Patch "genetlink: add CAP_NET_ADMIN test for multicast bind" has been added to the 4.14-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    genetlink: add CAP_NET_ADMIN test for multicast bind

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     genetlink-add-cap_net_admin-test-for-multicast-bind.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From stable+bounces-5310-greg=kroah.com@xxxxxxxxxxxxxxx Mon Dec 11 13:43:48 2023
From: Ido Schimmel <idosch@xxxxxxxxxx>
Date: Mon, 11 Dec 2023 14:42:59 +0200
Subject: genetlink: add CAP_NET_ADMIN test for multicast bind
To: <stable@xxxxxxxxxxxxxxx>
Cc: <davem@xxxxxxxxxxxxx>, <kuba@xxxxxxxxxx>, <pabeni@xxxxxxxxxx>, <edumazet@xxxxxxxxxx>, <nhorman@xxxxxxxxxxxxx>, <yotam.gi@xxxxxxxxx>, <sashal@xxxxxxxxxx>, <fw@xxxxxxxxx>, <jacob.e.keller@xxxxxxxxx>, <jiri@xxxxxxxxxx>
Message-ID: <20231211124301.822961-3-idosch@xxxxxxxxxx>

From: Ido Schimmel <idosch@xxxxxxxxxx>

This is a partial backport of upstream commit 4d54cc32112d ("mptcp:
avoid lock_fast usage in accept path"). It is only a partial backport
because the patch in the link below was erroneously squash-merged into
upstream commit 4d54cc32112d ("mptcp: avoid lock_fast usage in accept
path"). Below is the original patch description from Florian Westphal:

"
genetlink sets NL_CFG_F_NONROOT_RECV for its netlink socket so anyone can
subscribe to multicast messages.

rtnetlink doesn't allow this unconditionally,  rtnetlink_bind() restricts
bind requests to CAP_NET_ADMIN for a few groups.

This allows to set GENL_UNS_ADMIN_PERM flag on genl mcast groups to
mandate CAP_NET_ADMIN.

This will be used by the upcoming mptcp netlink event facility which
exposes the token (mptcp connection identifier) to userspace.
"

Link: https://lore.kernel.org/mptcp/20210213000001.379332-8-mathew.j.martineau@xxxxxxxxxxxxxxx/
Signed-off-by: Ido Schimmel <idosch@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 include/net/genetlink.h |    1 +
 net/netlink/genetlink.c |   32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

--- a/include/net/genetlink.h
+++ b/include/net/genetlink.h
@@ -14,6 +14,7 @@
  */
 struct genl_multicast_group {
 	char			name[GENL_NAMSIZ];
+	u8			flags;
 };
 
 struct genl_ops;
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -959,11 +959,43 @@ static struct genl_family genl_ctrl __ro
 	.netnsok = true,
 };
 
+static int genl_bind(struct net *net, int group)
+{
+	const struct genl_family *family;
+	unsigned int id;
+	int ret = 0;
+
+	genl_lock_all();
+
+	idr_for_each_entry(&genl_fam_idr, family, id) {
+		const struct genl_multicast_group *grp;
+		int i;
+
+		if (family->n_mcgrps == 0)
+			continue;
+
+		i = group - family->mcgrp_offset;
+		if (i < 0 || i >= family->n_mcgrps)
+			continue;
+
+		grp = &family->mcgrps[i];
+		if ((grp->flags & GENL_UNS_ADMIN_PERM) &&
+		    !ns_capable(net->user_ns, CAP_NET_ADMIN))
+			ret = -EPERM;
+
+		break;
+	}
+
+	genl_unlock_all();
+	return ret;
+}
+
 static int __net_init genl_pernet_init(struct net *net)
 {
 	struct netlink_kernel_cfg cfg = {
 		.input		= genl_rcv,
 		.flags		= NL_CFG_F_NONROOT_RECV,
+		.bind		= genl_bind,
 	};
 
 	/* we'll bump the group number right afterwards */


Patches currently in stable-queue which might be from kroah.com@xxxxxxxxxxxxxxx are

queue-4.14/psample-require-cap_net_admin-when-joining-packets-group.patch
queue-4.14/drop_monitor-require-cap_sys_admin-when-joining-events-group.patch
queue-4.14/netlink-don-t-call-netlink_bind-with-table-lock-held.patch
queue-4.14/genetlink-add-cap_net_admin-test-for-multicast-bind.patch




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux