From patchwork Fri Mar 31 23:55:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anjali Kulkarni X-Patchwork-Id: 78044 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp926077vqo; Fri, 31 Mar 2023 17:21:06 -0700 (PDT) X-Google-Smtp-Source: AKy350Y5y5/a9IJZ57mWuyaz2ScUHzrbojrzScrdLgwS7NJRpLEEhP0xIa1ArGq38NjoY+Q2PHjP X-Received: by 2002:a17:906:4795:b0:944:308f:b976 with SMTP id cw21-20020a170906479500b00944308fb976mr26150774ejc.36.1680308466057; Fri, 31 Mar 2023 17:21:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680308466; cv=none; d=google.com; s=arc-20160816; b=vK0++nONF02vt6BKRycyozfce0c6GkGycsTzY42Yw6X/lp0lpQxFdc7HJgmhBlwtBt atvPKLhrRQ6Z4MONQUQNsuDsP3kyRbHIx9lmW/MJ1qgQoauvTYFjHPo++q77XsvHhG25 BaoNBNXTKfafQRB0T+A+JpmPyY71c2k427m5fOFpm/mpWsEYPD48KH6gXRk+S0US8KOn wkW1SUAYtZEitRLOnkYdrpBy1oGlTTXd5f3rL5T84uPLETh3D44yYkurGBWo+GI5e/Yz 87fr0n/EshM8ATqGxtp/M7FG935hd3yfX+VWTEQu/7IlaWwAXBZLBNqP8YZ8fQBkXjjQ zmhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=gXl2kPXJPf/jSKBw0vAfbHVROAJisKoHzvhm0NlxHu4=; b=m2uIOZMt6m8HzGKUOhTO65oo2RUgMMuS8JYMdlVxwxpxJFgE0Rk0iqwBknuots5PEU yfINaRITiC1UNt3B83xl7xtBLCk1aSIjzV3p6FhIxUo1eKc/og4SY7nuuF1haEGJpW2o 1yojrGIjPmxIFmimOpu2EFl276wbeWpYjmQVWi0nX7Cw8B1NXoeY7rJ81FHS2F8ldIyo fr6vX7GMflT1Z6etOhZE83ZbG8TIzXVbl06v+9zUd4dEGgbth/sonIxLDUim8Z57Mu+G iVfwt/IRgjmUofo9eH/rwth7AC7I74naAGZUjkHPzftMbqkMC42+m7XXXvZP1VeXyYBV gQZQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=xLQaYELm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l17-20020a056402345100b00502230e8b41si3073730edc.54.2023.03.31.17.20.42; Fri, 31 Mar 2023 17:21:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=xLQaYELm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233427AbjCaX4W (ORCPT + 99 others); Fri, 31 Mar 2023 19:56:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34572 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233368AbjCaX4C (ORCPT ); Fri, 31 Mar 2023 19:56:02 -0400 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DABA31D847; Fri, 31 Mar 2023 16:55:56 -0700 (PDT) Received: from pps.filterd (m0333520.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 32VKr7Ic014473; Fri, 31 Mar 2023 23:55:43 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=corp-2022-7-12; bh=gXl2kPXJPf/jSKBw0vAfbHVROAJisKoHzvhm0NlxHu4=; b=xLQaYELm8o7UC4DPnvEtAHanZdqgDJJb261230BLm4J66tzYsQXJIyTHzHIZez16tQs4 mnIGPbDEDO0Ip0qLm1itbuz6apUyV6nG9gu0IF4BsBswF0q2/iRpprSD3xertSpG6pQx /YYEtenP0DeqSUHCEWOHio55utVEEn2g4HRjj9blcMf9vkaazIE6j+szXQK2z+VjaC3z TUTZdOLy5jTLoP1rBsv2705M07nuLeuZRKWasxb1xbxfImaX/odD0FHifuG8ndMLIyhf EH4W5LuZYUZN3JnW8YsoQxIkfCCd8XgAYJ3bBq9r0uN6k/5hvWTd8bN0amzt0rRLNG3b 8A== Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta02.appoci.oracle.com [147.154.18.20]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3pmqbyy9cx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 31 Mar 2023 23:55:42 +0000 Received: from pps.filterd (iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 32VM7sO4023475; Fri, 31 Mar 2023 23:55:42 GMT Received: from pps.reinject (localhost [127.0.0.1]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 3phqdkm2ta-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 31 Mar 2023 23:55:42 +0000 Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 32VNtUIl019347; Fri, 31 Mar 2023 23:55:41 GMT Received: from ca-dev112.us.oracle.com (ca-dev112.us.oracle.com [10.129.136.47]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTP id 3phqdkm2p9-7; Fri, 31 Mar 2023 23:55:41 +0000 From: Anjali Kulkarni To: davem@davemloft.net Cc: edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, zbr@ioremap.net, brauner@kernel.org, johannes@sipsolutions.net, ecree.xilinx@gmail.com, leon@kernel.org, keescook@chromium.org, socketcan@hartkopp.net, petrm@nvidia.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, anjali.k.kulkarni@oracle.com Subject: [PATCH v4 6/6] connector/cn_proc: Allow non-root users access Date: Fri, 31 Mar 2023 16:55:28 -0700 Message-Id: <20230331235528.1106675-7-anjali.k.kulkarni@oracle.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230331235528.1106675-1-anjali.k.kulkarni@oracle.com> References: <20230331235528.1106675-1-anjali.k.kulkarni@oracle.com> MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-31_07,2023-03-31_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 bulkscore=0 spamscore=0 phishscore=0 mlxscore=0 mlxlogscore=999 suspectscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000 definitions=main-2303310196 X-Proofpoint-GUID: kQL8zfhycsoasLgugdG-uq01-aH7M4Kz X-Proofpoint-ORIG-GUID: kQL8zfhycsoasLgugdG-uq01-aH7M4Kz X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1761931130063126053?= X-GMAIL-MSGID: =?utf-8?q?1761931130063126053?= There were a couple of reasons for not allowing non-root users access initially - one is there was some point no proper receive buffer management in place for netlink multicast. But that should be long fixed. See link below for more context. Second is that some of the messages may contain data that is root only. But this should be handled with a finer granularity, which is being done at the protocol layer. The only problematic protocols are nf_queue and the firewall netlink. Hence, this restriction for non-root access was relaxed for NETLINK_ROUTE initially: https://lore.kernel.org/all/20020612013101.A22399@wotan.suse.de/ This restriction has also been removed for following protocols: NETLINK_KOBJECT_UEVENT, NETLINK_AUDIT, NETLINK_SOCK_DIAG, NETLINK_GENERIC, NETLINK_SELINUX. Since process connector messages are not sensitive (process fork, exit notifications etc.), and anyone can read /proc data, we can allow non-root access here. However, since process event notification is not the only consumer of NETLINK_CONNECTOR, we can make this change even more fine grained than the protocol level, by checking for multicast group within the protocol. Allow non-root access for NETLINK_CONNECTOR via NL_CFG_F_NONROOT_RECV but add new bind function cn_bind(), which allows non-root access only for CN_IDX_PROC multicast group. Signed-off-by: Anjali Kulkarni --- drivers/connector/cn_proc.c | 7 ------- drivers/connector/connector.c | 14 ++++++++++++++ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c index 35bec1fd7ee0..046a8c1d8577 100644 --- a/drivers/connector/cn_proc.c +++ b/drivers/connector/cn_proc.c @@ -408,12 +408,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, !task_is_in_init_pid_ns(current)) return; - /* Can only change if privileged. */ - if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) { - err = EPERM; - goto out; - } - if (msg->len == sizeof(*pinput)) { pinput = (struct proc_input *)msg->data; mc_op = pinput->mcast_op; @@ -460,7 +454,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, break; } -out: cn_proc_ack(err, msg->seq, msg->ack); } diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c index d1179df2b0ba..193d3056de64 100644 --- a/drivers/connector/connector.c +++ b/drivers/connector/connector.c @@ -166,6 +166,18 @@ static int cn_call_callback(struct sk_buff *skb) return err; } +static int cn_bind(struct net *net, int group) +{ + unsigned long groups = 0; + groups = (unsigned long) group; + + if (ns_capable(net->user_ns, CAP_NET_ADMIN)) + return 0; + if (test_bit(CN_IDX_PROC - 1, &groups)) + return 0; + return -EPERM; +} + static void cn_release(struct sock *sk, unsigned long *groups) { if (groups && test_bit(CN_IDX_PROC - 1, groups)) { @@ -261,6 +273,8 @@ static int cn_init(void) struct netlink_kernel_cfg cfg = { .groups = CN_NETLINK_USERS + 0xf, .input = cn_rx_skb, + .flags = NL_CFG_F_NONROOT_RECV, + .bind = cn_bind, .release = cn_release, };