* [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
@ 2016-06-19 5:21 Shanker Wang
2016-06-19 5:24 ` David Miller
2016-06-19 10:13 ` Richard Weinberger
0 siblings, 2 replies; 10+ messages in thread
From: Shanker Wang @ 2016-06-19 5:21 UTC (permalink / raw)
To: netdev
Cc: Hannes Frederic Sowa, Richard Weinberger, Guillaume Nault,
王邈
This patch removes the check for CAP_NET_ADMIN in the initial namespace
when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
namespace the net namespace was created so that /dev/ppp cat get opened
in a unprivileged container.
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Richard Weinberger <richard.weinberger@gmail.com>
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Miao Wang <shankerwangmiao@gmail.com>
Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
---
drivers/net/ppp/ppp_generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f572b31..4b3b2b5 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
/*
* This could (should?) be enforced by the permissions on /dev/ppp.
*/
- if (!capable(CAP_NET_ADMIN))
+ if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
return -EPERM;
return 0;
}
--
2.5.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
2016-06-19 5:21 [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp Shanker Wang
@ 2016-06-19 5:24 ` David Miller
2016-06-19 5:31 ` Shanker Wang
2016-06-19 10:13 ` Richard Weinberger
1 sibling, 1 reply; 10+ messages in thread
From: David Miller @ 2016-06-19 5:24 UTC (permalink / raw)
To: miao.wang; +Cc: netdev, hannes, richard.weinberger, g.nault, shankerwangmiao
From: Shanker Wang <miao.wang@tuna.tsinghua.edu.cn>
Date: Sun, 19 Jun 2016 07:21:27 +0200
> This patch removes the check for CAP_NET_ADMIN in the initial namespace
> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
> namespace the net namespace was created so that /dev/ppp cat get opened
> in a unprivileged container.
>
> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Cc: Richard Weinberger <richard.weinberger@gmail.com>
> Cc: Guillaume Nault <g.nault@alphalink.fr>
> Cc: Miao Wang <shankerwangmiao@gmail.com>
> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
Why are you posting this again?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
2016-06-19 5:24 ` David Miller
@ 2016-06-19 5:31 ` Shanker Wang
0 siblings, 0 replies; 10+ messages in thread
From: Shanker Wang @ 2016-06-19 5:31 UTC (permalink / raw)
To: David Miller; +Cc: netdev, hannes, richard.weinberger, g.nault
> 在 2016年6月19日,07:24,David Miller <davem@davemloft.net> 写道:
>
> From: Shanker Wang <miao.wang@tuna.tsinghua.edu.cn>
> Date: Sun, 19 Jun 2016 07:21:27 +0200
>
>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>> namespace the net namespace was created so that /dev/ppp cat get opened
>> in a unprivileged container.
>>
>> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
>> Cc: Richard Weinberger <richard.weinberger@gmail.com>
>> Cc: Guillaume Nault <g.nault@alphalink.fr>
>> Cc: Miao Wang <shankerwangmiao@gmail.com>
>> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
>
> Why are you posting this again?
Sorry for re-sending this e-mail. But the e-mail address of mine has been
changed. And I haven’t seen this e-mail in several kernel mail list
archives after a night of sleep. I’m wondering if the e-mail is sent
correctly. So I finally decide to re-send this e-mail. Again, I feel
sorry for sending the same thing for two times.
BTW, how can i judge if my e-mail is correctly sent to the mail list?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
2016-06-19 5:21 [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp Shanker Wang
2016-06-19 5:24 ` David Miller
@ 2016-06-19 10:13 ` Richard Weinberger
2016-06-19 10:36 ` Shanker Wang
1 sibling, 1 reply; 10+ messages in thread
From: Richard Weinberger @ 2016-06-19 10:13 UTC (permalink / raw)
To: Shanker Wang, netdev
Cc: Hannes Frederic Sowa, Richard Weinberger, Guillaume Nault,
王邈
Am 19.06.2016 um 07:21 schrieb Shanker Wang:
> This patch removes the check for CAP_NET_ADMIN in the initial namespace
> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
> namespace the net namespace was created so that /dev/ppp cat get opened
> in a unprivileged container.
>
> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Cc: Richard Weinberger <richard.weinberger@gmail.com>
> Cc: Guillaume Nault <g.nault@alphalink.fr>
> Cc: Miao Wang <shankerwangmiao@gmail.com>
> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
> ---
> drivers/net/ppp/ppp_generic.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
> index f572b31..4b3b2b5 100644
> --- a/drivers/net/ppp/ppp_generic.c
> +++ b/drivers/net/ppp/ppp_generic.c
> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
> /*
> * This could (should?) be enforced by the permissions on /dev/ppp.
> */
> - if (!capable(CAP_NET_ADMIN))
> + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
> return -EPERM;
Shouldn't this be a ns_capable(net->user_ns, ...?
Otherwise an user can create a new user_ns followed by a new net_ns and has
CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
net_ns which belongs to the ppp net device which you want to open.
Thanks,
//richard
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
2016-06-19 10:13 ` Richard Weinberger
@ 2016-06-19 10:36 ` Shanker Wang
2016-06-19 10:40 ` Richard Weinberger
0 siblings, 1 reply; 10+ messages in thread
From: Shanker Wang @ 2016-06-19 10:36 UTC (permalink / raw)
To: Richard Weinberger
Cc: netdev, Hannes Frederic Sowa, Richard Weinberger, Guillaume Nault
> 在 2016年6月19日,12:13,Richard Weinberger <richard@nod.at> 写道:
>
> Am 19.06.2016 um 07:21 schrieb Shanker Wang:
>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>> namespace the net namespace was created so that /dev/ppp cat get opened
>> in a unprivileged container.
>>
>> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
>> Cc: Richard Weinberger <richard.weinberger@gmail.com>
>> Cc: Guillaume Nault <g.nault@alphalink.fr>
>> Cc: Miao Wang <shankerwangmiao@gmail.com>
>> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
>> ---
>> drivers/net/ppp/ppp_generic.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
>> index f572b31..4b3b2b5 100644
>> --- a/drivers/net/ppp/ppp_generic.c
>> +++ b/drivers/net/ppp/ppp_generic.c
>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
>> /*
>> * This could (should?) be enforced by the permissions on /dev/ppp.
>> */
>> - if (!capable(CAP_NET_ADMIN))
>> + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
>> return -EPERM;
>
> Shouldn't this be a ns_capable(net->user_ns, …?
> Otherwise an user can create a new user_ns followed by a new net_ns and has
> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
> net_ns which belongs to the ppp net device which you want to open.
You are totally right. However, I wonder how can i get the “net” struct when
opening /dev/ppp
>
> Thanks,
> //richard
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
2016-06-19 10:36 ` Shanker Wang
@ 2016-06-19 10:40 ` Richard Weinberger
2016-07-16 9:41 ` Shanker Wang
0 siblings, 1 reply; 10+ messages in thread
From: Richard Weinberger @ 2016-06-19 10:40 UTC (permalink / raw)
To: Shanker Wang; +Cc: netdev, Hannes Frederic Sowa, Guillaume Nault
Am 19.06.2016 um 12:36 schrieb Shanker Wang:
>
>> 在 2016年6月19日,12:13,Richard Weinberger <richard@nod.at> 写道:
>>
>> Am 19.06.2016 um 07:21 schrieb Shanker Wang:
>>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>>> namespace the net namespace was created so that /dev/ppp cat get opened
>>> in a unprivileged container.
>>>
>>> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
>>> Cc: Richard Weinberger <richard.weinberger@gmail.com>
>>> Cc: Guillaume Nault <g.nault@alphalink.fr>
>>> Cc: Miao Wang <shankerwangmiao@gmail.com>
>>> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
>>> ---
>>> drivers/net/ppp/ppp_generic.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
>>> index f572b31..4b3b2b5 100644
>>> --- a/drivers/net/ppp/ppp_generic.c
>>> +++ b/drivers/net/ppp/ppp_generic.c
>>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
>>> /*
>>> * This could (should?) be enforced by the permissions on /dev/ppp.
>>> */
>>> - if (!capable(CAP_NET_ADMIN))
>>> + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
>>> return -EPERM;
>>
>> Shouldn't this be a ns_capable(net->user_ns, …?
>> Otherwise an user can create a new user_ns followed by a new net_ns and has
>> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
>> net_ns which belongs to the ppp net device which you want to open.
> You are totally right. However, I wonder how can i get the “net” struct when
> opening /dev/ppp
I'm sure you can get it somehow via file->private_data.
Thanks,
//richard
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
2016-06-19 10:40 ` Richard Weinberger
@ 2016-07-16 9:41 ` Shanker Wang
0 siblings, 0 replies; 10+ messages in thread
From: Shanker Wang @ 2016-07-16 9:41 UTC (permalink / raw)
To: Richard Weinberger; +Cc: netdev
Hi Richard,
Sorry for the late reply after dealing with my personal issues.
After reading the code, I find out that when /dev/ppp is opened,
the instance is in “unattached” state and `file->private_data`
is null correspondingly. After creating a new instance, attaching
to a instance or attaching to a channel using ioctl
(ppp_unattached_ioctl), the state is changed to “attached” and
`file->private_data` becomes valid. My opinion is that only
checking capability in `current->nsproxy->net_ns->user_ns` is
enough. The reason is that to create a ppp interface or control a
ppp interface (in short, to “modify” the network configuration),
we should always first create a new instance by opening `/dev/ppp`
and attach it to a unit or so.
As you mentioned, “an user can create a new user_ns followed by
a new net_ns and has CAP_NET_ADMIN”. However, in that case, he can
create new units by `ioctl PPPIOCNEWUNIT` but cannot attach to
units existing in other net_ns by `ioctl PPPIOCATTACH`, because
`ppp_find_unit` can only find unit in the current net_ns.
In spite of that, I have to admit that there is risk that lots
of ppp devices are created filling all kernel memory. I think this
can be avoided by some other methods.
You have mentioned in another reply that “the use of nsproxy has
to be removed” but I don’t understand the reason. In comparison,
I found similar usage of nsproxy in `tun.c`. So could you please
give a more detailed explanation? Thanks!
> 在 2016年6月19日,18:40,Richard Weinberger <richard@nod.at> 写道:
>
> Am 19.06.2016 um 12:36 schrieb Shanker Wang:
>>
>>> 在 2016年6月19日,12:13,Richard Weinberger <richard@nod.at> 写道:
>>>
>>> Am 19.06.2016 um 07:21 schrieb Shanker Wang:
>>>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>>>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>>>> namespace the net namespace was created so that /dev/ppp cat get opened
>>>> in a unprivileged container.
>>>>
>>>> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
>>>> Cc: Richard Weinberger <richard.weinberger@gmail.com>
>>>> Cc: Guillaume Nault <g.nault@alphalink.fr>
>>>> Cc: Miao Wang <shankerwangmiao@gmail.com>
>>>> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
>>>> ---
>>>> drivers/net/ppp/ppp_generic.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
>>>> index f572b31..4b3b2b5 100644
>>>> --- a/drivers/net/ppp/ppp_generic.c
>>>> +++ b/drivers/net/ppp/ppp_generic.c
>>>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
>>>> /*
>>>> * This could (should?) be enforced by the permissions on /dev/ppp.
>>>> */
>>>> - if (!capable(CAP_NET_ADMIN))
>>>> + if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
>>>> return -EPERM;
>>>
>>> Shouldn't this be a ns_capable(net->user_ns, …?
>>> Otherwise an user can create a new user_ns followed by a new net_ns and has
>>> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
>>> net_ns which belongs to the ppp net device which you want to open.
>> You are totally right. However, I wonder how can i get the “net” struct when
>> opening /dev/ppp
>
> I'm sure you can get it somehow via file->private_data.
>
> Thanks,
> //richard
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
2016-06-20 5:02 ` Andi Kleen
@ 2016-06-20 6:47 ` Richard Weinberger
0 siblings, 0 replies; 10+ messages in thread
From: Richard Weinberger @ 2016-06-20 6:47 UTC (permalink / raw)
To: Andi Kleen, Shanker Wang
Cc: netdev, Hannes Frederic Sowa, Richard Weinberger,
Guillaume Nault, Miao Wang
Am 20.06.2016 um 07:02 schrieb Andi Kleen:
> Shanker Wang <shanker@tuna.tsinghua.edu.cn> writes:
>
>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>> namespace the net namespace was created so that /dev/ppp cat get opened
>> in a unprivileged container.
>
> Seems dangerous. From a quick look at the PPP ioctl there is no limit
> how many PPP devices this can create. So a container having access to
> this would be able to fill all kernel memory. Probably needs more
> auditing and hardening first.
>
> In general there seems to be a lot of attack surface for root
> in PPP.
You are right.
Shanker Wang, I had also another at the open function, it is more complicated
than I thought. Please see how ppp_unattached_ioctl() is called.
Before we give containers access to it the use of nsproxy has to be removed.
Not sure how easy this will be, especially since you cannot break existing users.
Thanks,
//richard
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
2016-06-18 23:38 Shanker Wang
@ 2016-06-20 5:02 ` Andi Kleen
2016-06-20 6:47 ` Richard Weinberger
0 siblings, 1 reply; 10+ messages in thread
From: Andi Kleen @ 2016-06-20 5:02 UTC (permalink / raw)
To: Shanker Wang
Cc: netdev, Hannes Frederic Sowa, Richard Weinberger,
Guillaume Nault, Miao Wang
Shanker Wang <shanker@tuna.tsinghua.edu.cn> writes:
> This patch removes the check for CAP_NET_ADMIN in the initial namespace
> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
> namespace the net namespace was created so that /dev/ppp cat get opened
> in a unprivileged container.
Seems dangerous. From a quick look at the PPP ioctl there is no limit
how many PPP devices this can create. So a container having access to
this would be able to fill all kernel memory. Probably needs more
auditing and hardening first.
In general there seems to be a lot of attack surface for root
in PPP.
-Andi
--
ak@linux.intel.com -- Speaking for myself only
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp
@ 2016-06-18 23:38 Shanker Wang
2016-06-20 5:02 ` Andi Kleen
0 siblings, 1 reply; 10+ messages in thread
From: Shanker Wang @ 2016-06-18 23:38 UTC (permalink / raw)
To: netdev
Cc: Hannes Frederic Sowa, Richard Weinberger, Guillaume Nault, Miao Wang
This patch removes the check for CAP_NET_ADMIN in the initial namespace
when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
namespace the net namespace was created so that /dev/ppp cat get opened
in a unprivileged container.
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Richard Weinberger <richard.weinberger@gmail.com>
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Miao Wang <shankerwangmiao@gmail.com>
Signed-off-by: Miao Wang <shanker@tuna.tsinghua.edu.cn>
---
drivers/net/ppp/ppp_generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f572b31..4b3b2b5 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
/*
* This could (should?) be enforced by the permissions on /dev/ppp.
*/
- if (!capable(CAP_NET_ADMIN))
+ if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
return -EPERM;
return 0;
}
--
2.5.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
end of thread, other threads:[~2016-07-16 9:42 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-06-19 5:21 [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp Shanker Wang
2016-06-19 5:24 ` David Miller
2016-06-19 5:31 ` Shanker Wang
2016-06-19 10:13 ` Richard Weinberger
2016-06-19 10:36 ` Shanker Wang
2016-06-19 10:40 ` Richard Weinberger
2016-07-16 9:41 ` Shanker Wang
-- strict thread matches above, loose matches on Subject: below --
2016-06-18 23:38 Shanker Wang
2016-06-20 5:02 ` Andi Kleen
2016-06-20 6:47 ` Richard Weinberger
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.