authorJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:43 +0200
committerJiri Slaby <jslaby@suse.cz>2019-05-17 06:38:50 +0200
commit863f23604920411f2053dafc5737fafcab7bb980 (patch)
tree995bcd9a6811ad7b5efb1763eab2d784b237e2d8
parentb62b00bfefc72308deda1a1dc3faf6155b511a87 (diff)
vlan: disable SIOCSHWTSTAMP in container (bnc#1012628).
-rw-r--r--patches.kernel.org/5.1.3-027-vlan-disable-SIOCSHWTSTAMP-in-container.patch45
-rw-r--r--series.conf1
2 files changed, 46 insertions, 0 deletions
diff --git a/patches.kernel.org/5.1.3-027-vlan-disable-SIOCSHWTSTAMP-in-container.patch b/patches.kernel.org/5.1.3-027-vlan-disable-SIOCSHWTSTAMP-in-container.patch
new file mode 100644
index 0000000000..b2dc190f7f
--- /dev/null
+++ b/patches.kernel.org/5.1.3-027-vlan-disable-SIOCSHWTSTAMP-in-container.patch
@@ -0,0 +1,45 @@
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 9 May 2019 14:55:07 +0800
+Subject: [PATCH] vlan: disable SIOCSHWTSTAMP in container
+References: bnc#1012628
+Patch-mainline: 5.1.3
+Git-commit: 873017af778439f2f8e3d87f28ddb1fcaf244a76
+
+[ Upstream commit 873017af778439f2f8e3d87f28ddb1fcaf244a76 ]
+
+With NET_ADMIN enabled in container, a normal user could be mapped to
+root and is able to change the real device's rx filter via ioctl on
+vlan, which would affect the other ptp process on host. Fix it by
+disabling SIOCSHWTSTAMP in container.
+
+Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/8021q/vlan_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index 8d77b6ee4477..eb98be23423e 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -367,10 +367,12 @@ static int vlan_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+ ifrr.ifr_ifru = ifr->ifr_ifru;
+
+ switch (cmd) {
++ case SIOCSHWTSTAMP:
++ if (!net_eq(dev_net(dev), &init_net))
++ break;
+ case SIOCGMIIPHY:
+ case SIOCGMIIREG:
+ case SIOCSMIIREG:
+- case SIOCSHWTSTAMP:
+ case SIOCGHWTSTAMP:
+ if (netif_device_present(real_dev) && ops->ndo_do_ioctl)
+ err = ops->ndo_do_ioctl(real_dev, &ifrr, cmd);
+--
+2.21.0
+
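Review bot: The new `case SIOCSHWTSTAMP:` label falls through into `case SIOCGMIIPHY:` once the init_net check passes, but the fallthrough is unmarked; with -Wimplicit-fallthrough this warns, so add `/* fall through */` on the line after `break;`. On the rejection path `err` keeps whatever value it was assigned before the switch, which is outside the hunk — presumably an error code such as -EOPNOTSUPP, but worth confirming the caller gets a clear rejection rather than a stale value. The namespace test is on the vlan device while the state being protected is the real device's rx filter; that matches the description, since the vlan device is the one a container can hold. vlan_dev_ioctl begins and ends outside the hunk.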
diff --git a/series.conf b/series.conf
index 9a0fb79648..b4d11daafc 100644
--- a/series.conf
+++ b/series.conf
@@ -112,6 +112,7 @@
patches.kernel.org/5.1.3-024-packet-Fix-error-path-in-packet_init.patch
patches.kernel.org/5.1.3-025-selinux-do-not-report-error-on-connect-AF_UNSPE.patch
patches.kernel.org/5.1.3-026-tipc-fix-hanging-clients-using-poll-with-EPOLLO.patch
+ patches.kernel.org/5.1.3-027-vlan-disable-SIOCSHWTSTAMP-in-container.patch
########################################################
# Build fixes that apply to the vanilla kernel too.