[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 16 Jul 2016 17:41:56 +0800
From: Shanker Wang <miao.wang@...a.tsinghua.edu.cn>
To: Richard Weinberger <richard@....at>
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
Hi Richard,
Sorry for the late reply after dealing with my personal issues.
After reading the code, I find out that when /dev/ppp is opened,
the instance is in “unattached” state and `file->private_data`
is null correspondingly. After creating a new instance, attaching
to a instance or attaching to a channel using ioctl
(ppp_unattached_ioctl), the state is changed to “attached” and
`file->private_data` becomes valid. My opinion is that only
checking capability in `current->nsproxy->net_ns->user_ns` is
enough. The reason is that to create a ppp interface or control a
ppp interface (in short, to “modify” the network configuration),
we should always first create a new instance by opening `/dev/ppp`
and attach it to a unit or so.
As you mentioned, “an user can create a new user_ns followed by
a new net_ns and has CAP_NET_ADMIN”. However, in that case, he can
create new units by `ioctl PPPIOCNEWUNIT` but cannot attach to
units existing in other net_ns by `ioctl PPPIOCATTACH`, because
`ppp_find_unit` can only find unit in the current net_ns.
In spite of that, I have to admit that there is risk that lots
of ppp devices are created filling all kernel memory. I think this
can be avoided by some other methods.
You have mentioned in another reply that “the use of nsproxy has
to be removed” but I don’t understand the reason. In comparison,
I found similar usage of nsproxy in `tun.c`. So could you please
give a more detailed explanation? Thanks!
> 在 2016年6月19日,18:40,Richard Weinberger <richard@....at> 写道:
>
> Am 19.06.2016 um 12:36 schrieb Shanker Wang:
>>
>>> 在 2016年6月19日,12:13,Richard Weinberger <richard@....at> 写道:
>>>
>>> Am 19.06.2016 um 07:21 schrieb Shanker Wang:
>>>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>>>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>>>> namespace the net namespace was created so that /dev/ppp cat get opened
>>>> in a unprivileged container.
>>>>
>>>> Cc: Hannes Frederic Sowa <hannes@...essinduktion.org>
>>>> Cc: Richard Weinberger <richard.weinberger@...il.com>
>>>> Cc: Guillaume Nault <g.nault@...halink.fr>
>>>> Cc: Miao Wang <shankerwangmiao@...il.com>
>>>> Signed-off-by: Miao Wang <miao.wang@...a.tsinghua.edu.cn>
>>>> ---
>>>> drivers/net/ppp/ppp_generic.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
>>>> index f572b31..4b3b2b5 100644
>>>> --- a/drivers/net/ppp/ppp_generic.c
>>>> +++ b/drivers/net/ppp/ppp_generic.c
>>>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
>>>> /*
>>>> * This could (should?) be enforced by the permissions on /dev/ppp.
>>>> */
>>>> - if (!capable(CAP_NET_ADMIN))
>>>> + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
>>>> return -EPERM;
>>>
>>> Shouldn't this be a ns_capable(net->user_ns, …?
>>> Otherwise an user can create a new user_ns followed by a new net_ns and has
>>> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
>>> net_ns which belongs to the ppp net device which you want to open.
>> You are totally right. However, I wonder how can i get the “net” struct when
>> opening /dev/ppp
>
> I'm sure you can get it somehow via file->private_data.
>
> Thanks,
> //richard
Powered by blists - more mailing lists