From: Antonio Quartulli <[email protected]> Netlink API calls can be allowed as long as the user has CAP_NET_ADMIN in the source namespace.
There is no need to enforce broader capabilities. Therefore switch to GENL_UNS_ADMIN_PERM for all netlink ops.
Closes: https://github.com/OpenVPN/ovpn-net-next/issues/33
Signed-off-by: Antonio Quartulli <[email protected]>
---
 Documentation/netlink/specs/ovpn.yaml | 16 ++++++++--------
 drivers/net/ovpn/netlink-gen.c        | 18 +++++++++---------
 2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/Documentation/netlink/specs/ovpn.yaml b/Documentation/netlink/specs/ovpn.yaml
index b0c782e59a32..5d1f71b2ff78 100644
--- a/Documentation/netlink/specs/ovpn.yaml
+++ b/Documentation/netlink/specs/ovpn.yaml
@@ -397,7 +397,7 @@ operations:
     -
       name: peer-new
       attribute-set: ovpn-peer-new-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Add a remote peer
       do:
         pre: ovpn-nl-pre-doit
@@ -409,7 +409,7 @@ operations:
     -
       name: peer-set
       attribute-set: ovpn-peer-set-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: modify a remote peer
       do:
         pre: ovpn-nl-pre-doit
@@ -421,7 +421,7 @@ operations:
     -
       name: peer-get
       attribute-set: ovpn
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Retrieve data about existing remote peers (or a specific one)
       do:
         pre: ovpn-nl-pre-doit
@@ -443,7 +443,7 @@ operations:
     -
       name: peer-del
       attribute-set: ovpn-peer-del-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Delete existing remote peer
       do:
         pre: ovpn-nl-pre-doit
@@ -461,7 +461,7 @@ operations:
     -
       name: key-new
       attribute-set: ovpn
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Add a cipher key for a specific peer
       do:
         pre: ovpn-nl-pre-doit
@@ -473,7 +473,7 @@ operations:
     -
       name: key-get
       attribute-set: ovpn-keyconf-get
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Retrieve non-sensitive data about peer key and cipher
       do:
         pre: ovpn-nl-pre-doit
@@ -488,7 +488,7 @@ operations:
     -
       name: key-swap
       attribute-set: ovpn-keyconf-swap-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Swap primary and secondary session keys for a specific peer
       do:
         pre: ovpn-nl-pre-doit
@@ -507,7 +507,7 @@ operations:
     -
       name: key-del
       attribute-set: ovpn-keyconf-del-input
-      flags: [admin-perm]
+      flags: [uns-admin-perm]
       doc: Delete cipher key for a specific peer
       do:
         pre: ovpn-nl-pre-doit
diff --git a/drivers/net/ovpn/netlink-gen.c b/drivers/net/ovpn/netlink-gen.c
index 2147cec7c2c5..6f1237f65674 100644
--- a/drivers/net/ovpn/netlink-gen.c
+++ b/drivers/net/ovpn/netlink-gen.c
@@ -179,7 +179,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit = ovpn_nl_post_doit,
 		.policy = ovpn_peer_new_nl_policy,
 		.maxattr = OVPN_A_PEER,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd = OVPN_CMD_PEER_SET,
@@ -188,7 +188,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit = ovpn_nl_post_doit,
 		.policy = ovpn_peer_set_nl_policy,
 		.maxattr = OVPN_A_PEER,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd = OVPN_CMD_PEER_GET,
@@ -197,14 +197,14 @@ static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit = ovpn_nl_post_doit,
 		.policy = ovpn_peer_get_do_nl_policy,
 		.maxattr = OVPN_A_PEER,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd = OVPN_CMD_PEER_GET,
 		.dumpit = ovpn_nl_peer_get_dumpit,
 		.policy = ovpn_peer_get_dump_nl_policy,
 		.maxattr = OVPN_A_IFINDEX,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DUMP,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP,
 	},
 	{
 		.cmd = OVPN_CMD_PEER_DEL,
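Review bot: With GENL_UNS_ADMIN_PERM the core only checks CAP_NET_ADMIN in the user namespace that owns the caller's network namespace, so the namespace scoping of every op in this table (the three hunks here and the five in the next line) now rests entirely on the handlers, which are outside this diff. Please confirm that ovpn_nl_pre_doit resolves OVPN_A_IFINDEX through genl_info_net(info) and that ovpn_nl_peer_get_dumpit — the one entry with no pre_doit, in the -197,14 hunk — resolves it through sock_net(skb->sk) rather than init_net; otherwise an admin of an unprivileged namespace could address an ovpn interface owned by another namespace. Since netlink-gen.c is generated from ovpn.yaml, the place for that contract is the handler rather than this table, e.g. a comment above the ifindex lookup such as `/* CAP_NET_ADMIN is checked per-netns (GENL_UNS_ADMIN_PERM): never look the ifindex up outside the caller's netns */`. The ovpn_nl_ops[] definition starts and ends outside these hunks.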
@@ -213,7 +213,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit = ovpn_nl_post_doit,
 		.policy = ovpn_peer_del_nl_policy,
 		.maxattr = OVPN_A_PEER,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd = OVPN_CMD_KEY_NEW,
@@ -222,7 +222,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit = ovpn_nl_post_doit,
 		.policy = ovpn_key_new_nl_policy,
 		.maxattr = OVPN_A_KEYCONF,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd = OVPN_CMD_KEY_GET,
@@ -231,7 +231,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit = ovpn_nl_post_doit,
 		.policy = ovpn_key_get_nl_policy,
 		.maxattr = OVPN_A_KEYCONF,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd = OVPN_CMD_KEY_SWAP,
@@ -240,7 +240,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit = ovpn_nl_post_doit,
 		.policy = ovpn_key_swap_nl_policy,
 		.maxattr = OVPN_A_KEYCONF,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 	{
 		.cmd = OVPN_CMD_KEY_DEL,
@@ -249,7 +249,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = {
 		.post_doit = ovpn_nl_post_doit,
 		.policy = ovpn_key_del_nl_policy,
 		.maxattr = OVPN_A_KEYCONF,
-		.flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
+		.flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO,
 	},
 };
 
-- 
2.53.0

_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
