net: Verify permission to dest_net in newlink

When applicable verify that the caller has permision to create a network device in another network namespace. This check is already present when moving a network device between network namespaces in setlink so all that is needed is to duplicate that check in newlink. This change almost backports cleanly, but there are context conflicts as the code that follows was added in v4.0-rc1 Fixes: b51642f6 net: Enable a userns root rtnl calls that are safe for unprivilged users Signed-off-by: N "Eric W. Biederman" <ebiederm@xmission.com> Acked-by: N Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

net: Verify permission to dest_net in newlink
When applicable verify that the caller has permision to create a network device in another network namespace. This check is already present when moving a network device between network namespaces in setlink so all that is needed is to duplicate that check in newlink. This change almost backports cleanly, but there are context conflicts as the code that follows was added in v4.0-rc1 Fixes: b51642f6 net: Enable a userns root rtnl calls that are safe for unprivilged users Signed-off-by: N "Eric W. Biederman" <ebiederm@xmission.com> Acked-by: N Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
505ce415 · Eric W. Biederman · David S. Miller · 56887149 · 505ce415
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

net/core/rtnetlink.c net/core/rtnetlink.c +4 -0

未找到文件。
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2122,6 +2122,10 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh)
 		if (IS_ERR(dest_net))
 			return PTR_ERR(dest_net);
+		err = -EPERM;
+		if (!netlink_ns_capable(skb, dest_net->user_ns, CAP_NET_ADMIN))
+			goto out;
 		if (tb[IFLA_LINK_NETNSID]) {
 			int id = nla_get_s32(tb[IFLA_LINK_NETNSID]);