From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hangbin Liu , Richard Cochran , "David S. Miller" Subject: [PATCH 5.1 27/46] vlan: disable SIOCSHWTSTAMP in container Date: Wed, 15 May 2019 12:56:51 +0200 Message-Id: <20190515090625.571849309@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190515090616.670410738@linuxfoundation.org> References: <20190515090616.670410738@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Hangbin Liu [ Upstream commit 873017af778439f2f8e3d87f28ddb1fcaf244a76 ] With NET_ADMIN enabled in container, a normal user could be mapped to root and is able to change the real device's rx filter via ioctl on vlan, which would affect the other ptp process on host. Fix it by disabling SIOCSHWTSTAMP in container. Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device") Signed-off-by: Hangbin Liu Acked-by: Richard Cochran Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/8021q/vlan_dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -367,10 +367,12 @@ static int vlan_dev_ioctl(struct net_dev ifrr.ifr_ifru = ifr->ifr_ifru; switch (cmd) { + case SIOCSHWTSTAMP: + if (!net_eq(dev_net(dev), &init_net)) + break; case SIOCGMIIPHY: case SIOCGMIIREG: case SIOCSMIIREG: - case SIOCSHWTSTAMP: case SIOCGHWTSTAMP: if (netif_device_present(real_dev) && ops->ndo_do_ioctl) err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd);
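Review bot: In the `vlan_dev_ioctl` switch, the new `case SIOCSHWTSTAMP:` has two paths that deserve a comment each. When the device is in `init_net` the case falls through into `case SIOCGMIIPHY:` without any fall-through annotation, so the intent is easy to misread as a missing `break`; a short `/* fall through */` after the `if` would make it explicit. When the device is not in `init_net` the `break` leaves `err` at its initial value, which is set outside the lines shown here; it is worth confirming that this value is an error (so that a caller in a non-init namespace sees the request refused rather than a silent success) or setting it explicitly on that path. The check is on the network namespace via `net_eq(dev_net(dev), &init_net)` rather than on a capability, which matches the commit message's concern about a user mapped to root with NET_ADMIN inside a container, and a one-line comment above the `if` saying so would help later readers. `SIOCGHWTSTAMP` is still forwarded to the real device from any namespace, which looks intended since it only reads the setting.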