From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
Cc: netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: [PATCH net-next 0/17] Make the network stack usable by userns root
Date: Fri, 16 Nov 2012 05:01:44 -0800
Message-ID: <87d2zd8zwn.fsf@xmission.com>
In a secondary user namespace the root user only has CAP_NET_ADMIN,
CAP_NET_RAW and CAP_NET_BIND_SERVICE with respect to the secondary user
namespace. The test "capable(CAP_NET_ADMIN)" tests for capabilities in
the initial user namespace.
The following set of patches goes through the networking stack. First
pushing the capable(CAP_NET_ADMIN) admin calls down farther in the stack
so individual instances can be changed. Then, where it appears safe, I
have relaxed the permission checks.
The code is available in git from:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git netns-v73
The netns-v73 branch is against v3.7-rc3 and merges cleanly with net-next.
In my user namespace tree I am working to allow unprivileged users to
create user namespaces, and to allow the user namespace root to create
network namespaces. These patches are really about allowing
unprivileged users to use the networking stack (not that they will
be able to talk to anyone).
David, I have some small dependencies on the first two patches of this
series in my later user namespace work. So after these changes have
been reviewed, if you can pull my netns-v73 branch (which is just these
patches) into net-next, that will help me avoid unnecessary conflicts.
Eric
Eric W. Biederman (16):
netns: Deduplicate and fix copy_net_ns when !CONFIG_NET_NS
userns: make each net (net_ns) belong to a user_ns
sysctl: Pass useful parameters to sysctl permissions
net: Don't export sysctls to unprivileged users
net: Push capable(CAP_NET_ADMIN) into the rtnl methods
net: Update the per network namespace sysctls to be available to the network namespace owner
net: Allow userns root to force the scm creds
net: Allow userns root control of the core of the network stack.
net: Allow userns root to control ipv4
net: Allow userns root to control ipv6
net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm
net: Allow userns root to control the network bridge code.
net: Allow the userns root to control vlans.
net: Enable some sysctls that are safe for the userns root
net: Enable userns root rtnl calls that are safe for unprivileged users
net: Make CAP_NET_BIND_SERVICE per user namespace
Zhao Hongjiang (1):
user_ns: get rid of duplicate code in net_ctl_permissions
fs/proc/proc_sysctl.c | 9 +++++----
include/linux/sysctl.h | 3 +--
include/net/net_namespace.h | 24 ++++++++++++++++--------
kernel/nsproxy.c | 2 +-
net/8021q/vlan.c | 12 ++++++------
net/bridge/br_ioctl.c | 25 +++++++++++++------------
net/bridge/br_sysfs_br.c | 10 +++++-----
net/bridge/br_sysfs_if.c | 2 +-
net/can/gw.c | 6 ++++++
net/core/dev.c | 17 +++++++++++++----
net/core/ethtool.c | 2 +-
net/core/neighbour.c | 4 ++++
net/core/net-sysfs.c | 15 ++++++++++-----
net/core/net_namespace.c | 23 ++++++++++++-----------
net/core/rtnetlink.c | 12 +++++++++++-
net/core/scm.c | 6 +++---
net/core/sock.c | 7 ++++---
net/core/sysctl_net_core.c | 5 +++++
net/dcb/dcbnl.c | 3 +++
net/decnet/dn_dev.c | 6 ++++++
net/decnet/dn_fib.c | 6 ++++++
net/ipv4/af_inet.c | 9 ++++++---
net/ipv4/arp.c | 2 +-
net/ipv4/devinet.c | 4 ++--
net/ipv4/fib_frontend.c | 2 +-
net/ipv4/ip_fragment.c | 4 ++++
net/ipv4/ip_gre.c | 4 ++--
net/ipv4/ip_options.c | 6 +++---
net/ipv4/ip_sockglue.c | 5 +++--
net/ipv4/ip_vti.c | 4 ++--
net/ipv4/ipip.c | 4 ++--
net/ipv4/ipmr.c | 2 +-
net/ipv4/netfilter/arp_tables.c | 8 ++++----
net/ipv4/netfilter/ip_tables.c | 8 ++++----
net/ipv4/route.c | 4 ++++
net/ipv4/sysctl_net_ipv4.c | 3 +++
net/ipv4/tcp.c | 2 +-
net/ipv4/tcp_cong.c | 3 ++-
net/ipv6/addrconf.c | 4 ++--
net/ipv6/af_inet6.c | 5 +++--
net/ipv6/anycast.c | 2 +-
net/ipv6/datagram.c | 6 +++---
net/ipv6/ip6_flowlabel.c | 3 ++-
net/ipv6/ip6_gre.c | 4 ++--
net/ipv6/ip6_tunnel.c | 4 ++--
net/ipv6/ip6mr.c | 2 +-
net/ipv6/ipv6_sockglue.c | 7 ++++---
net/ipv6/netfilter/ip6_tables.c | 8 ++++----
net/ipv6/reassembly.c | 4 ++++
net/ipv6/route.c | 6 +++++-
net/ipv6/sit.c | 8 ++++----
net/key/af_key.c | 2 +-
net/llc/af_llc.c | 2 +-
net/netfilter/ipset/ip_set_core.c | 2 +-
net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++++--
net/netfilter/ipvs/ip_vs_lblc.c | 7 ++++++-
net/netfilter/ipvs/ip_vs_lblcr.c | 4 ++++
net/netfilter/nf_conntrack_acct.c | 4 ++++
net/netfilter/nf_conntrack_ecache.c | 4 ++++
net/netfilter/nf_conntrack_helper.c | 4 ++++
net/netfilter/nf_conntrack_proto_dccp.c | 8 ++++++--
net/netfilter/nf_conntrack_standalone.c | 4 ++++
net/netfilter/nf_conntrack_timestamp.c | 4 ++++
net/netfilter/nfnetlink.c | 2 +-
net/netlink/af_netlink.c | 2 +-
net/packet/af_packet.c | 2 +-
net/phonet/pn_netlink.c | 6 ++++++
net/sched/act_api.c | 3 +++
net/sched/cls_api.c | 2 ++
net/sched/sch_api.c | 9 +++++++++
net/sctp/socket.c | 8 +++++---
net/sysctl_net.c | 15 ++++++++++++---
net/unix/sysctl_net_unix.c | 4 ++++
net/xfrm/xfrm_sysctl.c | 4 ++++
net/xfrm/xfrm_user.c | 2 +-
75 files changed, 308 insertions(+), 140 deletions(-)
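As an added illustration (not code from this series or from the kernel), the following userspace C model of the capability lookup shows why capable(CAP_NET_ADMIN) denies a userns root while a check against the user namespace that owns the struct net permits it. The user_ns field on struct net, the walk-up rule, the uids and the sample tasks are constructed assumptions of this model, not the kernel's definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Illustrative userspace model, not kernel code: capable(cap) asks about the
 * initial user namespace, ns_capable(ns, cap) asks about a chosen namespace. */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_ADMIN        12
#define CAP_NET_RAW          13
struct user_ns {
    struct user_ns *parent;   /* NULL marks the initial user namespace */
    unsigned owner_uid;       /* global uid of the task that created it */
};
struct net { struct user_ns *user_ns; };   /* owning userns; field name assumed */
struct cred {
    struct user_ns *user_ns;  /* namespace the capability bits are relative to */
    unsigned euid;            /* modeled as a global (kuid) value */
    uint64_t cap_effective;   /* bitmask indexed by capability number */
};
/* Model of the lookup: walk from the target namespace toward the root. The
 * task's own namespace decides by its capability bits, the creator of a child
 * namespace counts as capable inside it, and nothing grants a cap in an
 * ancestor of the task's own namespace. */
static bool ns_capable_model(const struct cred *cred, const struct user_ns *ns, int cap)
{
    for (;;) {
        if (ns == cred->user_ns)
            return (cred->cap_effective >> cap) & 1;
        if (ns->parent == NULL)          /* reached init_user_ns without a match */
            return false;
        if (ns->parent == cred->user_ns && ns->owner_uid == cred->euid)
            return true;                 /* task created this child namespace */
        ns = ns->parent;
    }
}
/* Constructed namespaces: child_ns was created by global uid 1000. */
static struct user_ns init_user_ns = { NULL, 0 };
static struct user_ns child_ns = { &init_user_ns, 1000 };
static struct net init_net = { &init_user_ns }, child_net = { &child_ns };
/* Before the series: every path asks the initial user namespace. */
static bool old_net_admin_check(const struct cred *c)
{ return ns_capable_model(c, &init_user_ns, CAP_NET_ADMIN); }
/* After the series: ask the namespace that owns this struct net. */
static bool new_net_admin_check(const struct cred *c, const struct net *net)
{ return ns_capable_model(c, net->user_ns, CAP_NET_ADMIN); }
/* Constructed tasks. userns_root is uid 0 inside child_ns (global 1000) and
 * holds only the three network caps the cover letter names, relative to child_ns. */
static const struct cred userns_root = { &child_ns, 1000,
    (1ull << CAP_NET_ADMIN) | (1ull << CAP_NET_RAW) | (1ull << CAP_NET_BIND_SERVICE) };
static const struct cred host_root = { &init_user_ns, 0, ~0ull };
static const struct cred creator = { &init_user_ns, 1000, 0 };   /* made child_ns, no caps */
static const struct cred child_nobody = { &child_ns, 1001, 0 }; /* in child_ns, no caps */
```

The pairs worth comparing are userns_root against old_net_admin_check (denied) and against child_net under new_net_admin_check (permitted), while the same task stays denied for init_net, so relaxing the check does not hand it the host's network stack.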