kernel_optimize_test/net/batman-adv
Linus Lüssing ebe9c978d9 batman-adv: allow netlink usage in unprivileged containers
[ Upstream commit 9057d6c23e7388ee9d037fccc9a7bc8557ce277b ]

Currently, creating a batman-adv interface in an unprivileged LXD
container and attaching secondary interfaces to it with "ip" or "batctl"
works fine. However, all batctl debug and configuration commands
fail:

  root@container:~# batctl originators
  Error received: Operation not permitted
  root@container:~# batctl orig_interval
  1000
  root@container:~# batctl orig_interval 2000
  root@container:~# batctl orig_interval
  1000

To fix this change the generic netlink permissions from GENL_ADMIN_PERM
to GENL_UNS_ADMIN_PERM. This way a batman-adv interface is fully
maintainable as root from within a user namespace, from an unprivileged
container.

All except one batman-adv netlink setting are per interface and do not
leak information or change settings from the host system and are
therefore safe to retrieve or modify as root from within an unprivileged
container.

"batctl routing_algo" / BATADV_CMD_GET_ROUTING_ALGOS is the only
exception: It provides the batman-adv kernel module wide default routing
algorithm. However it is read-only from netlink and an unprivileged
container is still not allowed to modify
/sys/module/batman_adv/parameters/routing_algo. Instead it is advised to
use the newly introduced "batctl if create routing_algo RA_NAME" /
IFLA_BATADV_ALGO_NAME to set the routing algorithm on interface
creation, which already works fine in an unprivileged container.

Cc: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-01-27 10:54:11 +01:00
bat_algo.c
bat_algo.h
bat_iv_ogm.c batman-adv: Avoid WARN_ON timing related checks 2021-06-23 14:42:41 +02:00
bat_iv_ogm.h
bat_v_elp.c
bat_v_elp.h
bat_v_ogm.c
bat_v_ogm.h
bat_v.c
bat_v.h
bitarray.c
bitarray.h
bridge_loop_avoidance.c net: batman-adv: fix error handling 2021-11-02 19:48:22 +01:00
bridge_loop_avoidance.h
debugfs.c
debugfs.h
distributed-arp-table.c
distributed-arp-table.h
fragmentation.c batman-adv: Don't always reallocate the fragmentation skb head 2020-11-27 08:02:55 +01:00
fragmentation.h
gateway_client.c
gateway_client.h
gateway_common.c
gateway_common.h
hard-interface.c batman-adv: Consider fragmentation for needed_headroom 2020-11-27 08:02:55 +01:00
hard-interface.h
hash.c
hash.h
icmp_socket.c
icmp_socket.h
Kconfig
log.c batman-adv: set .owner to THIS_MODULE 2020-11-15 11:43:56 +01:00
log.h
main.c net: batman-adv: fix error handling 2021-11-02 19:48:22 +01:00
main.h
Makefile
multicast.c batman-adv: mcast: don't send link-local multicast to mcast routers 2022-01-11 15:25:00 +01:00
multicast.h batman-adv: mcast: don't send link-local multicast to mcast routers 2022-01-11 15:25:00 +01:00
netlink.c batman-adv: allow netlink usage in unprivileged containers 2022-01-27 10:54:11 +01:00
netlink.h
network-coding.c net: batman-adv: fix error handling 2021-11-02 19:48:22 +01:00
network-coding.h
originator.c
originator.h
routing.c
routing.h
send.c
send.h
soft-interface.c batman-adv: mcast: don't send link-local multicast to mcast routers 2022-01-11 15:25:00 +01:00
soft-interface.h
sysfs.c
sysfs.h
tp_meter.c
tp_meter.h
trace.c
trace.h
translation-table.c net: batman-adv: fix error handling 2021-11-02 19:48:22 +01:00
translation-table.h
tvlv.c
tvlv.h
types.h