Message ID | 20230310221547.3656194-5-anjali.k.kulkarni@oracle.com (mailing list archive)
---|---
State | Superseded
Delegated to: | Netdev Maintainers
Series | Process connector bug fixes & enhancements
Context | Check | Description |
---|---|---|
netdev/series_format | success | Posting correctly formatted |
netdev/tree_selection | success | Guessed tree name to be net-next |
netdev/fixes_present | success | Fixes tag not required for -next series |
netdev/header_inline | success | No static functions without inline keyword in header files |
netdev/build_32bit | success | Errors and warnings before: 23 this patch: 23 |
netdev/cc_maintainers | success | CCed 5 of 5 maintainers |
netdev/build_clang | success | Errors and warnings before: 18 this patch: 18 |
netdev/verify_signedoff | success | Signed-off-by tag matches author and committer |
netdev/deprecated_api | success | None detected |
netdev/check_selftest | success | No net selftest shell script |
netdev/verify_fixes | success | No Fixes tag |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 23 this patch: 23 |
netdev/checkpatch | warning | WARNING: 'acceess' may be misspelled - perhaps 'access'? |
netdev/kdoc | success | Errors and warnings before: 3 this patch: 3 |
netdev/source_inline | fail | Was 0 now: 1 |
diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c index 84f38d2bd4b9..4ff7f8635a6b 100644 --- a/drivers/connector/cn_proc.c +++ b/drivers/connector/cn_proc.c @@ -375,12 +375,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, !task_is_in_init_pid_ns(current)) return; - /* Can only change if privileged. */ - if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) { - err = EPERM; - goto out; - } - if (msg->len == sizeof(mc_op)) mc_op = *((enum proc_cn_mcast_op *)msg->data); else @@ -413,7 +407,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, break; } -out: cn_proc_ack(err, msg->seq, msg->ack); } diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index b311375b8c4c..ae30ec678ad9 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -939,6 +939,16 @@ bool netlink_net_capable(const struct sk_buff *skb, int cap) } EXPORT_SYMBOL(netlink_net_capable); +static inline bool netlink_multicast_allowed(const struct socket *sock, + unsigned long groups) +{ + if (sock->sk->sk_protocol == NETLINK_CONNECTOR) { + if (test_bit(CN_IDX_PROC - 1, &groups)) + return true; + } + return false; +} + static inline int netlink_allowed(const struct socket *sock, unsigned int flag) { return (nl_table[sock->sk->sk_protocol].flags & flag) || @@ -1025,7 +1035,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr, /* Only superuser is allowed to listen multicasts */ if (groups) { if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV)) - return -EPERM; + if (!netlink_multicast_allowed(sock, groups)) + return -EPERM; err = netlink_realloc_groups(sk); if (err) return err;
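Review bot: dropping the `__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)` check leaves cn_proc_mcast_ctl() with no privilege gate at all, and the new check in netlink_bind() does not cover this path: bind-time group permissions decide who may receive CN_IDX_PROC multicasts, whereas this function is reached by sending a control message, which does not require having bound to the group first. As written, any process in the init pid namespace can issue PROC_CN_MCAST_LISTEN and PROC_CN_MCAST_IGNORE. The commit message only argues that the event data itself is non-sensitive; it should also say why unprivileged control of the listener state is acceptable, or keep a capability check here and relax only the bind path. Minor: with `goto out` and the `out:` label gone, confirm that `err` is still assigned on every remaining path before `cn_proc_ack(err, msg->seq, msg->ack)` so the ack never reports a stale value.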
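Review bot: netlink_multicast_allowed() returns true whenever the CN_IDX_PROC bit is set in `groups`, without requiring it to be the only bit set. In netlink_bind() `groups` is the caller-supplied nl_groups mask, so an unprivileged caller can request CN_IDX_PROC together with any other connector group and the bind is accepted for all of them, which defeats the per-group granularity the commit message describes. Compare the whole mask instead of testing one bit, e.g. `return groups == BIT(CN_IDX_PROC - 1);` (or `!(groups & ~BIT(CN_IDX_PROC - 1))`). Two smaller points: the `static inline` on a function in a .c file is what trips the source_inline check above, and netdev style is to drop `inline` and let the compiler decide; and CN_IDX_PROC comes from linux/connector.h, so af_netlink.c needs that include if it does not already have it, which also hard-wires a connector-specific constant into core netlink code. A per-protocol hook, or an NL_CFG_F_ flag that the connector driver sets for its own groups, would keep the policy with the protocol that owns it.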
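Review bot: the nested `if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV)) if (!netlink_multicast_allowed(sock, groups)) return -EPERM;` is two unbraced ifs in a row, which checkpatch and readers both dislike; fold them into one condition: `if (!netlink_allowed(sock, NL_CFG_F_NONROOT_RECV) && !netlink_multicast_allowed(sock, groups)) return -EPERM;`. The comment just above, `/* Only superuser is allowed to listen multicasts */`, is now inaccurate and should mention the per-group exception so the next reader does not "fix" the code back to the old rule.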
There were a couple of reasons for not allowing non-root users access initially - one is that at some point there was no proper receive buffer management in place for netlink multicast. But that should be long fixed. See link below for more context.

Second is that some of the messages may contain data that is root only. But this should be handled with a finer granularity, which is being done at the protocol layer. The only problematic protocols are nf_queue and the firewall netlink. Hence, this restriction for non-root access was relaxed for NETLINK_ROUTE initially: https://lore.kernel.org/all/20020612013101.A22399@wotan.suse.de/

This restriction has also been removed for the following protocols: NETLINK_KOBJECT_UEVENT, NETLINK_AUDIT, NETLINK_SOCK_DIAG, NETLINK_GENERIC, NETLINK_SELINUX.

Since process connector messages are not sensitive (process fork, exit notifications etc.), and anyone can read /proc data, we can allow non-root access here. However, since process event notification is not the only consumer of NETWORK_CONNECTOR, we can make this change even more fine grained than the protocol level, by checking for the multicast group within the protocol.

Added a new function netlink_multicast_allowed(), which checks if the protocol is NETWORK_CONNECTOR, and if the multicast group is CN_IDX_PROC (process event notification) - if so, then allow non-root access. For other multicast groups of NETWORK_CONNECTOR, do not allow non-root access.

The reason we need this change is we cannot run our DB application as root.

Signed-off-by: Anjali Kulkarni <anjali.k.kulkarni@oracle.com>
---
 drivers/connector/cn_proc.c |  7 -------
 net/netlink/af_netlink.c    | 13 ++++++++++++-
 2 files changed, 12 insertions(+), 8 deletions(-)
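The userspace side of what this patch changes, as an added example that is not part of the patch or the kernel tree: a proc-connector subscriber that binds a NETLINK_CONNECTOR socket to the CN_IDX_PROC multicast group (the netlink_bind() path) and then sends the PROC_CN_MCAST_LISTEN / PROC_CN_MCAST_IGNORE control messages (the cn_proc_mcast_ctl() path). The helper names, the REQ_PAYLOAD macro and the 10-event cap are my own choices; the message layout and the "cn_msg.len must equal sizeof(op)" rule come from the hunks above. Message build and parse are kept apart from the socket code so they can be checked without a kernel.

```c
/* Added example, not the patch author's code: a userspace proc-connector
 * subscriber covering the two paths the patch touches. Helper names and the
 * 10-event cap in main() are arbitrary choices. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>

#define REQ_PAYLOAD (sizeof(struct cn_msg) + sizeof(enum proc_cn_mcast_op))

/* Build nlmsghdr + cn_msg + one proc_cn_mcast_op into buf; returns bytes
 * written, or -1 if buf is too small. cn.len must be sizeof(op) exactly:
 * cn_proc_mcast_ctl() rejects any other length. */
static int build_proc_mcast_req(unsigned char *buf, size_t buflen,
                                enum proc_cn_mcast_op op, __u32 seq)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct cn_msg cn = { .id = { CN_IDX_PROC, CN_VAL_PROC }, .seq = seq,
                         .len = sizeof(op) };

    if (buflen < NLMSG_SPACE(REQ_PAYLOAD))
        return -1;
    memset(buf, 0, NLMSG_SPACE(REQ_PAYLOAD));
    nlh->nlmsg_len = NLMSG_LENGTH(REQ_PAYLOAD);
    nlh->nlmsg_type = NLMSG_DONE;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = (__u32)getpid();
    memcpy(NLMSG_DATA(nlh), &cn, sizeof(cn));
    memcpy((unsigned char *)NLMSG_DATA(nlh) + sizeof(cn), &op, sizeof(op));
    return (int)NLMSG_SPACE(REQ_PAYLOAD);
}

/* Inverse of the above with the kernel-side length checks: the nlmsg must fit
 * in len and the cn_msg must carry exactly one op. 0 on success, -1 if not. */
static int parse_proc_mcast_req(const unsigned char *buf, size_t len,
                                enum proc_cn_mcast_op *op)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    const struct cn_msg *cn;

    if (!NLMSG_OK(nlh, len) || NLMSG_PAYLOAD(nlh, 0) < REQ_PAYLOAD)
        return -1;
    cn = (const struct cn_msg *)NLMSG_DATA(nlh);
    if (cn->id.idx != CN_IDX_PROC || cn->id.val != CN_VAL_PROC ||
        cn->len != sizeof(*op))
        return -1;
    memcpy(op, cn->data, sizeof(*op));
    return 0;
}

/* Open NETLINK_CONNECTOR and join CN_IDX_PROC. Group N is bit N-1 of nl_groups
 * and CN_IDX_PROC == 1, so the mask is 1. Without the patch this bind() fails
 * with EPERM for a caller lacking CAP_NET_ADMIN; with it, this group is allowed. */
static int open_proc_connector(void)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = CN_IDX_PROC,
                              .nl_pid = (__u32)getpid() };
    int fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR);

    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    unsigned char buf[NLMSG_SPACE(4096)] __attribute__((aligned(8)));
    int fd = open_proc_connector(), n, seen = 0;

    if (fd < 0) {
        perror("bind NETLINK_CONNECTOR/CN_IDX_PROC");
        return 1;
    }
    n = build_proc_mcast_req(buf, sizeof(buf), PROC_CN_MCAST_LISTEN, 1);
    if (n < 0 || send(fd, buf, (size_t)n, 0) != n) {
        perror("send PROC_CN_MCAST_LISTEN");
        return 1;
    }
    /* Report a few fork/exit events, then unsubscribe and leave. */
    while (seen++ < 10 && (n = (int)recv(fd, buf, sizeof(buf), 0)) > 0) {
        const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
        const struct cn_msg *cn = (const struct cn_msg *)NLMSG_DATA(nlh);
        const struct proc_event *ev = (const struct proc_event *)cn->data;

        if (!NLMSG_OK(nlh, (size_t)n) || cn->len < sizeof(*ev))
            continue;
        if (ev->what == PROC_EVENT_FORK)
            printf("fork: %d -> %d\n", ev->event_data.fork.parent_pid,
                   ev->event_data.fork.child_pid);
        else if (ev->what == PROC_EVENT_EXIT)
            printf("exit: %d code %u\n", ev->event_data.exit.process_pid,
                   ev->event_data.exit.exit_code);
    }
    n = build_proc_mcast_req(buf, sizeof(buf), PROC_CN_MCAST_IGNORE, 2);
    if (n > 0)
        send(fd, buf, (size_t)n, 0);
    close(fd);
    return 0;
}
```

Build with `cc -o procmon procmon.c` and run it as an unprivileged user: on a kernel without this patch the bind() reports EPERM, which is the behaviour the patch removes for this one group; with it, the program receives fork and exit events for the whole init pid namespace, which is the exposure the reviewer notes above weigh against the commit message's "anyone can read /proc" argument.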