| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 16 Jul 2016 17:41:56 +0800 From: Shanker Wang <miao.wang@...a.tsinghua.edu.cn> To: Richard Weinberger <richard@....at> Cc: netdev@...r.kernel.org Subject: Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp Hi Richard, Sorry for the late reply after dealing with my personal issues. After reading the code, I find out that when /dev/ppp is opened, the instance is in “unattached” state and `file->private_data` is null correspondingly. After creating a new instance, attaching to a instance or attaching to a channel using ioctl (ppp_unattached_ioctl), the state is changed to “attached” and `file->private_data` becomes valid. My opinion is that only checking capability in `current->nsproxy->net_ns->user_ns` is enough. The reason is that to create a ppp interface or control a ppp interface (in short, to “modify” the network configuration), we should always first create a new instance by opening `/dev/ppp` and attach it to a unit or so. As you mentioned, “an user can create a new user_ns followed by a new net_ns and has CAP_NET_ADMIN”. However, in that case, he can create new units by `ioctl PPPIOCNEWUNIT` but cannot attach to units existing in other net_ns by `ioctl PPPIOCATTACH`, because `ppp_find_unit` can only find unit in the current net_ns. In spite of that, I have to admit that there is risk that lots of ppp devices are created filling all kernel memory. I think this can be avoided by some other methods. You have mentioned in another reply that “the use of nsproxy has to be removed” but I don’t understand the reason. In comparison, I found similar usage of nsproxy in `tun.c`. So could you please give a more detailed explanation? Thanks! > 在 2016年6月19日,18:40,Richard Weinberger <richard@....at> 写道: > > Am 19.06.2016 um 12:36 schrieb Shanker Wang: >> >>> 在 2016年6月19日,12:13,Richard Weinberger <richard@....at> 写道: >>> >>> Am 19.06.2016 um 07:21 schrieb Shanker Wang: >>>> This patch removes the check for CAP_NET_ADMIN in the initial namespace >>>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user >>>> namespace the net namespace was created so that /dev/ppp cat get opened >>>> in a unprivileged container. >>>> >>>> Cc: Hannes Frederic Sowa <hannes@...essinduktion.org> >>>> Cc: Richard Weinberger <richard.weinberger@...il.com> >>>> Cc: Guillaume Nault <g.nault@...halink.fr> >>>> Cc: Miao Wang <shankerwangmiao@...il.com> >>>> Signed-off-by: Miao Wang <miao.wang@...a.tsinghua.edu.cn> >>>> --- >>>> drivers/net/ppp/ppp_generic.c | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c >>>> index f572b31..4b3b2b5 100644 >>>> --- a/drivers/net/ppp/ppp_generic.c >>>> +++ b/drivers/net/ppp/ppp_generic.c >>>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file) >>>> /* >>>> * This could (should?) be enforced by the permissions on /dev/ppp. >>>> */ >>>> - if (!capable(CAP_NET_ADMIN)) >>>> + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN)) >>>> return -EPERM; >>> >>> Shouldn't this be a ns_capable(net->user_ns, …? >>> Otherwise an user can create a new user_ns followed by a new net_ns and has >>> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the >>> net_ns which belongs to the ppp net device which you want to open. >> You are totally right. However, I wonder how can i get the “net” struct when >> opening /dev/ppp > > I'm sure you can get it somehow via file->private_data. > > Thanks, > //richard
Powered by blists - more mailing lists