| From foo@baz Sat 18 Apr 2020 11:09:57 AM CEST |
| From: "Michael Weiß" <michael.weiss@aisec.fraunhofer.de> |
| Date: Tue, 7 Apr 2020 13:11:48 +0200 |
| Subject: l2tp: Allow management of tunnels and session in user namespace |
| |
| From: "Michael Weiß" <michael.weiss@aisec.fraunhofer.de> |
| |
| [ Upstream commit 2abe05234f2e892728c388169631e4b99f354c86 ] |
| |
| Creation and management of L2TPv3 tunnels and session through netlink |
| requires CAP_NET_ADMIN. However, a process with CAP_NET_ADMIN in a |
| non-initial user namespace gets an EPERM due to the use of the |
| genetlink GENL_ADMIN_PERM flag. Thus, management of L2TP VPNs inside |
| an unprivileged container won't work. |
| |
| We replaced the GENL_ADMIN_PERM by the GENL_UNS_ADMIN_PERM flag |
| similar to other network modules which also had this problem, e.g., |
| openvswitch (commit 4a92602aa1cd "openvswitch: allow management from |
| inside user namespaces") and nl80211 (commit 5617c6cd6f844 "nl80211: |
| Allow privileged operations from user namespaces"). |
| |
| I tested this in the container runtime trustm3 (trustm3.github.io) |
| and was able to create l2tp tunnels and sessions in unpriviliged |
| (user namespaced) containers using a private network namespace. |
| For other runtimes such as docker or lxc this should work, too. |
| |
| Signed-off-by: Michael Weià <michael.weiss@aisec.fraunhofer.de> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/l2tp/l2tp_netlink.c | 16 ++++++++-------- |
| 1 file changed, 8 insertions(+), 8 deletions(-) |
| |
| --- a/net/l2tp/l2tp_netlink.c |
| +++ b/net/l2tp/l2tp_netlink.c |
| @@ -920,51 +920,51 @@ static const struct genl_ops l2tp_nl_ops |
| .cmd = L2TP_CMD_TUNNEL_CREATE, |
| .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, |
| .doit = l2tp_nl_cmd_tunnel_create, |
| - .flags = GENL_ADMIN_PERM, |
| + .flags = GENL_UNS_ADMIN_PERM, |
| }, |
| { |
| .cmd = L2TP_CMD_TUNNEL_DELETE, |
| .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, |
| .doit = l2tp_nl_cmd_tunnel_delete, |
| - .flags = GENL_ADMIN_PERM, |
| + .flags = GENL_UNS_ADMIN_PERM, |
| }, |
| { |
| .cmd = L2TP_CMD_TUNNEL_MODIFY, |
| .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, |
| .doit = l2tp_nl_cmd_tunnel_modify, |
| - .flags = GENL_ADMIN_PERM, |
| + .flags = GENL_UNS_ADMIN_PERM, |
| }, |
| { |
| .cmd = L2TP_CMD_TUNNEL_GET, |
| .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, |
| .doit = l2tp_nl_cmd_tunnel_get, |
| .dumpit = l2tp_nl_cmd_tunnel_dump, |
| - .flags = GENL_ADMIN_PERM, |
| + .flags = GENL_UNS_ADMIN_PERM, |
| }, |
| { |
| .cmd = L2TP_CMD_SESSION_CREATE, |
| .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, |
| .doit = l2tp_nl_cmd_session_create, |
| - .flags = GENL_ADMIN_PERM, |
| + .flags = GENL_UNS_ADMIN_PERM, |
| }, |
| { |
| .cmd = L2TP_CMD_SESSION_DELETE, |
| .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, |
| .doit = l2tp_nl_cmd_session_delete, |
| - .flags = GENL_ADMIN_PERM, |
| + .flags = GENL_UNS_ADMIN_PERM, |
| }, |
| { |
| .cmd = L2TP_CMD_SESSION_MODIFY, |
| .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, |
| .doit = l2tp_nl_cmd_session_modify, |
| - .flags = GENL_ADMIN_PERM, |
| + .flags = GENL_UNS_ADMIN_PERM, |
| }, |
| { |
| .cmd = L2TP_CMD_SESSION_GET, |
| .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, |
| .doit = l2tp_nl_cmd_session_get, |
| .dumpit = l2tp_nl_cmd_session_dump, |
| - .flags = GENL_ADMIN_PERM, |
| + .flags = GENL_UNS_ADMIN_PERM, |
| }, |
| }; |
| |