From patchwork Sun Nov 17 09:05:14 2024
X-Patchwork-Submitter: stsp
X-Patchwork-Id: 13877813
X-Patchwork-Delegate: kuba@kernel.org
From: Stas Sergeev
To: linux-kernel@vger.kernel.org
Cc: Stas Sergeev, Willem de Bruijn, Jason Wang, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev@vger.kernel.org
Subject: [PATCH net-next] tun: fix group permission check
Date: Sun, 17 Nov 2024 12:05:14 +0300
Message-ID: <20241117090514.9386-1-stsp2@yandex.ru>
X-Mailer: git-send-email 2.47.0
X-Mailing-List: netdev@vger.kernel.org

Currently tun checks the group permission even if the user has matched.
Besides going against the usual permission semantics, this has a very
interesting implication: if the tun group is not among the supplementary
groups of the tun user, then effectively no one can access the tun device.
CAP_SYS_ADMIN still can, but it's the same as not setting the tun ownership.

This patch relaxes the group checking so that either the user match or the
group match is enough. This avoids the situation when no one can access the
device even though the ownership is properly set.

Also I simplified the logic by removing the redundant inversions:
tun_not_capable() --> !tun_capable()
Signed-off-by: Stas Sergeev CC: Willem de Bruijn CC: Jason Wang CC: Andrew Lunn CC: "David S. Miller" CC: Eric Dumazet CC: Jakub Kicinski CC: Paolo Abeni CC: netdev@vger.kernel.org CC: linux-kernel@vger.kernel.org --- drivers/net/tun.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 9a0f6eb32016..d35b6a48d138 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -574,14 +574,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, return ret; } -static inline bool tun_not_capable(struct tun_struct *tun) +static inline bool tun_capable(struct tun_struct *tun) { const struct cred *cred = current_cred(); struct net *net = dev_net(tun->dev); - return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || - (gid_valid(tun->group) && !in_egroup_p(tun->group))) && - !ns_capable(net->user_ns, CAP_NET_ADMIN); + if (ns_capable(net->user_ns, CAP_NET_ADMIN)) + return 1; + if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner)) + return 1; + if (gid_valid(tun->group) && in_egroup_p(tun->group)) + return 1; + return 0; } static void tun_set_real_num_queues(struct tun_struct *tun) @@ -2778,7 +2782,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) !!(tun->flags & IFF_MULTI_QUEUE)) return -EINVAL; - if (tun_not_capable(tun)) + if (!tun_capable(tun)) return -EPERM; err = security_tun_dev_open(tun->security); if (err < 0)
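Review bot: the rewrite of tun_not_capable() into tun_capable() in the first hunk changes the outcome when neither an owner nor a group has been set on the device: in the old expression both the uid_valid() and gid_valid() guards are false, so the whole `&&` evaluates to false and access is granted, whereas the new function falls through to `return 0` and the caller in tun_set_iff() then returns -EPERM for anyone without CAP_NET_ADMIN. If keeping the old behaviour is intended, add an early `if (!uid_valid(tun->owner) && !gid_valid(tun->group)) return true;`; if the stricter behaviour is intended, the commit message should say so, since it only describes a relaxation. Two smaller points on the same hunk: a function declared `bool` should return `true`/`false` rather than `1`/`0`, and the ns_capable(net->user_ns, CAP_NET_ADMIN) test has moved from being the last short-circuited term of the old expression to the first unconditional call; checking it last, as a fallback after the owner and group tests, keeps the original evaluation order.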
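Review bot: the call-site change `if (!tun_capable(tun)) return -EPERM;` in the tun_set_iff() hunk is consistent with the rename, but the commit message describing what this gate permits names CAP_SYS_ADMIN while the code it guards tests CAP_NET_ADMIN; please correct the message. Also, the subject calls this a fix for a state in which nobody can attach to a device that has both owner and group set, yet the patch carries no Fixes: tag and is posted against net-next; if it is meant as a fix it should target net and carry a Fixes: tag, otherwise drop "fix" from the subject.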
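A user-space model of the two predicates, added here as an illustration and not part of the patch or of drivers/net/tun.c: ids are plain ints, INVALID_ID stands in for an unset owner/group, and in_egroup()/has_net_admin replace the kernel's in_egroup_p()/ns_capable(). It lets the lockout case from the commit message, and the other owner/group/capability combinations, be compared side by side under the old and the patched logic.

```c
/* Added example, not part of the patch or of drivers/net/tun.c: a user-space
 * model of the old tun_not_capable() test and the patch's tun_capable().
 * Ids are plain ints, INVALID_ID stands for an unset owner/group (an
 * invalid uid/gid), and in_egroup()/has_net_admin replace the kernel's
 * in_egroup_p()/ns_capable(..., CAP_NET_ADMIN). */
#include <stdbool.h>
#include <stddef.h>

#define INVALID_ID (-1)
struct tun_model  { int owner; int group; };     /* TUNSETOWNER / TUNSETGROUP */
struct cred_model { int euid; const int *egroups; size_t ngroups; bool has_net_admin; };

static bool in_egroup(const struct cred_model *c, int gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->egroups[i] == gid)
            return true;
    return false;
}

/* Pre-patch: denied when the owner test OR the group test fails, unless capable. */
bool old_tun_not_capable(const struct tun_model *t, const struct cred_model *c)
{
    return ((t->owner != INVALID_ID && c->euid != t->owner) ||
            (t->group != INVALID_ID && !in_egroup(c, t->group))) &&
           !c->has_net_admin;
}

/* Patched: granted when capable, OR the owner matches, OR the group matches. */
bool new_tun_capable(const struct tun_model *t, const struct cred_model *c)
{
    if (c->has_net_admin)
        return true;
    if (t->owner != INVALID_ID && c->euid == t->owner)
        return true;
    if (t->group != INVALID_ID && in_egroup(c, t->group))
        return true;
    return false;
}

/* One supplementary group: would tun_set_iff() let this caller attach? */
bool tun_access_granted(bool patched, int owner, int group,
                        int euid, int egroup, bool has_net_admin)
{
    struct tun_model t = { owner, group };
    struct cred_model c = { euid, &egroup, 1, has_net_admin };
    return patched ? new_tun_capable(&t, &c) : !old_tun_not_capable(&t, &c);
}
```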