diff mbox series

[net-next] net: align SO_RCVMARK required privileges with SO_MARK

Message ID 20220504095459.2663513-1-eyal.birger@gmail.com (mailing list archive)
State Accepted
Commit 1f86123b97491cc2b5071d7f9933f0e91890c976
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 6 this patch: 6
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 9 this patch: 9
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 6 this patch: 6
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 12 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Eyal Birger May 4, 2022, 9:54 a.m. UTC
The commit referenced in the "Fixes" tag added the SO_RCVMARK socket
option for receiving the skb mark in the ancillary data.

Since this is a new capability, and exposes admin configured details
regarding the underlying network setup to sockets, let's align the
needed capabilities with those of SO_MARK.

Fixes: 6fd1d51cfa25 ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()")
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
---
 net/core/sock.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Jakub Kicinski May 5, 2022, 10:51 p.m. UTC | #1
On Wed,  4 May 2022 12:54:59 +0300 Eyal Birger wrote:
> The commit referenced in the "Fixes" tag added the SO_RCVMARK socket
> option for receiving the skb mark in the ancillary data.
> 
> Since this is a new capability, and exposes admin configured details
> regarding the underlying network setup to sockets, let's align the
> needed capabilities with those of SO_MARK.
> 
> Fixes: 6fd1d51cfa25 ("net: SO_RCVMARK socket option for SO_MARK with recvmsg()")
> Signed-off-by: Eyal Birger <eyal.birger@gmail.com>

It's not really as bad as the ability to set the mark, but since
Erin is not complaining I assume it's fine with their use case.

patchwork-bot+netdevbpf@kernel.org May 6, 2022, 1:20 a.m. UTC | #2
Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed,  4 May 2022 12:54:59 +0300 you wrote:
> The commit referenced in the "Fixes" tag added the SO_RCVMARK socket
> option for receiving the skb mark in the ancillary data.
> 
> Since this is a new capability, and exposes admin configured details
> regarding the underlying network setup to sockets, let's align the
> needed capabilities with those of SO_MARK.
> 
> [...]

Here is the summary with links:
  - [net-next] net: align SO_RCVMARK required privileges with SO_MARK
    https://git.kernel.org/netdev/net-next/c/1f86123b9749

You are awesome, thank you!
Patch

diff --git a/net/core/sock.c b/net/core/sock.c
index be20a1af20e5..6b287eb5427b 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1315,6 +1315,12 @@  int sock_setsockopt(struct socket *sock, int level, int optname,
 		__sock_set_mark(sk, val);
 		break;
 	case SO_RCVMARK:
+		if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
+		    !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+			ret = -EPERM;
+			break;
+		}
+
 		sock_valbool_flag(sk, SOCK_RCVMARK, valbool);
 		break;
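
Review bot: The capability check at the top of the SO_RCVMARK case runs before valbool is consulted, so a caller without CAP_NET_RAW or CAP_NET_ADMIN gets -EPERM even when passing 0 to clear SOCK_RCVMARK. If that is intended, a short comment in the case saying so would help; otherwise gate only the enabling path. The two-capability condition is also open-coded here, and since the stated goal is to match SO_MARK, a small shared helper for the ns_capable(sock_net(sk)->user_ns, ...) test would keep the two options from drifting apart. Note as well that the check is made against the user namespace owning the socket's network namespace, so the new -EPERM is a userspace-visible change for unprivileged callers that should be mentioned wherever SO_RCVMARK is documented.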