macvlan: disable SIOCSHWTSTAMP in container

Miroslav pointed that with NET_ADMIN enabled in container, a normal user could be mapped to root and is able to change the real device's rx filter via ioctl on macvlan, which would affect the other ptp process on host. Fix it by disabling SIOCSHWTSTAMP in container. Fixes: 254c0a2b ("macvlan: pass get_ts_info and SIOC[SG]HWTSTAMP ioctl to real device") Signed-off-by: N Hangbin Liu <liuhangbin@gmail.com> Acked-by: N Richard Cochran <richardcochran@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

macvlan: disable SIOCSHWTSTAMP in container
Miroslav pointed that with NET_ADMIN enabled in container, a normal user could be mapped to root and is able to change the real device's rx filter via ioctl on macvlan, which would affect the other ptp process on host. Fix it by disabling SIOCSHWTSTAMP in container. Fixes: 254c0a2b ("macvlan: pass get_ts_info and SIOC[SG]HWTSTAMP ioctl to real device") Signed-off-by: N Hangbin Liu <liuhangbin@gmail.com> Acked-by: N Richard Cochran <richardcochran@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
6c2ea9eb · Hangbin Liu · David S. Miller · ff946833 · 6c2ea9eb
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

drivers/net/macvlan.c drivers/net/macvlan.c +2 -0

未找到文件。
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -836,6 +836,8 @@ static int macvlan_do_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)

 	switch (cmd) {
 	case SIOCSHWTSTAMP:
+		if (!net_eq(dev_net(dev), &init_net))
+			break;
 	case SIOCGHWTSTAMP:
 		if (netif_device_present(real_dev) && ops->ndo_do_ioctl)
 			err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd);