> From: Jason Gunthorpe <jgg@xxxxxxxxxx>
> Sent: Tuesday, March 18, 2025 1:02 AM
>
> On Thu, Mar 13, 2025 at 07:08:32AM +0200, Parav Pandit wrote:
> > Currently, the capability check is done on the current process which
> > may have the CAP_NET_RAW capability, but such process may not have
> > opened the file. A file could have been opened by a lesser
> > privilege process that does not possess the CAP_NET_RAW capability.
> >
> > To avoid such situations, perform the capability checks against the
> > file's credentials. This approach ensures that the capabilities of the
> > process that opened the file are enforced.
> >
> > Fixes: c938a616aadb ("IB/core: Add raw packet QP type")
> > Signed-off-by: Parav Pandit <parav@xxxxxxxxxx>
> > Suggested-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> >
> > ---
> >
> > Eric,
> >
> > Shouldn't we check the capabilities of the process that opened the
> > file and also the current process that is issuing the create_flow()
> > ioctl? This way, the minimum capabilities of both processes are
> > considered.
>
> I would say no, that is not our model in RDMA. The process that opens the file
> is irrelevant. We only check the current system call context for capability,
> much like any other system call.
>

Eric explained the motivation [1] and [2] for this fix is:
A lesser privilege process A opens the fd (currently caps are not checked), passes the fd to a higher privilege process B.
And somehow let process B pass the needed capabilities check for resource creation, after which process A continues to use the resource without capability.

[1] https://lore.kernel.org/linux-rdma/87ecz4q27k.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
[2] https://lore.kernel.org/linux-rdma/87msdsoism.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/

> Jason
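A userspace model of the three check policies debated in this thread (current task only, the file opener's credentials only, or both), added here as an example and not part of the original messages or the kernel patch. The `struct cred` and `struct file` stand-ins and every function name are simplified assumptions, not kernel code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_RAW 13 /* same value as in linux/capability.h */

/* Hypothetical stand-ins for the kernel objects; this is a model only. */
struct cred { uint64_t cap_effective; };
struct file { const struct cred *f_cred; }; /* opener's creds, fixed at open() */

static bool has_cap(const struct cred *c, int cap)
{
    return (c->cap_effective >> cap) & 1;
}

/* Policy 1: look only at the task issuing the system call. */
static bool check_current(const struct file *f, const struct cred *cur, int cap)
{
    (void)f;
    return has_cap(cur, cap);
}

/* Policy 2: look only at the credentials captured when the file was opened. */
static bool check_file(const struct file *f, const struct cred *cur, int cap)
{
    (void)cur;
    return has_cap(f->f_cred, cap);
}

/* Policy 3: require the capability in both opener and caller. */
static bool check_both(const struct file *f, const struct cred *cur, int cap)
{
    return check_file(f, cur, cap) && check_current(f, cur, cap);
}

static const struct cred proc_a = { 0 };                   /* lesser privilege */
static const struct cred proc_b = { 1ULL << CAP_NET_RAW }; /* holds CAP_NET_RAW */
static const struct file fd_from_a = { &proc_a };          /* opened by A */
static const struct file fd_from_b = { &proc_b };          /* opened by B */

int main(void)
{
    /* Constructed scenario from the thread: A opens the fd, B issues the call. */
    printf("A opens, B calls: current=%d file=%d both=%d\n",
           check_current(&fd_from_a, &proc_b, CAP_NET_RAW),
           check_file(&fd_from_a, &proc_b, CAP_NET_RAW),
           check_both(&fd_from_a, &proc_b, CAP_NET_RAW));
    return 0;
}
```

With the fd opened by A and the call issued by B, only the current-task policy grants the request; the file-credential and combined policies both refuse it.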