authorMahesh Bandewar <maheshb@google.com>2015-06-18 14:30:54 -0400
committerDavid S. Miller <davem@davemloft.net>2015-06-23 06:11:52 -0400
commit4cd6b4754492c08f00e6237fd7e5c8b443370d15 (patch)
tree0ce370cb5df403d33052768ec5db283cc3448180 /drivers/net/bonding/bond_procfs.c
parent1f02c09bc34a892b4a7c67e7ffa036b96794e69b (diff)
bonding: Display LACP info only to CAP_NET_ADMIN capable user
Actor and Partner details can be accessed via proc-fs, sys-fs entries or the netlink interface. These interfaces are world readable at this moment. The earlier patch-series made the LACP communication secure to avoid nuisance attacks from within the same L2 domain, but it did not prevent "someone unprivileged" from looking at that information on the host and performing the same act. This patch essentially avoids spitting out those entries if the user in question does not have enough privileges.
Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Signed-off-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/bonding/bond_procfs.c')
-rw-r--r--drivers/net/bonding/bond_procfs.c101
1 files changed, 53 insertions, 48 deletions
diff --git a/drivers/net/bonding/bond_procfs.c b/drivers/net/bonding/bond_procfs.c
index e7f3047a26df..f514fe5e80a5 100644
--- a/drivers/net/bonding/bond_procfs.c
+++ b/drivers/net/bonding/bond_procfs.c
@@ -135,27 +135,30 @@ static void bond_info_show_master(struct seq_file *seq)
135 bond->params.ad_select); 135 bond->params.ad_select);
136 seq_printf(seq, "Aggregator selection policy (ad_select): %s\n", 136 seq_printf(seq, "Aggregator selection policy (ad_select): %s\n",
137 optval->string); 137 optval->string);
138 seq_printf(seq, "System priority: %d\n", 138 if (capable(CAP_NET_ADMIN)) {
139 BOND_AD_INFO(bond).system.sys_priority); 139 seq_printf(seq, "System priority: %d\n",
140 seq_printf(seq, "System MAC address: %pM\n", 140 BOND_AD_INFO(bond).system.sys_priority);
141 &BOND_AD_INFO(bond).system.sys_mac_addr); 141 seq_printf(seq, "System MAC address: %pM\n",
142 142 &BOND_AD_INFO(bond).system.sys_mac_addr);
143 if (__bond_3ad_get_active_agg_info(bond, &ad_info)) { 143
144 seq_printf(seq, "bond %s has no active aggregator\n", 144 if (__bond_3ad_get_active_agg_info(bond, &ad_info)) {
145 bond->dev->name); 145 seq_printf(seq,
146 } else { 146 "bond %s has no active aggregator\n",
147 seq_printf(seq, "Active Aggregator Info:\n"); 147 bond->dev->name);
148 148 } else {
149 seq_printf(seq, "\tAggregator ID: %d\n", 149 seq_printf(seq, "Active Aggregator Info:\n");
150 ad_info.aggregator_id); 150
151 seq_printf(seq, "\tNumber of ports: %d\n", 151 seq_printf(seq, "\tAggregator ID: %d\n",
152 ad_info.ports); 152 ad_info.aggregator_id);
153 seq_printf(seq, "\tActor Key: %d\n", 153 seq_printf(seq, "\tNumber of ports: %d\n",
154 ad_info.actor_key); 154 ad_info.ports);
155 seq_printf(seq, "\tPartner Key: %d\n", 155 seq_printf(seq, "\tActor Key: %d\n",
156 ad_info.partner_key); 156 ad_info.actor_key);
157 seq_printf(seq, "\tPartner Mac Address: %pM\n", 157 seq_printf(seq, "\tPartner Key: %d\n",
158 ad_info.partner_system); 158 ad_info.partner_key);
159 seq_printf(seq, "\tPartner Mac Address: %pM\n",
160 ad_info.partner_system);
161 }
159 } 162 }
160 } 163 }
161} 164}
@@ -199,33 +202,35 @@ static void bond_info_show_slave(struct seq_file *seq,
199 seq_printf(seq, "Partner Churned Count: %d\n", 202 seq_printf(seq, "Partner Churned Count: %d\n",
200 port->churn_partner_count); 203 port->churn_partner_count);
201 204
202 seq_puts(seq, "details actor lacp pdu:\n"); 205 if (capable(CAP_NET_ADMIN)) {
203 seq_printf(seq, " system priority: %d\n", 206 seq_puts(seq, "details actor lacp pdu:\n");
204 port->actor_system_priority); 207 seq_printf(seq, " system priority: %d\n",
205 seq_printf(seq, " system mac address: %pM\n", 208 port->actor_system_priority);
206 &port->actor_system); 209 seq_printf(seq, " system mac address: %pM\n",
207 seq_printf(seq, " port key: %d\n", 210 &port->actor_system);
208 port->actor_oper_port_key); 211 seq_printf(seq, " port key: %d\n",
209 seq_printf(seq, " port priority: %d\n", 212 port->actor_oper_port_key);
210 port->actor_port_priority); 213 seq_printf(seq, " port priority: %d\n",
211 seq_printf(seq, " port number: %d\n", 214 port->actor_port_priority);
212 port->actor_port_number); 215 seq_printf(seq, " port number: %d\n",
213 seq_printf(seq, " port state: %d\n", 216 port->actor_port_number);
214 port->actor_oper_port_state); 217 seq_printf(seq, " port state: %d\n",
215 218 port->actor_oper_port_state);
216 seq_puts(seq, "details partner lacp pdu:\n"); 219
217 seq_printf(seq, " system priority: %d\n", 220 seq_puts(seq, "details partner lacp pdu:\n");
218 port->partner_oper.system_priority); 221 seq_printf(seq, " system priority: %d\n",
219 seq_printf(seq, " system mac address: %pM\n", 222 port->partner_oper.system_priority);
220 &port->partner_oper.system); 223 seq_printf(seq, " system mac address: %pM\n",
221 seq_printf(seq, " oper key: %d\n", 224 &port->partner_oper.system);
222 port->partner_oper.key); 225 seq_printf(seq, " oper key: %d\n",
223 seq_printf(seq, " port priority: %d\n", 226 port->partner_oper.key);
224 port->partner_oper.port_priority); 227 seq_printf(seq, " port priority: %d\n",
225 seq_printf(seq, " port number: %d\n", 228 port->partner_oper.port_priority);
226 port->partner_oper.port_number); 229 seq_printf(seq, " port number: %d\n",
227 seq_printf(seq, " port state: %d\n", 230 port->partner_oper.port_number);
228 port->partner_oper.port_state); 231 seq_printf(seq, " port state: %d\n",
232 port->partner_oper.port_state);
233 }
229 } else { 234 } else {
230 seq_puts(seq, "Aggregator ID: N/A\n"); 235 seq_puts(seq, "Aggregator ID: N/A\n");
231 } 236 }
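Review bot: The new `capable(CAP_NET_ADMIN)` gates in bond_info_show_master() and bond_info_show_slave() are evaluated against the task that calls read(), not the one that opened the proc file, so what gets printed depends on who ends up reading the descriptor rather than on who opened it. If this tree's struct seq_file exposes the opening file, checking the opener's credentials with `if (file_ns_capable(seq->file, &init_user_ns, CAP_NET_ADMIN)) {` would tie the decision to open time; otherwise the limitation deserves a comment above each check, such as `/* LACP actor/partner details are sensitive; checked against the reader's credentials at show time */`. The check is also made against the initial user namespace, so a task holding CAP_NET_ADMIN only in the user namespace that owns its network namespace will presumably not see these fields for its own bond, which is worth confirming as intended. Both functions start before their hunks, and the commit message names sysfs and netlink as further paths to the same data that this file's change does not cover.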