net: Allow userns root to control ipv6

Allow an unpriviled user who has created a user namespace, and then created a network namespace to effectively use the new network namespace, by reducing capable(CAP_NET_ADMIN) and capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns, CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls. Settings that merely control a single network device are allowed. Either the network device is a logical network device where restrictions make no difference or the network device is hardware NIC that has been explicity moved from the initial network namespace. In general policy and network stack state changes are allowed while resource control is left unchanged. Allow the SIOCSIFADDR ioctl to add ipv6 addresses. Allow the SIOCDIFADDR ioctl to delete ipv6 addresses. Allow the SIOCADDRT ioctl to add ipv6 routes. Allow the SIOCDELRT ioctl to delete ipv6 routes. Allow creation of ipv6 raw sockets. Allow setting the IPV6_JOIN_ANYCAST socket option. Allow setting the IPV6_FL_A_RENEW parameter of the IPV6_FLOWLABEL_MGR socket option. Allow setting the IPV6_TRANSPARENT socket option. Allow setting the IPV6_HOPOPTS socket option. Allow setting the IPV6_RTHDRDSTOPTS socket option. Allow setting the IPV6_DSTOPTS socket option. Allow setting the IPV6_IPSEC_POLICY socket option. Allow setting the IPV6_XFRM_POLICY socket option. Allow sending packets with the IPV6_2292HOPOPTS control message. Allow sending packets with the IPV6_2292DSTOPTS control message. Allow sending packets with the IPV6_RTHDRDSTOPTS control message. Allow setting the multicast routing socket options on non multicast routing sockets. Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, and SIOCDELTUNNEL ioctls for setting up, changing and deleting tunnels over ipv6. Allow the SIOCADDTUNNEL, SIOCCHGTUNNEL, SIOCDELTUNNEL ioctls for setting up, changing and deleting ipv6 over ipv4 tunnels. Allow the SIOCADDPRL, SIOCDELPRL, SIOCCHGPRL ioctls for adding, deleting, and changing the potential router list for ISATAP tunnels. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric W. Biederman <ebiederm@xmission.com> 2012-11-15 22:03:06 -0500
committer: David S. Miller <davem@davemloft.net> 2012-11-18 20:32:45 -0500
commit: af31f412c7c7a3c0fda4bf4beaf0c85af1f263c8 (patch)
tree: f140b9a4956d891c1e5cf59c30c65cc7245cc764 /net/ipv6/sit.c
parent: 52e804c6dfaa5df1e4b0e290357b82ad4e4cda2c (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index ca6c2c8e71d2..fee21c6c3ebf 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -988,7 +988,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
        case SIOCADDTUNNEL:
        case SIOCCHGTUNNEL:
                err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        goto done;
                err = -EFAULT;
@@ -1032,7 +1032,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
        case SIOCDELTUNNEL:
                err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        goto done;
                if (dev == sitn->fb_tunnel_dev) {
@@ -1065,7 +1065,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
        case SIOCDELPRL:
        case SIOCCHGPRL:
                err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        goto done;
                err = -EINVAL;
                if (dev == sitn->fb_tunnel_dev)
@@ -1094,7 +1094,7 @@ ipip6_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
        case SIOCCHG6RD:
        case SIOCDEL6RD:
                err = -EPERM;
-                if (!capable(CAP_NET_ADMIN))
+                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        goto done;
                err = -EFAULT;
author	Eric W. Biederman <ebiederm@xmission.com>	2012-11-15 22:03:06 -0500
committer	David S. Miller <davem@davemloft.net>	2012-11-18 20:32:45 -0500
commit	af31f412c7c7a3c0fda4bf4beaf0c85af1f263c8 (patch)
tree	f140b9a4956d891c1e5cf59c30c65cc7245cc764 /net/ipv6/sit.c
parent	52e804c6dfaa5df1e4b0e290357b82ad4e4cda2c (diff)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index ca6c2c8e71d2..fee21c6c3ebf 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c
@@ -988,7 +988,7 @@ ipip6_tunnel_ioctl (struct net_device dev, struct ifreq ifr, int cmd)
988	case SIOCADDTUNNEL:	988	case SIOCADDTUNNEL:
989	case SIOCCHGTUNNEL:	989	case SIOCCHGTUNNEL:
990	err = -EPERM;	990	err = -EPERM;
991	if (!capable(CAP_NET_ADMIN))	991	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
992	goto done;	992	goto done;
993		993
994	err = -EFAULT;	994	err = -EFAULT;
@@ -1032,7 +1032,7 @@ ipip6_tunnel_ioctl (struct net_device dev, struct ifreq ifr, int cmd)
1032		1032
1033	case SIOCDELTUNNEL:	1033	case SIOCDELTUNNEL:
1034	err = -EPERM;	1034	err = -EPERM;
1035	if (!capable(CAP_NET_ADMIN))	1035	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1036	goto done;	1036	goto done;
1037		1037
1038	if (dev == sitn->fb_tunnel_dev) {	1038	if (dev == sitn->fb_tunnel_dev) {
@@ -1065,7 +1065,7 @@ ipip6_tunnel_ioctl (struct net_device dev, struct ifreq ifr, int cmd)
1065	case SIOCDELPRL:	1065	case SIOCDELPRL:
1066	case SIOCCHGPRL:	1066	case SIOCCHGPRL:
1067	err = -EPERM;	1067	err = -EPERM;
1068	if (!capable(CAP_NET_ADMIN))	1068	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1069	goto done;	1069	goto done;
1070	err = -EINVAL;	1070	err = -EINVAL;
1071	if (dev == sitn->fb_tunnel_dev)	1071	if (dev == sitn->fb_tunnel_dev)
@@ -1094,7 +1094,7 @@ ipip6_tunnel_ioctl (struct net_device dev, struct ifreq ifr, int cmd)
1094	case SIOCCHG6RD:	1094	case SIOCCHG6RD:
1095	case SIOCDEL6RD:	1095	case SIOCDEL6RD:
1096	err = -EPERM;	1096	err = -EPERM;
1097	if (!capable(CAP_NET_ADMIN))	1097	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
1098	goto done;	1098	goto done;
1099		1099
1100	err = -EFAULT;	1100	err = -EFAULT;