Q: investigate the use of ns_capable_noaudit() in the network bonding driver

Question

Q: investigate the use of ns_capable_noaudit() in the network bonding driver

pcmoore opened this issue 8 years ago · 1 comments

The bonding driver has a number of CAP_NET_ADMIN checks which may not need to be audited, see the capable(CAP_NET_ADMIN) calls in the following commit:

commit 4cd6b4754492c08f00e6237fd7e5c8b443370d15
Author: Mahesh Bandewar <maheshb@google.com>
Date:   Thu Jun 18 11:30:54 2015 -0700

bonding: Display LACP info only to CAP_NET_ADMIN capable user

Actor and Partner details can be accessed via proc-fs, sys-fs
entries or netlink interface. These interfaces are world readable
at this moment. The earlier patch-series made the LACP communication
secure to avoid nuisance attack from within the same L2 domain but
it did not prevent "someone unprivileged" looking at that information
on host and perform the same act.

This patch essentially avoids spitting those entries if the user
in question does not have enough privileges.

Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Signed-off-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Answer 1 · 2017-04-12T21:14:15.000Z

We could consider replacing these capable(...) calls with calls to ns_capable_noaudit(...).