Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp506864yba; Wed, 15 May 2019 05:20:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqya37bObYE96bRRQZxhgyXiXuvYBFElxFncO3Eoggt+TbxQBCEn+DuVTTrsb4CAkwDm0sok X-Received: by 2002:a17:902:3281:: with SMTP id z1mr42842107plb.44.1557922804858; Wed, 15 May 2019 05:20:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557922804; cv=none; d=google.com; s=arc-20160816; b=wDUH4YvOO3tSg+Qb2EpHeZc7q/Sxo5X3xSjTRYb4GPMsQLNi5bKFFyWD58ucN5vy6N 9S0TSSL2xqpRnloAmhWGMJBraof5Y0evQAV/HSnujOA6nvjPt0OoGB37U7QIs4MonYDr U2p6iILYM5AOPwDWrNElHMCve+2yWeqKspupEBHk1wEtWV7QS3+CtgLFdLd3nk2h+BvF vVuNPacmeg8NFzBgbCfNtmYRydpDdI+Ol8FL2LiheHavJXVUsEC1cyM/3frAL0W/HJbc M3sKsnSeqkIfW23EVmC5G9F61dxAwDm/O6MImi3pc458vq3wrQgzIseQ5QBPNGzRh5wQ X1iQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=avArsZnc/Uw+KHaF5QiiZPG+e0lmwGiBMFw64b4LJHk=; b=TDjLzR0qcjOOL0ZR3uoBRTSlR6cRdi4jGoYwhKl11+7urjiWcqnjoV4BHBSBVcFFex qJgI67iKGrkdkFeK7MPoaZ/tjQlgzetqm6sn8b6XT0fo/AIa67Zk1dcdKZP4YtnqC7pF meUNguA49VG8j6LdVwuuFiA8kinEgDYYSRVIBGsSKc8B+k3Hsu2sjsJTZavgZI4Mzj1+ bnBOdhPNJcCg7WdKa3dy5hmkuiip25fTgCUy+40sGMWzqqCZGNRvU++wlyhGb5TfpxsN 7eUR6j3+SHzGOBtSeC8hPvZdQY+Wm4aq4k8Rtfka5uHdJZhn/mV62DkcwtyiD+Z1WH37 YrEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UCUNHE8W; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z184si1613674pgb.409.2019.05.15.05.19.49; Wed, 15 May 2019 05:20:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UCUNHE8W; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727670AbfEOLBS (ORCPT + 99 others); Wed, 15 May 2019 07:01:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:58176 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727633AbfEOLBM (ORCPT ); Wed, 15 May 2019 07:01:12 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EA8C220881; Wed, 15 May 2019 11:01:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557918071; bh=F8OCAH8LSQaGPAz3FzY/maYOYkQxcbr473s13hz57MA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UCUNHE8WMsuTREVZnonfshdPBSzPsPL8JbB8/WtQr9OajUCtBiPu/519JIXyDjA4U NYc32bidaOh1Gpq8Ou59u955c8omLA4lnKhgsmwpgB8bsQNKEynCyx183F6h+Hrjf5 4XhOxZTzO+lCzyjg+bHrCWonmrTAoNqJHySIPie0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hangbin Liu , Richard Cochran , "David S. Miller" Subject: [PATCH 3.18 81/86] vlan: disable SIOCSHWTSTAMP in container Date: Wed, 15 May 2019 12:55:58 +0200 Message-Id: <20190515090655.851644169@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190515090642.339346723@linuxfoundation.org> References: <20190515090642.339346723@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Hangbin Liu [ Upstream commit 873017af778439f2f8e3d87f28ddb1fcaf244a76 ] With NET_ADMIN enabled in container, a normal user could be mapped to root and is able to change the real device's rx filter via ioctl on vlan, which would affect the other ptp process on host. Fix it by disabling SIOCSHWTSTAMP in container. Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device") Signed-off-by: Hangbin Liu Acked-by: Richard Cochran Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/8021q/vlan_dev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/8021q/vlan_dev.c +++ b/net/8021q/vlan_dev.c @@ -394,10 +394,12 @@ static int vlan_dev_ioctl(struct net_dev ifrr.ifr_ifru = ifr->ifr_ifru; switch (cmd) { + case SIOCSHWTSTAMP: + if (!net_eq(dev_net(dev), &init_net)) + break; case SIOCGMIIPHY: case SIOCGMIIREG: case SIOCSMIIREG: - case SIOCSHWTSTAMP: case SIOCGHWTSTAMP: if (netif_device_present(real_dev) && ops->ndo_do_ioctl) err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd);