[PATCH] backports: genetlink: add define for GENL_UNS_ADMIN_PERM

[PATCH] backports: genetlink: add define for GENL_UNS_ADMIN_PERM

[Arend van Spriel]

Since commit 5ed071ec9992 ("nl80211: Allow privileged operations
from user namespaces") the definition GENL_UNS_ADMIN_PERM is used
by nl80211.c. Add definition if not defined by target kernel.

Signed-off-by: Arend van Spriel <arend@broadcom.com>
---
Tried to add uapi/linux/genetlink.h, but ended up in inclusion issues that
I did not look into further so instead added the definition in already
existing net/genetlink.h in backport. Feel free to fix otherwise if that
is preferred.

Regards,
Arend
---
 backport/backport-include/net/genetlink.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/backport/backport-include/net/genetlink.h b/backport/backport-include/net/genetlink.h
index 2e0bb3e..49661bb 100644
--- a/backport/backport-include/net/genetlink.h
+++ b/backport/backport-include/net/genetlink.h
@@ -154,4 +154,8 @@ backport_genlmsg_multicast_allns(struct genl_family *family,
 #endif /* < 4.4 */
 #endif /* < 3.13 */
 
+#ifndef GENL_UNS_ADMIN_PERM
+#define GENL_UNS_ADMIN_PERM	0x10
+#endif
+
 #endif /* __BACKPORT_NET_GENETLINK_H */
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe backports" in

Re: [PATCH] backports: genetlink: add define for GENL_UNS_ADMIN_PERM

[Johannes Berg]

On Sun, 2016-05-15 at 11:13 +0200, Arend van Spriel wrote:
> Since commit 5ed071ec9992 ("nl80211: Allow privileged operations
> from user namespaces") the definition GENL_UNS_ADMIN_PERM is used
> by nl80211.c. Add definition if not defined by target kernel.

NACK, this patch is really bad and breaks all security properties since
older kernels will not know anything about the flag 0x10, they will
assume that no permission checks are required.

The only sane thing to do is to
#define GENL_UNS_ADMIN_PERM GENL_ADMIN_PERM

and not get the user-namespace-awareness on kernels that didn't know
about the flag already.

johannes

--
To unsubscribe from this list: send the line "unsubscribe backports" in

Re: [PATCH] backports: genetlink: add define for GENL_UNS_ADMIN_PERM

[Arend Van Spriel]

On 16-5-2016 21:27, Johannes Berg wrote:
> On Sun, 2016-05-15 at 11:13 +0200, Arend van Spriel wrote:
>> Since commit 5ed071ec9992 ("nl80211: Allow privileged operations
>> from user namespaces") the definition GENL_UNS_ADMIN_PERM is used
>> by nl80211.c. Add definition if not defined by target kernel.
> 
> NACK, this patch is really bad and breaks all security properties since
> older kernels will not know anything about the flag 0x10, they will
> assume that no permission checks are required.

Obviously been cutting to many corners here.

> The only sane thing to do is to
> #define GENL_UNS_ADMIN_PERM GENL_ADMIN_PERM
> 
> and not get the user-namespace-awareness on kernels that didn't know
> about the flag already.

Will send a v2 using your suggestion.

Regards,
Arend
--
To unsubscribe from this list: send the line "unsubscribe backports" in