net: make net namespace sysctls belong to container's owner
If net namespace is attached to a user namespace let's make container's root owner of sysctls affecting said network namespace instead of global root. This also allows us to clean up net_ctl_permissions() because we do not need to fudge permissions anymore for the container's owner since it now owns the objects in question. Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Родитель
c110486f6c
Коммит
e79c6a4fc9
|
@ -430,6 +430,7 @@ static int sysctl_perm(struct ctl_table_header *head, struct ctl_table *table, i
|
|||
static struct inode *proc_sys_make_inode(struct super_block *sb,
|
||||
struct ctl_table_header *head, struct ctl_table *table)
|
||||
{
|
||||
struct ctl_table_root *root = head->root;
|
||||
struct inode *inode;
|
||||
struct proc_inode *ei;
|
||||
|
||||
|
@ -457,6 +458,10 @@ static struct inode *proc_sys_make_inode(struct super_block *sb,
|
|||
if (is_empty_dir(head))
|
||||
make_empty_dir_inode(inode);
|
||||
}
|
||||
|
||||
if (root->set_ownership)
|
||||
root->set_ownership(head, table, &inode->i_uid, &inode->i_gid);
|
||||
|
||||
out:
|
||||
return inode;
|
||||
}
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
#include <linux/rcupdate.h>
|
||||
#include <linux/wait.h>
|
||||
#include <linux/rbtree.h>
|
||||
#include <linux/uidgid.h>
|
||||
#include <uapi/linux/sysctl.h>
|
||||
|
||||
/* For the /proc/sys support */
|
||||
|
@ -157,6 +158,9 @@ struct ctl_table_root {
|
|||
struct ctl_table_set default_set;
|
||||
struct ctl_table_set *(*lookup)(struct ctl_table_root *root,
|
||||
struct nsproxy *namespaces);
|
||||
void (*set_ownership)(struct ctl_table_header *head,
|
||||
struct ctl_table *table,
|
||||
kuid_t *uid, kgid_t *gid);
|
||||
int (*permissions)(struct ctl_table_header *head, struct ctl_table *table);
|
||||
};
|
||||
|
||||
|
|
|
@ -42,26 +42,37 @@ static int net_ctl_permissions(struct ctl_table_header *head,
|
|||
struct ctl_table *table)
|
||||
{
|
||||
struct net *net = container_of(head->set, struct net, sysctls);
|
||||
kuid_t root_uid = make_kuid(net->user_ns, 0);
|
||||
kgid_t root_gid = make_kgid(net->user_ns, 0);
|
||||
|
||||
/* Allow network administrator to have same access as root. */
|
||||
if (ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN) ||
|
||||
uid_eq(root_uid, current_euid())) {
|
||||
if (ns_capable(net->user_ns, CAP_NET_ADMIN)) {
|
||||
int mode = (table->mode >> 6) & 7;
|
||||
return (mode << 6) | (mode << 3) | mode;
|
||||
}
|
||||
/* Allow netns root group to have the same access as the root group */
|
||||
if (in_egroup_p(root_gid)) {
|
||||
int mode = (table->mode >> 3) & 7;
|
||||
return (mode << 3) | mode;
|
||||
}
|
||||
|
||||
return table->mode;
|
||||
}
|
||||
|
||||
static void net_ctl_set_ownership(struct ctl_table_header *head,
|
||||
struct ctl_table *table,
|
||||
kuid_t *uid, kgid_t *gid)
|
||||
{
|
||||
struct net *net = container_of(head->set, struct net, sysctls);
|
||||
kuid_t ns_root_uid;
|
||||
kgid_t ns_root_gid;
|
||||
|
||||
ns_root_uid = make_kuid(net->user_ns, 0);
|
||||
if (uid_valid(ns_root_uid))
|
||||
*uid = ns_root_uid;
|
||||
|
||||
ns_root_gid = make_kgid(net->user_ns, 0);
|
||||
if (gid_valid(ns_root_gid))
|
||||
*gid = ns_root_gid;
|
||||
}
|
||||
|
||||
static struct ctl_table_root net_sysctl_root = {
|
||||
.lookup = net_ctl_header_lookup,
|
||||
.permissions = net_ctl_permissions,
|
||||
.set_ownership = net_ctl_set_ownership,
|
||||
};
|
||||
|
||||
static int __net_init sysctl_net_init(struct net *net)
|
||||
|
|
Загрузка…
Ссылка в новой задаче