* [PATCH] net: allow SO_MARK with CAP_NET_RAW
@ 2021-11-23 20:37 Maciej Żenczykowski
From: Maciej Żenczykowski @ 2021-11-23 20:37 UTC
  To: Maciej Żenczykowski; +Cc: Linux Network Development Mailing List

From: Maciej Żenczykowski <maze@google.com>

A CAP_NET_RAW capable process can already spoof (on transmit) anything
it desires via raw packet sockets...  There is no good reason to not
allow it to also be able to play routing tricks on packets from its
own normal sockets.

There is a desire to be able to use SO_MARK for routing table selection
(via ip rule fwmark) from within a user process without having to run
it as root.  Granting it CAP_NET_RAW is much less dangerous than
CAP_NET_ADMIN (CAP_NET_RAW doesn't permit persistent state change,
while CAP_NET_ADMIN does - by for example allowing the reconfiguration
of the routing tables and/or bringing up/down devices).

Let's keep CAP_NET_ADMIN for persistent state changes,
while using CAP_NET_RAW for non-configuration related stuff.

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 net/core/sock.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 1e49a127adef..4a499d255f40 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1281,7 +1281,8 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
 			clear_bit(SOCK_PASSSEC, &sock->flags);
 		break;
 	case SO_MARK:
-		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
+		    !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
 			ret = -EPERM;
 			break;
 		}
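
Review bot: In the SO_MARK case the new condition tests CAP_NET_RAW before CAP_NET_ADMIN, so a caller holding only CAP_NET_ADMIN (every caller that passed the old check) now goes through a failing ns_capable() for CAP_NET_RAW first. ns_capable() is the audited variant, so that failed probe can surface as a net_raw denial in LSM logs for a setsockopt() that then succeeds. Testing CAP_NET_ADMIN first, as in "!ns_capable(..., CAP_NET_ADMIN) && !ns_capable(..., CAP_NET_RAW)", keeps existing callers free of a new failed check. The commit message could also mention that socket(7) documents SO_MARK as requiring CAP_NET_ADMIN and will need a matching update.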
-- 
2.34.0.rc2.393.gf8c9666880-goog
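
An added example, not part of the patch or of the kernel tree: a small auditing helper that models the SO_MARK check before and after this change and reports whether a process gains the ability to set SO_MARK, given the text of its /proc/<pid>/status. The function names are hypothetical, the sample input is constructed, and it assumes CapEff is held in the user namespace that owns the socket's network namespace, which is what ns_capable(sock_net(sk)->user_ns, ...) tests.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from include/uapi/linux/capability.h */
#define CAP_NET_ADMIN_BIT 12
#define CAP_NET_RAW_BIT   13
#define HAS(mask, bit) ((int)(((mask) >> (bit)) & 1))

/* Parse CapEff from /proc/<pid>/status text. Only a match at the start of a
 * line counts, so a process named "CapEff:" cannot shadow the real field.
 * Returns 0 on success, -1 if the field is missing or malformed. */
int parse_capeff(const char *status, uint64_t *mask)
{
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *v = line + 7;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v))
                return -1;
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Before the patch: CAP_NET_ADMIN only. After: CAP_NET_RAW or CAP_NET_ADMIN. */
int so_mark_before(uint64_t eff) { return HAS(eff, CAP_NET_ADMIN_BIT); }
int so_mark_after(uint64_t eff) { return HAS(eff, CAP_NET_RAW_BIT) || so_mark_before(eff); }

/* 1: SO_MARK allowed only because of the patch; 0: no change; -1: no CapEff. */
int gains_so_mark(const char *status)
{
    uint64_t eff;
    if (parse_capeff(status, &eff) < 0) return -1;
    return so_mark_after(eff) && !so_mark_before(eff);
}

int main(void)
{
    /* Constructed sample: CAP_NET_RAW set, CAP_NET_ADMIN clear. */
    printf("%d\n", gains_so_mark("Name:\tdemo\nCapEff:\t00000000a80425fb\n"));
    return 0;
}
```

Run over each PID's status file, a result of 1 marks the processes whose fwmark-based policy routing and netfilter mark matches should be reviewed once this change is deployed.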



* Re: [PATCH] net: allow SO_MARK with CAP_NET_RAW
@ 2021-11-25  3:10 ` patchwork-bot+netdevbpf
From: patchwork-bot+netdevbpf @ 2021-11-25  3:10 UTC
  To: Maciej Żenczykowski <zenczykowski@gmail.com>
  Cc: maze, netdev

Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 23 Nov 2021 12:37:15 -0800 you wrote:
> From: Maciej Żenczykowski <maze@google.com>
> 
> A CAP_NET_RAW capable process can already spoof (on transmit) anything
> it desires via raw packet sockets...  There is no good reason to not
> allow it to also be able to play routing tricks on packets from its
> own normal sockets.
> 
> [...]

Here is the summary with links:
  - net: allow SO_MARK with CAP_NET_RAW
    https://git.kernel.org/netdev/net-next/c/079925cce1d0

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


