authorTakashi Iwai <tiwai@suse.de>2019-06-19 15:21:18 +0200
committerTakashi Iwai <tiwai@suse.de>2019-06-19 15:21:18 +0200
commit6ec05b16a56165ba4ed7af05205997bf17e56210 (patch)
treec8ada08c0360dcc301a2a4daa7a11f23f6cd9ea2
parentf04fcd0bdf31acd6f562d741796cda1bd6f3cc57 (diff)
vlan: disable SIOCSHWTSTAMP in container (bsc#1051510).
-rw-r--r--patches.fixes/vlan-disable-SIOCSHWTSTAMP-in-container.patch44
-rw-r--r--series.conf1
2 files changed, 45 insertions, 0 deletions
diff --git a/patches.fixes/vlan-disable-SIOCSHWTSTAMP-in-container.patch b/patches.fixes/vlan-disable-SIOCSHWTSTAMP-in-container.patch
new file mode 100644
index 0000000000..5436a3754d
--- /dev/null
+++ b/patches.fixes/vlan-disable-SIOCSHWTSTAMP-in-container.patch
@@ -0,0 +1,44 @@
+From 873017af778439f2f8e3d87f28ddb1fcaf244a76 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 9 May 2019 14:55:07 +0800
+Subject: [PATCH] vlan: disable SIOCSHWTSTAMP in container
+Git-commit: 873017af778439f2f8e3d87f28ddb1fcaf244a76
+Patch-mainline: v5.2-rc1
+References: bsc#1051510
+
+With NET_ADMIN enabled in container, a normal user could be mapped to
+root and is able to change the real device's rx filter via ioctl on
+vlan, which would affect the other ptp process on host. Fix it by
+disabling SIOCSHWTSTAMP in container.
+
+Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ net/8021q/vlan_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index f044ae56a313..2a9a60733594 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -370,10 +370,12 @@ static int vlan_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ ifrr.ifr_ifru = ifr->ifr_ifru;
+
+ switch (cmd) {
++ case SIOCSHWTSTAMP:
++ if (!net_eq(dev_net(dev), &init_net))
++ break;
+ case SIOCGMIIPHY:
+ case SIOCGMIIREG:
+ case SIOCSMIIREG:
+- case SIOCSHWTSTAMP:
+ case SIOCGHWTSTAMP:
+ if (netif_device_present(real_dev) && ops->ndo_do_ioctl)
+ err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd);
+--
+2.16.4
+
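Review bot: The new `case SIOCSHWTSTAMP:` in vlan_dev_ioctl falls into the `SIOCGMIIPHY` group with no annotation, so the intended fall-through for a device in init_net looks the same as a forgotten `break`; add `/* fall through */` right after the `break;` line. When the `net_eq(dev_net(dev), &init_net)` check fails, the `break` leaves `err` at whatever value it was given before the hunk, which is not visible here. It should be confirmed that this is an error code such as `-EOPNOTSUPP` and not 0, otherwise a caller in a non-init namespace would see a silent success for a request that was dropped. A one-line comment above the check, e.g. `/* changing hw timestamp config affects the real device; allow only from init_net */`, would record why the set ioctl is gated while `SIOCGHWTSTAMP` is still forwarded. The function body starts and ends outside the hunk.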
diff --git a/series.conf b/series.conf
index 2ed92a9b76..076dbf31bf 100644
--- a/series.conf
+++ b/series.conf
@@ -22379,6 +22379,7 @@
patches.drivers/clk-rockchip-fix-wrong-clock-definitions-for-rk3328.patch
patches.drivers/clk-rockchip-Fix-video-codec-clocks-on-rk3288.patch
patches.suse/tipc-fix-hanging-clients-using-poll-with-EPOLLOUT-fl.patch
+ patches.fixes/vlan-disable-SIOCSHWTSTAMP-in-container.patch
patches.arch/powerpc-numa-improve-control-of-topology-updates.patch
patches.arch/powerpc-numa-document-topology_updates_enabled-disab.patch
patches.arch/powerpc-powernv-idle-Restore-IAMR-after-idle.patch