Re: [PATCH] backports: genetlink: add define for GENL_UNS_ADMIN_PERM

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Johannes Berg <johannes@sipsolutions.net>
To: Arend van Spriel <arend@broadcom.com>,
	"Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: backports@vger.kernel.org
Subject: Re: [PATCH] backports: genetlink: add define for GENL_UNS_ADMIN_PERM
Date: Mon, 16 May 2016 21:27:58 +0200	[thread overview]
Message-ID: <1463426878.2179.5.camel@sipsolutions.net> (raw)
In-Reply-To: <1463303597-32397-1-git-send-email-arend@broadcom.com> (sfid-20160515_111325_348941_B121C38D)

On Sun, 2016-05-15 at 11:13 +0200, Arend van Spriel wrote:
> Since commit 5ed071ec9992 ("nl80211: Allow privileged operations
> from user namespaces") the definition GENL_UNS_ADMIN_PERM is used
> by nl80211.c. Add definition if not defined by target kernel.

NACK, this patch is really bad and breaks all security properties since
older kernels will not know anything about the flag 0x10, they will
assume that no permission checks are required.

The only sane thing to do is to
#define GENL_UNS_ADMIN_PERM GENL_ADMIN_PERM

and not get the user-namespace-awareness on kernels that didn't know
about the flag already.

johannes

--
To unsubscribe from this list: send the line "unsubscribe backports" in

next prev parent reply	other threads:[~2016-05-16 19:28 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-15  9:13 [PATCH] backports: genetlink: add define for GENL_UNS_ADMIN_PERM Arend van Spriel
2016-05-16 19:27 ` Johannes Berg [this message]
2016-05-17  9:03   ` Arend Van Spriel

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1463426878.2179.5.camel@sipsolutions.net \
    --to=johannes@sipsolutions.net \
    --cc=arend@broadcom.com \
    --cc=backports@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.