On Wed, 2015-06-17 at 17:59 -0700, Mahesh Bandewar wrote: > Actor and Partner details can be accessed via proc-fs, sys-fs > entries or netlink interface. These interfaces are world readable > at this moment. The earlier patch-series made the LACP communication > secure to avoid nuisance attack from within the same L2 domain but > it did not prevent "someone unprivileged" looking at that information > on host and perform the same act. > > This patch essentially avoids spitting those entries if the user > in question does not have enough privileges. > > Signed-off-by: Mahesh Bandewar <mahe...@google.com> > --- > drivers/net/bonding/bond_netlink.c | 11 ++-- > drivers/net/bonding/bond_procfs.c | 101 > +++++++++++++++++++------------------ > drivers/net/bonding/bond_sysfs.c | 12 ++--- > 3 files changed, 67 insertions(+), 57 deletions(-) > > diff --git a/drivers/net/bonding/bond_netlink.c > b/drivers/net/bonding/bond_netlink.c > index 5580fcde738f..3fd3aa4b145e 100644 > --- a/drivers/net/bonding/bond_netlink.c > +++ b/drivers/net/bonding/bond_netlink.c > @@ -600,18 +600,23 @@ static int bond_fill_info(struct sk_buff *skb, > > if (BOND_MODE(bond) == BOND_MODE_8023AD) { > struct ad_info info; > + u8 zero_mac[ETH_ALEN]; > > + eth_zero_addr(zero_mac); > if (nla_put_u16(skb, IFLA_BOND_AD_ACTOR_SYS_PRIO, > - bond->params.ad_actor_sys_prio)) > + capable(CAP_NET_ADMIN) ? > + bond->params.ad_actor_sys_prio : 0)) > goto nla_put_failure; > > if (nla_put_u16(skb, IFLA_BOND_AD_USER_PORT_KEY, > - bond->params.ad_user_port_key)) > + capable(CAP_NET_ADMIN) ? > + bond->params.ad_user_port_key : 0)) > goto nla_put_failure; > > if (nla_put(skb, IFLA_BOND_AD_ACTOR_SYSTEM, > sizeof(bond->params.ad_actor_system), > - &bond->params.ad_actor_system)) > + capable(CAP_NET_ADMIN) ? > + &bond->params.ad_actor_system : &zero_mac)) > goto nla_put_failure; >
Hmm... I would rather not send these fake attributes at all ? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html