Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3384110pxb; Mon, 17 Jan 2022 19:13:35 -0800 (PST) X-Google-Smtp-Source: ABdhPJzQJKSX3qmoqPVjsqccFQZCFDWEogODhZU1epxkMtsAk1VqdHmpui9fZWZrllq8VawOqBl5 X-Received: by 2002:a17:90a:cc03:: with SMTP id b3mr33469030pju.97.1642475615657; Mon, 17 Jan 2022 19:13:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642475615; cv=none; d=google.com; s=arc-20160816; b=EAZvhszjoKyC6l3orp75EghzfrwBV5p3fWI0u4aLdW01jB3pU8QUuK9GqlzY+4dQ4J OgPy13J65DknTObHJHMLKD9S4zbC4PFAgRgM5yd8dLWtiMbLspPSJBXx2QBddj9mhQjT O3Y2V6Ce66qxCzjhPjZGSfLZzUqbrKvYSaRW+EdLQgDjRWECVk+qVVg5tc4A7YfziO3N VCeEJplxXzRI7y3/jF6CGrmj5lw1ZS3ttbHCScxIw8qOzvcly3yEdKDRT3G0iuMTLh7Y j7PdtrTyJH8gTtOXbZN8bja2+URLAED2rWVNDsyRXdRKhF8lwas81SB6g9tSLQkIl4cc GGGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=0IXTxAkehUh2G0xWRJ07BW/FyFvHi5fDQQ5ySFn1vJM=; b=ZOl3+n+NtukcoYPAzU/zo90NH2t99++RI9IQyIEgKm3DoEJSXQCYf45NFaaJZW7n7G +sEZdkt80T2o5bUs9IgRMyKBH5UcvRx+7OZCXyd0o3mQUByIpWlPbDIl2LU1doujjRP7 dLKU8OdMloQmIybQFNbcsDpBm2s40X5KB5FthsV5Tyxpy41hhUqNvmGimnlLuwpfbx9V mQXfeOk3z4I/VcUF2NDv5VUv0B2n22gzKO2+SR/lAHe2x5djxhdv6Y756wtOGpRUHsiR f32174ZjbS3dsKM9GMKblERZIXiMWZZKmZv2LgAiIQ1TuOQwtfTgmW7RckjVfE5cko2x x4cA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=BQk0gMge; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j63si16003907pge.424.2022.01.17.19.13.24; Mon, 17 Jan 2022 19:13:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=BQk0gMge; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244830AbiARCVw (ORCPT + 99 others); Mon, 17 Jan 2022 21:21:52 -0500 Received: from ams.source.kernel.org ([145.40.68.75]:35644 "EHLO ams.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244729AbiARCVN (ORCPT ); Mon, 17 Jan 2022 21:21:13 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 74C06B8122C; Tue, 18 Jan 2022 02:21:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BE438C36AF4; Tue, 18 Jan 2022 02:21:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1642472471; bh=eSOZJjsod7JXBVDUOGZX0mGYhD7AX7qWZXKijpCydxQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BQk0gMgehW5BbtsRW6chjxxOFJbod6cnqJKPsIexlnwQX2BWscdZalmtljsHxf0ng a1CA8PpcNWYI5SQn7hH/BULI9U9xSaM0DGoS3mCUcbdAM+RgSw2CjHjFUxXWlrA3+F 3CCzHrDFHh6aam2KTQWU48adyQR6OgKYNPXc22C48MZWp2ZmabrBcs65jy97QeaJyU 1yvS0EFFyGl2R+7C1bt9aGcEJRilOhfZcYuGfOfvudnCxaQUOXaxPpmHILQS7jbHmZ DD0M6Y39rEH550zCrmlHYq0n84pZTFfcnhhmnYwRrn2zaJrij2UcDRT9ib9hqY/2ux zY70IMzOu6F/w== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: =?UTF-8?q?Linus=20L=C3=BCssing?= , Tycho Andersen , Sven Eckelmann , Simon Wunderlich , Sasha Levin , mareklindner@neomailbox.ch, a@unstable.cc, davem@davemloft.net, kuba@kernel.org, b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 5.16 025/217] batman-adv: allow netlink usage in unprivileged containers Date: Mon, 17 Jan 2022 21:16:28 -0500 Message-Id: <20220118021940.1942199-25-sashal@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220118021940.1942199-1-sashal@kernel.org> References: <20220118021940.1942199-1-sashal@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Linus Lüssing [ Upstream commit 9057d6c23e7388ee9d037fccc9a7bc8557ce277b ] Currently, creating a batman-adv interface in an unprivileged LXD container and attaching secondary interfaces to it with "ip" or "batctl" works fine. However all batctl debug and configuration commands fail: root@container:~# batctl originators Error received: Operation not permitted root@container:~# batctl orig_interval 1000 root@container:~# batctl orig_interval 2000 root@container:~# batctl orig_interval 1000 To fix this change the generic netlink permissions from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM. This way a batman-adv interface is fully maintainable as root from within a user namespace, from an unprivileged container. All except one batman-adv netlink setting are per interface and do not leak information or change settings from the host system and are therefore save to retrieve or modify as root from within an unprivileged container. "batctl routing_algo" / BATADV_CMD_GET_ROUTING_ALGOS is the only exception: It provides the batman-adv kernel module wide default routing algorithm. However it is read-only from netlink and an unprivileged container is still not allowed to modify /sys/module/batman_adv/parameters/routing_algo. Instead it is advised to use the newly introduced "batctl if create routing_algo RA_NAME" / IFLA_BATADV_ALGO_NAME to set the routing algorithm on interface creation, which already works fine in an unprivileged container. Cc: Tycho Andersen Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin --- net/batman-adv/netlink.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c index 29276284d281c..00875e1d8c44c 100644 --- a/net/batman-adv/netlink.c +++ b/net/batman-adv/netlink.c @@ -1368,21 +1368,21 @@ static const struct genl_small_ops batadv_netlink_ops[] = { { .cmd = BATADV_CMD_TP_METER, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .doit = batadv_netlink_tp_meter_start, .internal_flags = BATADV_FLAG_NEED_MESH, }, { .cmd = BATADV_CMD_TP_METER_CANCEL, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .doit = batadv_netlink_tp_meter_cancel, .internal_flags = BATADV_FLAG_NEED_MESH, }, { .cmd = BATADV_CMD_GET_ROUTING_ALGOS, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_algo_dump, }, { @@ -1397,68 +1397,68 @@ static const struct genl_small_ops batadv_netlink_ops[] = { { .cmd = BATADV_CMD_GET_TRANSTABLE_LOCAL, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_tt_local_dump, }, { .cmd = BATADV_CMD_GET_TRANSTABLE_GLOBAL, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_tt_global_dump, }, { .cmd = BATADV_CMD_GET_ORIGINATORS, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_orig_dump, }, { .cmd = BATADV_CMD_GET_NEIGHBORS, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_hardif_neigh_dump, }, { .cmd = BATADV_CMD_GET_GATEWAYS, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_gw_dump, }, { .cmd = BATADV_CMD_GET_BLA_CLAIM, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_bla_claim_dump, }, { .cmd = BATADV_CMD_GET_BLA_BACKBONE, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_bla_backbone_dump, }, { .cmd = BATADV_CMD_GET_DAT_CACHE, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_dat_cache_dump, }, { .cmd = BATADV_CMD_GET_MCAST_FLAGS, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .dumpit = batadv_mcast_flags_dump, }, { .cmd = BATADV_CMD_SET_MESH, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .doit = batadv_netlink_set_mesh, .internal_flags = BATADV_FLAG_NEED_MESH, }, { .cmd = BATADV_CMD_SET_HARDIF, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .doit = batadv_netlink_set_hardif, .internal_flags = BATADV_FLAG_NEED_MESH | BATADV_FLAG_NEED_HARDIF, @@ -1474,7 +1474,7 @@ static const struct genl_small_ops batadv_netlink_ops[] = { { .cmd = BATADV_CMD_SET_VLAN, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, + .flags = GENL_UNS_ADMIN_PERM, .doit = batadv_netlink_set_vlan, .internal_flags = BATADV_FLAG_NEED_MESH | BATADV_FLAG_NEED_VLAN, -- 2.34.1