Merge branch 'generic-netlink-multicast-fixes'

Ido Schimmel says: ==================== Generic netlink multicast fixes Restrict two generic netlink multicast groups - in the "psample" and "NET_DM" families - to be root-only with the appropriate capabilities. See individual patches for more details. ==================== Link: https://lore.kernel.org/r/20231206213102.1824398-1-idosch@nvidia.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>

Merge branch 'generic-netlink-multicast-fixes'
Ido Schimmel says: ==================== Generic netlink multicast fixes Restrict two generic netlink multicast groups - in the "psample" and "NET_DM" families - to be root-only with the appropriate capabilities. See individual patches for more details. ==================== Link: https://lore.kernel.org/r/20231206213102.1824398-1-idosch@nvidia.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
a041adee · Jakub Kicinski · 4a02609d · e0378187 · a041adee · a041adee
Commit a041adee authored Dec 07, 2023 by Jakub Kicinski
Showing with 10 additions and 2 deletions

include/net/genetlink.h include/net/genetlink.h +2 -0

net/core/drop_monitor.c net/core/drop_monitor.c +3 -1

net/netlink/genetlink.c net/netlink/genetlink.c +3 -0

net/psample/psample.c net/psample/psample.c +2 -1

No files found.
--- a/include/net/genetlink.h
+++ b/include/net/genetlink.h
@@ -12,10 +12,12 @@
 * struct genl_multicast_group - generic netlink multicast group
 * @name: name of the multicast group, names are per-family
 * @flags: GENL_* flags (%GENL_ADMIN_PERM or %GENL_UNS_ADMIN_PERM)
+ * @cap_sys_admin: whether %CAP_SYS_ADMIN is required for binding
 */
 struct genl_multicast_group {
 	char			name[GENL_NAMSIZ];
 	u8			flags;
+	u8			cap_sys_admin:1;
 };
 struct genl_split_ops;

--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -183,7 +183,7 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data)
 }
 static const struct genl_multicast_group dropmon_mcgrps[] = {
-	{ .name = "events", },
+	{ .name = "events", .cap_sys_admin = 1 },
 };
 static void send_dm_alert(struct work_struct *work)
@@ -1619,11 +1619,13 @@ static const struct genl_small_ops dropmon_ops[] = {
 		.cmd = NET_DM_CMD_START,
 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
 		.doit = net_dm_cmd_trace,
+		.flags = GENL_ADMIN_PERM,
 	},
 	{
 		.cmd = NET_DM_CMD_STOP,
 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
 		.doit = net_dm_cmd_trace,
+		.flags = GENL_ADMIN_PERM,
 	},
 	{
 		.cmd = NET_DM_CMD_CONFIG_GET,

--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1691,6 +1691,9 @@ static int genl_bind(struct net *net, int group)
 		if ((grp->flags & GENL_UNS_ADMIN_PERM) &&
 		    !ns_capable(net->user_ns, CAP_NET_ADMIN))
 			ret = -EPERM;
+		if (grp->cap_sys_admin &&
+		    !ns_capable(net->user_ns, CAP_SYS_ADMIN))
+			ret = -EPERM;
 		break;
 	}

--- a/net/psample/psample.c
+++ b/net/psample/psample.c
@@ -31,7 +31,8 @@ enum psample_nl_multicast_groups {
 static const struct genl_multicast_group psample_nl_mcgrps[] = {
 	[PSAMPLE_NL_MCGRP_CONFIG] = { .name = PSAMPLE_NL_MCGRP_CONFIG_NAME },
-	[PSAMPLE_NL_MCGRP_SAMPLE] = { .name = PSAMPLE_NL_MCGRP_SAMPLE_NAME },
+	[PSAMPLE_NL_MCGRP_SAMPLE] = { .name = PSAMPLE_NL_MCGRP_SAMPLE_NAME,
+				      .flags = GENL_UNS_ADMIN_PERM },
 };
 static struct genl_family psample_nl_family __ro_after_init;