On Fri, 2012-11-16 at 06:32 -0800, Eric W. Biederman wrote:
> Glauber Costa <glommer@xxxxxxxxxxxxx> writes:
>
> > On 11/16/2012 05:03 PM, Eric W. Biederman wrote:
> >> +	if (!capable(CAP_NET_ADMIN))
> >> +		return -EPERM;
> >> +
> >>  	return netdev_store(dev, attr, buf, len, change_tx_queue_len);
> >
> > You mean ns_capable here?
>
> No. There I meant capable.
>
> I deliberately call capable here because I don't understand the
> tx_queue_len well enough to be certain it is safe to relax that check
> to be just ns_capable.
>
> My gut feel is that allowing an unprivileged user to be able to
> arbitrarily change the tx_queue_len on a networking device would be a
> nice way to allow queuing as many network packets as you would like with
> kernel memory and DOSing the machine.
>
> So since with a quick read of the code I could not convince myself it
> was safe to allow unprivileged users to change tx_queue_len I left it
> protected by capable. While at the same time I relaxed the check in
> netdev_store to be ns_capable.

For the same reason you had better be very selective about which ethtool
commands are allowed based on per-user_ns CAP_NET_ADMIN. Consider for a
start:

ETHTOOL_SMSGLVL => fill up the system log
ETHTOOL_SEEPROM => brick the NIC
ETHTOOL_FLASHDEV => brick the NIC; own the system if it's not using an IOMMU

Ben.

-- 
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
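Review bot: the `capable(CAP_NET_ADMIN)` check added in front of `return netdev_store(dev, attr, buf, len, change_tx_queue_len);` sits beside a `netdev_store()` that the same series relaxed to `ns_capable()`, and nothing in the hunk records that the stricter check is deliberate; a one-line comment above it, e.g. `/* Keep capable(): an unbounded tx_queue_len lets one namespace pin kernel memory */`, would stop the next reader from "fixing" it to `ns_capable()`.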
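The selectivity Ben asks for, as an added model written for this page and not code from the thread or the kernel: namespace-scoped CAP_NET_ADMIN is enough for settings whose effects stay inside the network namespace, while commands that reach the hardware or the host (the three he lists) still require CAP_NET_ADMIN in the init user namespace. The command ids and the `struct caller` flags are constructed for the model, not taken from `<linux/ethtool.h>` or the kernel's credential structures.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed ids for the model; the kernel's real values live in
 * <linux/ethtool.h> and are not reproduced here. */
enum ethtool_cmd {
	ETHTOOL_GSET = 1,   /* read link settings: no side effects */
	ETHTOOL_SMSGLVL,    /* set driver message level */
	ETHTOOL_SEEPROM,    /* write the NIC's EEPROM */
	ETHTOOL_FLASHDEV,   /* flash NIC firmware */
};

/* The two answers the kernel would give for the calling task. */
struct caller {
	bool init_ns_net_admin;  /* capable(CAP_NET_ADMIN) */
	bool owner_ns_net_admin; /* ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN) */
};

/* Commands whose consequences escape the network namespace (Ben's list). */
static bool escapes_namespace(enum ethtool_cmd cmd)
{
	switch (cmd) {
	case ETHTOOL_SMSGLVL:   /* floods the host-wide kernel log */
	case ETHTOOL_SEEPROM:   /* can brick the NIC */
	case ETHTOOL_FLASHDEV:  /* can brick the NIC; host compromise without an IOMMU */
		return true;
	default:
		return false;
	}
}

/* 0 if the command may proceed, -EPERM otherwise. */
int ethtool_perm_check(const struct caller *c, enum ethtool_cmd cmd)
{
	bool global = c->init_ns_net_admin;
	/* capable() in the init user namespace implies ns_capable() everywhere. */
	bool in_ns = global || c->owner_ns_net_admin;

	if (escapes_namespace(cmd))
		return global ? 0 : -EPERM;
	return in_ns ? 0 : -EPERM;
}

int main(void)
{
	struct caller container_root = { .init_ns_net_admin = false, .owner_ns_net_admin = true };
	printf("container root, GSET:     %d\n", ethtool_perm_check(&container_root, ETHTOOL_GSET));
	printf("container root, FLASHDEV: %d\n", ethtool_perm_check(&container_root, ETHTOOL_FLASHDEV));
	return 0;
}
```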