[PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Shanker Wang]

This patch removes the check for CAP_NET_ADMIN in the initial namespace
when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
namespace the net namespace was created so that /dev/ppp cat get opened
in a unprivileged container.

Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Richard Weinberger <richard.weinberger@gmail.com>
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Miao Wang <shankerwangmiao@gmail.com>
Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
---
drivers/net/ppp/ppp_generic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f572b31..4b3b2b5 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
	/*
	 * This could (should?) be enforced by the permissions on /dev/ppp.
	 */
-	if (!capable(CAP_NET_ADMIN))
+	if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
		return -EPERM;
	return 0;
}
-- 
2.5.2

Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[David Miller]

From: Shanker Wang <miao.wang@tuna.tsinghua.edu.cn>
Date: Sun, 19 Jun 2016 07:21:27 +0200

> This patch removes the check for CAP_NET_ADMIN in the initial namespace
> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
> namespace the net namespace was created so that /dev/ppp cat get opened
> in a unprivileged container.
> 
> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Cc: Richard Weinberger <richard.weinberger@gmail.com>
> Cc: Guillaume Nault <g.nault@alphalink.fr>
> Cc: Miao Wang <shankerwangmiao@gmail.com>
> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>

Why are you posting this again?

Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Shanker Wang]

> 在 2016年6月19日，07:24，David Miller <davem@davemloft.net> 写道：
> 
> From: Shanker Wang <miao.wang@tuna.tsinghua.edu.cn>
> Date: Sun, 19 Jun 2016 07:21:27 +0200
> 
>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>> namespace the net namespace was created so that /dev/ppp cat get opened
>> in a unprivileged container.
>> 
>> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
>> Cc: Richard Weinberger <richard.weinberger@gmail.com>
>> Cc: Guillaume Nault <g.nault@alphalink.fr>
>> Cc: Miao Wang <shankerwangmiao@gmail.com>
>> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
> 
> Why are you posting this again?

Sorry for re-sending this e-mail. But the e-mail address of mine has been 
changed. And I haven’t seen this e-mail in several kernel mail list 
archives after a night of sleep. I’m wondering if the e-mail is sent
correctly. So I finally decide to re-send this e-mail. Again, I feel
sorry for sending the same thing for two times.

BTW, how can i judge if my e-mail is correctly sent to the mail list?

Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Richard Weinberger]

Am 19.06.2016 um 07:21 schrieb Shanker Wang:
> This patch removes the check for CAP_NET_ADMIN in the initial namespace
> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
> namespace the net namespace was created so that /dev/ppp cat get opened
> in a unprivileged container.
> 
> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Cc: Richard Weinberger <richard.weinberger@gmail.com>
> Cc: Guillaume Nault <g.nault@alphalink.fr>
> Cc: Miao Wang <shankerwangmiao@gmail.com>
> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
> ---
> drivers/net/ppp/ppp_generic.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
> index f572b31..4b3b2b5 100644
> --- a/drivers/net/ppp/ppp_generic.c
> +++ b/drivers/net/ppp/ppp_generic.c
> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
> 	/*
> 	 * This could (should?) be enforced by the permissions on /dev/ppp.
> 	 */
> -	if (!capable(CAP_NET_ADMIN))
> +	if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
> 		return -EPERM;

Shouldn't this be a ns_capable(net->user_ns, ...?
Otherwise an user can create a new user_ns followed by a new net_ns and has
CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
net_ns which belongs to the ppp net device which you want to open.

Thanks,
//richard

Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Shanker Wang]

> 在 2016年6月19日，12:13，Richard Weinberger <richard@nod.at> 写道：
> 
> Am 19.06.2016 um 07:21 schrieb Shanker Wang:
>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>> namespace the net namespace was created so that /dev/ppp cat get opened
>> in a unprivileged container.
>> 
>> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
>> Cc: Richard Weinberger <richard.weinberger@gmail.com>
>> Cc: Guillaume Nault <g.nault@alphalink.fr>
>> Cc: Miao Wang <shankerwangmiao@gmail.com>
>> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
>> ---
>> drivers/net/ppp/ppp_generic.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
>> index f572b31..4b3b2b5 100644
>> --- a/drivers/net/ppp/ppp_generic.c
>> +++ b/drivers/net/ppp/ppp_generic.c
>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
>> 	/*
>> 	 * This could (should?) be enforced by the permissions on /dev/ppp.
>> 	 */
>> -	if (!capable(CAP_NET_ADMIN))
>> +	if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
>> 		return -EPERM;
> 
> Shouldn't this be a ns_capable(net->user_ns, …?
> Otherwise an user can create a new user_ns followed by a new net_ns and has
> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
> net_ns which belongs to the ppp net device which you want to open.
You are totally right. However, I wonder how can i get the “net” struct when 
opening /dev/ppp
> 
> Thanks,
> //richard

Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Richard Weinberger]

Am 19.06.2016 um 12:36 schrieb Shanker Wang:
> 
>> 在 2016年6月19日，12:13，Richard Weinberger <richard@nod.at> 写道：
>>
>> Am 19.06.2016 um 07:21 schrieb Shanker Wang:
>>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>>> namespace the net namespace was created so that /dev/ppp cat get opened
>>> in a unprivileged container.
>>>
>>> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
>>> Cc: Richard Weinberger <richard.weinberger@gmail.com>
>>> Cc: Guillaume Nault <g.nault@alphalink.fr>
>>> Cc: Miao Wang <shankerwangmiao@gmail.com>
>>> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
>>> ---
>>> drivers/net/ppp/ppp_generic.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
>>> index f572b31..4b3b2b5 100644
>>> --- a/drivers/net/ppp/ppp_generic.c
>>> +++ b/drivers/net/ppp/ppp_generic.c
>>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
>>> 	/*
>>> 	 * This could (should?) be enforced by the permissions on /dev/ppp.
>>> 	 */
>>> -	if (!capable(CAP_NET_ADMIN))
>>> +	if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
>>> 		return -EPERM;
>>
>> Shouldn't this be a ns_capable(net->user_ns, …?
>> Otherwise an user can create a new user_ns followed by a new net_ns and has
>> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
>> net_ns which belongs to the ppp net device which you want to open.
> You are totally right. However, I wonder how can i get the “net” struct when 
> opening /dev/ppp

I'm sure you can get it somehow via file->private_data.

Thanks,
//richard

Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Shanker Wang]

Hi Richard,

Sorry for the late reply after dealing with my personal issues.

After reading the code, I find out that when /dev/ppp is opened, 
the instance is in “unattached” state and `file->private_data`
is null correspondingly. After creating a new instance, attaching
to a instance or attaching to a channel using ioctl 
(ppp_unattached_ioctl), the state is changed to “attached” and 
`file->private_data` becomes valid. My opinion is that only 
checking capability in `current->nsproxy->net_ns->user_ns` is 
enough. The reason is that to create a ppp interface or control a
 ppp interface (in short, to “modify” the network configuration),
we should always first create a new instance by opening `/dev/ppp` 
and attach it to a unit or so. 

As you mentioned, “an user can create a new user_ns followed by 
a new net_ns and has CAP_NET_ADMIN”. However, in that case, he can 
create new units by `ioctl PPPIOCNEWUNIT` but cannot attach to 
units existing in other net_ns by `ioctl PPPIOCATTACH`, because 
`ppp_find_unit` can only find unit in the current net_ns.

In spite of that, I have to admit that there is risk that lots 
of ppp devices are created filling all kernel memory. I think this
can be avoided by some other methods.

You have mentioned in another reply that “the use of nsproxy has
to be removed” but I don’t understand the reason. In comparison,
I found similar usage of nsproxy in `tun.c`. So could you please
give a more detailed explanation? Thanks!


> 在 2016年6月19日，18:40，Richard Weinberger <richard@nod.at> 写道：
> 
> Am 19.06.2016 um 12:36 schrieb Shanker Wang:
>> 
>>> 在 2016年6月19日，12:13，Richard Weinberger <richard@nod.at> 写道：
>>> 
>>> Am 19.06.2016 um 07:21 schrieb Shanker Wang:
>>>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>>>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>>>> namespace the net namespace was created so that /dev/ppp cat get opened
>>>> in a unprivileged container.
>>>> 
>>>> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
>>>> Cc: Richard Weinberger <richard.weinberger@gmail.com>
>>>> Cc: Guillaume Nault <g.nault@alphalink.fr>
>>>> Cc: Miao Wang <shankerwangmiao@gmail.com>
>>>> Signed-off-by: Miao Wang <miao.wang@tuna.tsinghua.edu.cn>
>>>> ---
>>>> drivers/net/ppp/ppp_generic.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>> 
>>>> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
>>>> index f572b31..4b3b2b5 100644
>>>> --- a/drivers/net/ppp/ppp_generic.c
>>>> +++ b/drivers/net/ppp/ppp_generic.c
>>>> @@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
>>>> 	/*
>>>> 	 * This could (should?) be enforced by the permissions on /dev/ppp.
>>>> 	 */
>>>> -	if (!capable(CAP_NET_ADMIN))
>>>> +	if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
>>>> 		return -EPERM;
>>> 
>>> Shouldn't this be a ns_capable(net->user_ns, …?
>>> Otherwise an user can create a new user_ns followed by a new net_ns and has
>>> CAP_NET_ADMIN. We need to check whether he is allowed in the user_ns of the
>>> net_ns which belongs to the ppp net device which you want to open.
>> You are totally right. However, I wonder how can i get the “net” struct when 
>> opening /dev/ppp
> 
> I'm sure you can get it somehow via file->private_data.
> 
> Thanks,
> //richard

Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Richard Weinberger]

Am 20.06.2016 um 07:02 schrieb Andi Kleen:
> Shanker Wang <shanker@tuna.tsinghua.edu.cn> writes:
> 
>> This patch removes the check for CAP_NET_ADMIN in the initial namespace
>> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
>> namespace the net namespace was created so that /dev/ppp cat get opened
>> in a unprivileged container.
> 
> Seems dangerous. From a quick look at the PPP ioctl there is no limit
> how many PPP devices this can create. So a container having access to
> this would be able to fill all kernel memory. Probably needs more
> auditing and hardening first.
> 
> In general there seems to be a lot of attack surface for root
> in PPP.

You are right.
Shanker Wang, I had also another at the open function, it is more complicated
than I thought. Please see how ppp_unattached_ioctl() is called.
Before we give containers access to it the use of nsproxy has to be removed.
Not sure how easy this will be, especially since you cannot break existing users.

Thanks,
//richard

Re: [PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Andi Kleen]

Shanker Wang <shanker@tuna.tsinghua.edu.cn> writes:

> This patch removes the check for CAP_NET_ADMIN in the initial namespace
> when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
> namespace the net namespace was created so that /dev/ppp cat get opened
> in a unprivileged container.

Seems dangerous. From a quick look at the PPP ioctl there is no limit
how many PPP devices this can create. So a container having access to
this would be able to fill all kernel memory. Probably needs more
auditing and hardening first.

In general there seems to be a lot of attack surface for root
in PPP.

-Andi

-- 
ak@linux.intel.com -- Speaking for myself only

[PATCH] net:ppp: replace too strict capability restriction on opening /dev/ppp

[Shanker Wang]

This patch removes the check for CAP_NET_ADMIN in the initial namespace
when opening /dev/open. Instead, CAP_NET_ADMIN is checked in the user
namespace the net namespace was created so that /dev/ppp cat get opened
in a unprivileged container.

Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Richard Weinberger <richard.weinberger@gmail.com>
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Miao Wang <shankerwangmiao@gmail.com>
Signed-off-by: Miao Wang <shanker@tuna.tsinghua.edu.cn>
---
 drivers/net/ppp/ppp_generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f572b31..4b3b2b5 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -380,7 +380,7 @@ static int ppp_open(struct inode *inode, struct file *file)
 	/*
 	 * This could (should?) be enforced by the permissions on /dev/ppp.
 	 */
-	if (!capable(CAP_NET_ADMIN))
+	if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
 		return -EPERM;
 	return 0;
 }
-- 
2.5.2