From patchwork Sat Jul 8 02:34:19 2023
X-Patchwork-Submitter: Anjali Kulkarni
X-Patchwork-Id: 117356
From: Anjali Kulkarni
To: davem@davemloft.net
Cc: Liam.Howlett@Oracle.com, akpm@linux-foundation.org, david@fries.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, zbr@ioremap.net, brauner@kernel.org, johannes@sipsolutions.net, ecree.xilinx@gmail.com, leon@kernel.org, keescook@chromium.org, socketcan@hartkopp.net, petrm@nvidia.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, anjali.k.kulkarni@oracle.com
Subject: [PATCH v9 5/6] connector/cn_proc: Allow non-root users access
Date: Fri, 7 Jul 2023 19:34:19 -0700
Message-ID: <20230708023420.3931239-6-anjali.k.kulkarni@oracle.com>
In-Reply-To: <20230708023420.3931239-1-anjali.k.kulkarni@oracle.com>
References: <20230708023420.3931239-1-anjali.k.kulkarni@oracle.com>

There were a couple of reasons for not allowing non-root users access initially - one is that there was at some point no proper receive buffer management in place for netlink multicast. But that should be long fixed. See link below for more context.

Second is that some of the messages may contain data that is root only. But this should be handled with a finer granularity, which is being done at the protocol layer. The only problematic protocols are nf_queue and the firewall netlink. Hence, this restriction for non-root access was relaxed for NETLINK_ROUTE initially:
https://lore.kernel.org/all/20020612013101.A22399@wotan.suse.de/

This restriction has also been removed for the following protocols: NETLINK_KOBJECT_UEVENT, NETLINK_AUDIT, NETLINK_SOCK_DIAG, NETLINK_GENERIC, NETLINK_SELINUX.

Since process connector messages are not sensitive (process fork, exit notifications etc.), and anyone can read /proc data, we can allow non-root access here. However, since process event notification is not the only consumer of NETLINK_CONNECTOR, we can make this change even more fine-grained than the protocol level, by checking for multicast group within the protocol.

Allow non-root access for NETLINK_CONNECTOR via NL_CFG_F_NONROOT_RECV but add a new bind function cn_bind(), which allows non-root access only for the CN_IDX_PROC multicast group.

Signed-off-by: Anjali Kulkarni
--- drivers/connector/cn_proc.c | 6 ------ drivers/connector/connector.c | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c index dfc84d44f804..05d562e9c8b1 100644 --- a/drivers/connector/cn_proc.c +++ b/drivers/connector/cn_proc.c @@ -410,12 +410,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, !task_is_in_init_pid_ns(current)) return; - /* Can only change if privileged. */ - if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) { - err = EPERM; - goto out; - } - if (msg->len == sizeof(*pinput)) { pinput = (struct proc_input *)msg->data; mc_op = pinput->mcast_op;
diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c index d1179df2b0ba..7f7b94f616a6 100644 --- a/drivers/connector/connector.c +++ b/drivers/connector/connector.c @@ -166,6 +166,23 @@ static int cn_call_callback(struct sk_buff *skb) return err; } +/* + * Allow non-root access for NETLINK_CONNECTOR family having CN_IDX_PROC + * multicast group. + */ +static int cn_bind(struct net *net, int group) +{ + unsigned long groups = (unsigned long) group; + + if (ns_capable(net->user_ns, CAP_NET_ADMIN)) + return 0; + + if (test_bit(CN_IDX_PROC - 1, &groups)) + return 0; + + return -EPERM; +} + static void cn_release(struct sock *sk, unsigned long *groups) { if (groups && test_bit(CN_IDX_PROC - 1, groups)) { @@ -261,6 +278,8 @@ static int cn_init(void) struct netlink_kernel_cfg cfg = { .groups = CN_NETLINK_USERS + 0xf, .input = cn_rx_skb, + .flags = NL_CFG_F_NONROOT_RECV, + .bind = cn_bind, .release = cn_release, };
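
Review bot: In the cn_proc.c hunk, the CAP_NET_ADMIN check in cn_proc_mcast_ctl() is removed, but the changelog only justifies unprivileged receive and bind; it does not say why an unprivileged sender may now reach the `mc_op = pinput->mcast_op` path. Please state in the changelog, or in a comment above the `msg->len == sizeof(*pinput)` branch, that the state this control message changes is scoped to the sender's own socket, or keep a privilege check for any operation that affects other listeners. The only gate still visible above the removed lines is `task_is_in_init_pid_ns(current)`, which is not a privilege check.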
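
Review bot: In cn_bind() in the first connector.c hunk, `group` is an `int` that is cast to `unsigned long` and then tested as a bitmask with `test_bit(CN_IDX_PROC - 1, &groups)`. If the bind callback is handed a single group number rather than a mask, this accepts every value that has that bit set, not only CN_IDX_PROC, so the restriction to the proc group would not hold for the other connector groups. Compare the value directly, for example `if (group == CN_IDX_PROC) return 0;`, or add a comment stating that the argument is a mask. The new check also uses `ns_capable(net->user_ns, CAP_NET_ADMIN)` where the check removed from cn_proc.c used `&init_user_ns`; the changelog should say whether that change of scope is intended.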
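
Review bot: In the cn_init() hunk, `.flags = NL_CFG_F_NONROOT_RECV` applies to the whole NETLINK_CONNECTOR family, so limiting unprivileged listeners to CN_IDX_PROC rests entirely on `.bind = cn_bind` being called on every path that adds a group membership. A short comment next to the two new initializers saying so, and naming the paths that were checked, would keep a later change to either field from silently widening access to the other connector users.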