authorMahesh Bandewar <maheshb@google.com>2015-06-18 14:30:54 -0400
committerDavid S. Miller <davem@davemloft.net>2015-06-23 06:11:52 -0400
commit4cd6b4754492c08f00e6237fd7e5c8b443370d15 (patch)
tree0ce370cb5df403d33052768ec5db283cc3448180 /drivers
parent1f02c09bc34a892b4a7c67e7ffa036b96794e69b (diff)
bonding: Display LACP info only to CAP_NET_ADMIN capable user
Actor and Partner details can be accessed via proc-fs, sys-fs entries or netlink interface. These interfaces are world readable at this moment. The earlier patch-series made the LACP communication secure to avoid a nuisance attack from within the same L2 domain but it did not prevent "someone unprivileged" looking at that information on the host and performing the same act. This patch essentially avoids emitting those entries if the user in question does not have enough privileges. Signed-off-by: Mahesh Bandewar <maheshb@google.com> Signed-off-by: Andy Gospodarek <gospo@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/bonding/bond_netlink.c23
-rw-r--r--drivers/net/bonding/bond_procfs.c101
-rw-r--r--drivers/net/bonding/bond_sysfs.c12
3 files changed, 71 insertions, 65 deletions
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
index 5580fcde738f..1bda29249d12 100644
--- a/drivers/net/bonding/bond_netlink.c
+++ b/drivers/net/bonding/bond_netlink.c
@@ -601,19 +601,20 @@ static int bond_fill_info(struct sk_buff *skb,
601 if (BOND_MODE(bond) == BOND_MODE_8023AD) { 601 if (BOND_MODE(bond) == BOND_MODE_8023AD) {
602 struct ad_info info; 602 struct ad_info info;
603 603
604 if (nla_put_u16(skb, IFLA_BOND_AD_ACTOR_SYS_PRIO, 604 if (capable(CAP_NET_ADMIN)) {
605 bond->params.ad_actor_sys_prio)) 605 if (nla_put_u16(skb, IFLA_BOND_AD_ACTOR_SYS_PRIO,
606 goto nla_put_failure; 606 bond->params.ad_actor_sys_prio))
607 607 goto nla_put_failure;
608 if (nla_put_u16(skb, IFLA_BOND_AD_USER_PORT_KEY,
609 bond->params.ad_user_port_key))
610 goto nla_put_failure;
611 608
612 if (nla_put(skb, IFLA_BOND_AD_ACTOR_SYSTEM, 609 if (nla_put_u16(skb, IFLA_BOND_AD_USER_PORT_KEY,
613 sizeof(bond->params.ad_actor_system), 610 bond->params.ad_user_port_key))
614 &bond->params.ad_actor_system)) 611 goto nla_put_failure;
615 goto nla_put_failure;
616 612
613 if (nla_put(skb, IFLA_BOND_AD_ACTOR_SYSTEM,
614 sizeof(bond->params.ad_actor_system),
615 &bond->params.ad_actor_system))
616 goto nla_put_failure;
617 }
617 if (!bond_3ad_get_active_agg_info(bond, &info)) { 618 if (!bond_3ad_get_active_agg_info(bond, &info)) {
618 struct nlattr *nest; 619 struct nlattr *nest;
619 620
diff --git a/drivers/net/bonding/bond_procfs.c b/drivers/net/bonding/bond_procfs.c
index e7f3047a26df..f514fe5e80a5 100644
--- a/drivers/net/bonding/bond_procfs.c
+++ b/drivers/net/bonding/bond_procfs.c
@@ -135,27 +135,30 @@ static void bond_info_show_master(struct seq_file *seq)
135 bond->params.ad_select); 135 bond->params.ad_select);
136 seq_printf(seq, "Aggregator selection policy (ad_select): %s\n", 136 seq_printf(seq, "Aggregator selection policy (ad_select): %s\n",
137 optval->string); 137 optval->string);
138 seq_printf(seq, "System priority: %d\n", 138 if (capable(CAP_NET_ADMIN)) {
139 BOND_AD_INFO(bond).system.sys_priority); 139 seq_printf(seq, "System priority: %d\n",
140 seq_printf(seq, "System MAC address: %pM\n", 140 BOND_AD_INFO(bond).system.sys_priority);
141 &BOND_AD_INFO(bond).system.sys_mac_addr); 141 seq_printf(seq, "System MAC address: %pM\n",
142 142 &BOND_AD_INFO(bond).system.sys_mac_addr);
143 if (__bond_3ad_get_active_agg_info(bond, &ad_info)) { 143
144 seq_printf(seq, "bond %s has no active aggregator\n", 144 if (__bond_3ad_get_active_agg_info(bond, &ad_info)) {
145 bond->dev->name); 145 seq_printf(seq,
146 } else { 146 "bond %s has no active aggregator\n",
147 seq_printf(seq, "Active Aggregator Info:\n"); 147 bond->dev->name);
148 148 } else {
149 seq_printf(seq, "\tAggregator ID: %d\n", 149 seq_printf(seq, "Active Aggregator Info:\n");
150 ad_info.aggregator_id); 150
151 seq_printf(seq, "\tNumber of ports: %d\n", 151 seq_printf(seq, "\tAggregator ID: %d\n",
152 ad_info.ports); 152 ad_info.aggregator_id);
153 seq_printf(seq, "\tActor Key: %d\n", 153 seq_printf(seq, "\tNumber of ports: %d\n",
154 ad_info.actor_key); 154 ad_info.ports);
155 seq_printf(seq, "\tPartner Key: %d\n", 155 seq_printf(seq, "\tActor Key: %d\n",
156 ad_info.partner_key); 156 ad_info.actor_key);
157 seq_printf(seq, "\tPartner Mac Address: %pM\n", 157 seq_printf(seq, "\tPartner Key: %d\n",
158 ad_info.partner_system); 158 ad_info.partner_key);
159 seq_printf(seq, "\tPartner Mac Address: %pM\n",
160 ad_info.partner_system);
161 }
159 } 162 }
160 } 163 }
161} 164}
@@ -199,33 +202,35 @@ static void bond_info_show_slave(struct seq_file *seq,
199 seq_printf(seq, "Partner Churned Count: %d\n", 202 seq_printf(seq, "Partner Churned Count: %d\n",
200 port->churn_partner_count); 203 port->churn_partner_count);
201 204
202 seq_puts(seq, "details actor lacp pdu:\n"); 205 if (capable(CAP_NET_ADMIN)) {
203 seq_printf(seq, " system priority: %d\n", 206 seq_puts(seq, "details actor lacp pdu:\n");
204 port->actor_system_priority); 207 seq_printf(seq, " system priority: %d\n",
205 seq_printf(seq, " system mac address: %pM\n", 208 port->actor_system_priority);
206 &port->actor_system); 209 seq_printf(seq, " system mac address: %pM\n",
207 seq_printf(seq, " port key: %d\n", 210 &port->actor_system);
208 port->actor_oper_port_key); 211 seq_printf(seq, " port key: %d\n",
209 seq_printf(seq, " port priority: %d\n", 212 port->actor_oper_port_key);
210 port->actor_port_priority); 213 seq_printf(seq, " port priority: %d\n",
211 seq_printf(seq, " port number: %d\n", 214 port->actor_port_priority);
212 port->actor_port_number); 215 seq_printf(seq, " port number: %d\n",
213 seq_printf(seq, " port state: %d\n", 216 port->actor_port_number);
214 port->actor_oper_port_state); 217 seq_printf(seq, " port state: %d\n",
215 218 port->actor_oper_port_state);
216 seq_puts(seq, "details partner lacp pdu:\n"); 219
217 seq_printf(seq, " system priority: %d\n", 220 seq_puts(seq, "details partner lacp pdu:\n");
218 port->partner_oper.system_priority); 221 seq_printf(seq, " system priority: %d\n",
219 seq_printf(seq, " system mac address: %pM\n", 222 port->partner_oper.system_priority);
220 &port->partner_oper.system); 223 seq_printf(seq, " system mac address: %pM\n",
221 seq_printf(seq, " oper key: %d\n", 224 &port->partner_oper.system);
222 port->partner_oper.key); 225 seq_printf(seq, " oper key: %d\n",
223 seq_printf(seq, " port priority: %d\n", 226 port->partner_oper.key);
224 port->partner_oper.port_priority); 227 seq_printf(seq, " port priority: %d\n",
225 seq_printf(seq, " port number: %d\n", 228 port->partner_oper.port_priority);
226 port->partner_oper.port_number); 229 seq_printf(seq, " port number: %d\n",
227 seq_printf(seq, " port state: %d\n", 230 port->partner_oper.port_number);
228 port->partner_oper.port_state); 231 seq_printf(seq, " port state: %d\n",
232 port->partner_oper.port_state);
233 }
229 } else { 234 } else {
230 seq_puts(seq, "Aggregator ID: N/A\n"); 235 seq_puts(seq, "Aggregator ID: N/A\n");
231 } 236 }
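Review bot: capable(CAP_NET_ADMIN) at new line 138 is evaluated against the task performing the read, not the task that opened the proc file, so what a given file descriptor reveals depends on who reads it (a descriptor opened by an unprivileged process and read by a privileged helper yields the full LACP details). Checking the opener's credentials instead, for example `if (file_ns_capable(seq->file, &init_user_ns, CAP_NET_ADMIN)) {` (assuming seq->file is populated for this seq_file), ties the decision to open time. The second hunk, new line 205 in bond_info_show_slave, has the same shape and would take the same change. Both checks also use the audited capable() variant on a world-readable file, so with audit or an LSM enabled every unprivileged read may generate a denial record; if that noise matters, a no-audit variant such as has_capability_noaudit() is the usual choice for a read-side visibility test. Both enclosing functions start and end outside their hunks.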
diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
index 143a2abd1c1c..31835a4dab57 100644
--- a/drivers/net/bonding/bond_sysfs.c
+++ b/drivers/net/bonding/bond_sysfs.c
@@ -549,7 +549,7 @@ static ssize_t bonding_show_ad_actor_key(struct device *d,
549 int count = 0; 549 int count = 0;
550 struct bonding *bond = to_bond(d); 550 struct bonding *bond = to_bond(d);
551 551
552 if (BOND_MODE(bond) == BOND_MODE_8023AD) { 552 if (BOND_MODE(bond) == BOND_MODE_8023AD && capable(CAP_NET_ADMIN)) {
553 struct ad_info ad_info; 553 struct ad_info ad_info;
554 count = sprintf(buf, "%d\n", 554 count = sprintf(buf, "%d\n",
555 bond_3ad_get_active_agg_info(bond, &ad_info) 555 bond_3ad_get_active_agg_info(bond, &ad_info)
@@ -569,7 +569,7 @@ static ssize_t bonding_show_ad_partner_key(struct device *d,
569 int count = 0; 569 int count = 0;
570 struct bonding *bond = to_bond(d); 570 struct bonding *bond = to_bond(d);
571 571
572 if (BOND_MODE(bond) == BOND_MODE_8023AD) { 572 if (BOND_MODE(bond) == BOND_MODE_8023AD && capable(CAP_NET_ADMIN)) {
573 struct ad_info ad_info; 573 struct ad_info ad_info;
574 count = sprintf(buf, "%d\n", 574 count = sprintf(buf, "%d\n",
575 bond_3ad_get_active_agg_info(bond, &ad_info) 575 bond_3ad_get_active_agg_info(bond, &ad_info)
@@ -589,7 +589,7 @@ static ssize_t bonding_show_ad_partner_mac(struct device *d,
589 int count = 0; 589 int count = 0;
590 struct bonding *bond = to_bond(d); 590 struct bonding *bond = to_bond(d);
591 591
592 if (BOND_MODE(bond) == BOND_MODE_8023AD) { 592 if (BOND_MODE(bond) == BOND_MODE_8023AD && capable(CAP_NET_ADMIN)) {
593 struct ad_info ad_info; 593 struct ad_info ad_info;
594 if (!bond_3ad_get_active_agg_info(bond, &ad_info)) 594 if (!bond_3ad_get_active_agg_info(bond, &ad_info))
595 count = sprintf(buf, "%pM\n", ad_info.partner_system); 595 count = sprintf(buf, "%pM\n", ad_info.partner_system);
@@ -698,7 +698,7 @@ static ssize_t bonding_show_ad_actor_sys_prio(struct device *d,
698{ 698{
699 struct bonding *bond = to_bond(d); 699 struct bonding *bond = to_bond(d);
700 700
701 if (BOND_MODE(bond) == BOND_MODE_8023AD) 701 if (BOND_MODE(bond) == BOND_MODE_8023AD && capable(CAP_NET_ADMIN))
702 return sprintf(buf, "%hu\n", bond->params.ad_actor_sys_prio); 702 return sprintf(buf, "%hu\n", bond->params.ad_actor_sys_prio);
703 703
704 return 0; 704 return 0;
@@ -712,7 +712,7 @@ static ssize_t bonding_show_ad_actor_system(struct device *d,
712{ 712{
713 struct bonding *bond = to_bond(d); 713 struct bonding *bond = to_bond(d);
714 714
715 if (BOND_MODE(bond) == BOND_MODE_8023AD) 715 if (BOND_MODE(bond) == BOND_MODE_8023AD && capable(CAP_NET_ADMIN))
716 return sprintf(buf, "%pM\n", bond->params.ad_actor_system); 716 return sprintf(buf, "%pM\n", bond->params.ad_actor_system);
717 717
718 return 0; 718 return 0;
@@ -727,7 +727,7 @@ static ssize_t bonding_show_ad_user_port_key(struct device *d,
727{ 727{
728 struct bonding *bond = to_bond(d); 728 struct bonding *bond = to_bond(d);
729 729
730 if (BOND_MODE(bond) == BOND_MODE_8023AD) 730 if (BOND_MODE(bond) == BOND_MODE_8023AD && capable(CAP_NET_ADMIN))
731 return sprintf(buf, "%hu\n", bond->params.ad_user_port_key); 731 return sprintf(buf, "%hu\n", bond->params.ad_user_port_key);
732 732
733 return 0; 733 return 0;
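Review bot: The six hunks (new lines 552, 572, 592, 701, 715 and 730) each fold capable(CAP_NET_ADMIN) into the 802.3ad mode test, so an unprivileged reader receives an empty file that is indistinguishable from "not in 802.3ad mode", and as in the procfs change the decision is made against the reading task at read time rather than the opener. For sysfs the more conventional mitigation is to restrict the attribute's file mode at registration (the DEVICE_ATTR definitions are outside these hunks) so the VFS enforces it at open; failing that, an explicit `if (!capable(CAP_NET_ADMIN)) return -EPERM;` ahead of the mode test lets callers and monitoring distinguish refusal from absence. A one-line comment on the first of these, e.g. `/* LACP actor/partner identifiers are exposed only to CAP_NET_ADMIN */`, would record the intent for the five that follow. Each function's signature and opening lie outside its hunk.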