[PATCH v4 02/12] netlink: check for CAP_NET_ADMIN manually

Sun, 07 Oct 2018 07:13:03 -0700 

---
 src/netlink.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index 56749ba..ca90cdf 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -169,6 +169,7 @@ err:
 static int get_device_start(struct netlink_callback *cb)
 {
        struct nlattr **attrs = genl_family_attrbuf(&genl_family);
+       struct net *dev_net = sock_net(cb->skb->sk);
        struct wireguard_device *wg;
        int ret;
 
@@ -176,6 +177,8 @@ static int get_device_start(struct netlink_callback *cb)
                          genl_family.maxattr, device_policy, NULL);
        if (ret < 0)
                return ret;
+       if (!netlink_ns_capable(cb->skb, dev_net->user_ns, CAP_NET_ADMIN))
+               return -EPERM;
        cb->args[2] = (long)kzalloc(sizeof(struct allowedips_cursor),
                                    GFP_KERNEL);
        if (unlikely(!cb->args[2]))
@@ -477,9 +480,17 @@ out:
 
 static int set_device(struct sk_buff *skb, struct genl_info *info)
 {
-       struct wireguard_device *wg = lookup_interface(info->attrs, skb);
+       struct net *dev_net = sock_net(skb->sk);
+       struct wireguard_device *wg;
        int ret;
 
+       if (!netlink_ns_capable(skb, dev_net->user_ns, CAP_NET_ADMIN)) {
+               ret = -EPERM;
+               goto out_nodev;
+       }
+
+       wg = lookup_interface(info->attrs, skb);
+
        if (IS_ERR(wg)) {
                ret = PTR_ERR(wg);
                goto out_nodev;
@@ -581,12 +592,10 @@ struct genl_ops genl_ops[] = {
                .dumpit = get_device_dump,
                .done = get_device_done,
                .policy = device_policy,
-               .flags = GENL_UNS_ADMIN_PERM
        }, {
                .cmd = WG_CMD_SET_DEVICE,
                .doit = set_device,
                .policy = device_policy,
-               .flags = GENL_UNS_ADMIN_PERM
        }
 };
 
-- 
2.19.0

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Reply via email to