| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Mar 2023 19:19:52 -0800
From: Anjali Kulkarni <anjali.k.kulkarni@...cle.com>
To: davem@...emloft.net
Cc: edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
zbr@...emap.net, brauner@...nel.org, johannes@...solutions.net,
ecree.xilinx@...il.com, leon@...nel.org, keescook@...omium.org,
socketcan@...tkopp.net, petrm@...dia.com,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
anjali.k.kulkarni@...cle.com
Subject: [PATCH 4/5] connector/cn_proc: Allow non-root users access
The patch allows non-root users to receive cn proc connector
notifications, as anyone can normally get process start/exit status from
/proc. The reason for not allowing non-root users to receive multicast
messages is long gone, as described in this thread:
https://linux-kernel.vger.kernel.narkive.com/CpJFcnra/multicast-netlink-for-non-root-process
Also, many other netlink protocols allow non-root users to receive multicast
messages, and there is no reason to discriminate against CONNECTOR.
Reason we need this change is we need to run our DB application as a
non-root user.
Signed-off-by: Anjali Kulkarni <anjali.k.kulkarni@...cle.com>
---
drivers/connector/cn_proc.c | 7 -------
drivers/connector/connector.c | 1 +
2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
index ef3820b43b5c..03ba70f07113 100644
--- a/drivers/connector/cn_proc.c
+++ b/drivers/connector/cn_proc.c
@@ -376,12 +376,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
!task_is_in_init_pid_ns(current))
return;
- /* Can only change if privileged. */
- if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) {
- err = EPERM;
- goto out;
- }
-
if (msg->len == sizeof(mc_op))
mc_op = *((enum proc_cn_mcast_op *)msg->data);
else
@@ -414,7 +408,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
break;
}
-out:
cn_proc_ack(err, msg->seq, msg->ack);
}
diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index 1b7851b1aa0f..136a9f38a063 100644
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -251,6 +251,7 @@ static int cn_init(void)
{
struct cn_dev *dev = &cdev;
struct netlink_kernel_cfg cfg = {
+ .flags = NL_CFG_F_NONROOT_RECV,
.groups = CN_NETLINK_USERS + 0xf,
.input = cn_rx_skb,
};
--
2.39.2
Powered by blists - more mailing lists