sysctl: allow override of /proc/sys/net with CAP_NET_ADMIN

Extend the permission check for networking sysctl's to allow modification when current process has CAP_NET_ADMIN capability and is not root. This version uses the until now unused permissions hook to override the mode value for /proc/sys/net if accessed by a user with capabilities. Found while working with Quagga. It is impossible to turn forwarding on/off through the command interface because Quagga uses secure coding practice of dropping privledges during initialization and only raising via capabilities when necessary. Since the dameon has reset real/effective uid after initialization, all attempts to access /proc/sys/net variables will fail. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Andrew Morgan <morgan@kernel.org> Cc: Pavel Emelyanov <xemul@openvz.org> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Stephen Hemminger <shemminger@vyatta.com> 2008-07-25 04:48:32 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2008-07-25 13:53:45 -0400
commit: 4ecb90090c84210a8bd2a9d7a5906e616735873c (patch)
tree: a7baec8859ff9750296be318400ba4475eb40b6c /net
parent: 99541c23cd32bacf1a591ca537a7c0cb9053ad7e (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index 007c1a6708ee..63ada437fc2f 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -35,8 +35,22 @@ net_ctl_header_lookup(struct ctl_table_root *root, struct nsproxy *namespaces)
        return &namespaces->net_ns->sysctl_table_headers;
 }
+/* Return standard mode bits for table entry. */
+static int net_ctl_permissions(struct ctl_table_root *root,
+                               struct nsproxy *nsproxy,
+                               struct ctl_table *table)
+{
+        /* Allow network administrator to have same access as root. */
+        if (capable(CAP_NET_ADMIN)) {
+                int mode = (table->mode >> 6) & 7;
+                return (mode << 6) | (mode << 3) | mode;
+        }
+        return table->mode;
+}
 static struct ctl_table_root net_sysctl_root = {
        .lookup = net_ctl_header_lookup,
+        .permissions = net_ctl_permissions,
 };
 static LIST_HEAD(net_sysctl_ro_tables);
author	Stephen Hemminger <shemminger@vyatta.com>	2008-07-25 04:48:32 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2008-07-25 13:53:45 -0400
commit	4ecb90090c84210a8bd2a9d7a5906e616735873c (patch)
tree	a7baec8859ff9750296be318400ba4475eb40b6c /net
parent	99541c23cd32bacf1a591ca537a7c0cb9053ad7e (diff)

diff --git a/net/sysctl_net.c b/net/sysctl_net.c index 007c1a6708ee..63ada437fc2f 100644 --- a/net/sysctl_net.c +++ b/net/sysctl_net.c
@@ -35,8 +35,22 @@ net_ctl_header_lookup(struct ctl_table_root root, struct nsproxy namespaces)
35	return &namespaces->net_ns->sysctl_table_headers;	35	return &namespaces->net_ns->sysctl_table_headers;
36	}	36	}
37		37
		38	/* Return standard mode bits for table entry. */
		39	static int net_ctl_permissions(struct ctl_table_root *root,
		40	struct nsproxy *nsproxy,
		41	struct ctl_table *table)
		42	{
		43	/* Allow network administrator to have same access as root. */
		44	if (capable(CAP_NET_ADMIN)) {
		45	int mode = (table->mode >> 6) & 7;
		46	return (mode << 6) \| (mode << 3) \| mode;
		47	}
		48	return table->mode;
		49	}
		50
38	static struct ctl_table_root net_sysctl_root = {	51	static struct ctl_table_root net_sysctl_root = {
39	.lookup = net_ctl_header_lookup,	52	.lookup = net_ctl_header_lookup,
		53	.permissions = net_ctl_permissions,
40	};	54	};
41		55
42	static LIST_HEAD(net_sysctl_ro_tables);	56	static LIST_HEAD(net_sysctl_ro_tables);