9sr3bcxn8oxMqqz84Krpy7EwB0X6Q573t pH5PFZneCtDy5czHcrTNAzMfFc09l8djkej+M2eq8o5K7seIScKOFrl0IiDn+PDkJC oGVZs2vhjv+lqI8S6JPcwBHYhxlDc9JVyeFJknxo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hangbin Liu , Richard Cochran , "David S. Miller" Subject: [PATCH 5.0 118/137] vlan: disable SIOCSHWTSTAMP in container Date: Wed, 15 May 2019 12:56:39 +0200 Message-Id: <20190515090702.233519669@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190515090651.633556783@linuxfoundation.org> References: <20190515090651.633556783@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Hangbin Liu [ Upstream commit 873017af778439f2f8e3d87f28ddb1fcaf244a76 ] With NET_ADMIN enabled in container, a normal user could be mapped to root and is able to change the real device's rx filter via ioctl on vlan, which would affect the other ptp process on host. Fix it by disabling SIOCSHWTSTAMP in container. Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device") Signed-off-by: Hangbin Liu Acked-by: Richard Cochran Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/8021q/vlan_dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -368,10 +368,12 @@ static int vlan_dev_ioctl(struct net_dev ifrr.ifr_ifru = ifr->ifr_ifru; switch (cmd) { + case SIOCSHWTSTAMP: + if (!net_eq(dev_net(dev), &init_net)) + break; case SIOCGMIIPHY: case SIOCGMIIREG: case SIOCSMIIREG: - case SIOCSHWTSTAMP: case SIOCGHWTSTAMP: if (netif_device_present(real_dev) && ops->ndo_do_ioctl) err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd);