diff mbox series

net: allow CAP_NET_RAW to setsockopt SO_PRIORITY

Message ID 20211123203702.193221-1-zenczykowski@gmail.com (mailing list archive)
State Accepted
Commit a1b519b745489a54189e05ee934ada1b6bc595a3
Delegated to: Netdev Maintainers
Headers show
Series net: allow CAP_NET_RAW to setsockopt SO_PRIORITY | expand

Checks

Context Check Description
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 6 this patch: 6
netdev/cc_maintainers fail 3 maintainers not CCed: edumazet@google.com kuba@kernel.org davem@davemloft.net
netdev/build_clang success Errors and warnings before: 22 this patch: 22
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 10 this patch: 10
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Maciej Żenczykowski Nov. 23, 2021, 8:37 p.m. UTC 
From: Maciej Żenczykowski <maze@google.com>

CAP_NET_ADMIN is and should continue to be about configuring the
system as a whole, not about configuring per-socket or per-packet
parameters.
Sending and receiving raw packets is what CAP_NET_RAW is all about.

It can already send packets with any VLAN tag, and any IPv4 TOS
mark, and any IPv6 TCLASS mark, simply by virtue of building
such a raw packet.  Not to mention using any protocol and source/
/destination ip address/port tuple.

These are the fields that networking gear uses to prioritize packets.

Hence, a CAP_NET_RAW process is already capable of affecting traffic
prioritization after it hits the wire.  This change makes it capable
of affecting traffic prioritization even in the host at the nic and
before that in the queueing disciplines (provided skb->priority is
actually being used for prioritization, and not the TOS/TCLASS field)

Hence it makes sense to allow a CAP_NET_RAW process to set the
priority of sockets and thus packets it sends.

Signed-off-by: Maciej Żenczykowski <maze@google.com>
---
 net/core/sock.c | 1 +
 1 file changed, 1 insertion(+)

Comments

patchwork-bot+netdevbpf@kernel.org Nov. 25, 2021, 3:10 a.m. UTC | #1 
Hello:

This patch was applied to netdev/net-next.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 23 Nov 2021 12:37:02 -0800 you wrote:
> From: Maciej Żenczykowski <maze@google.com>
> 
> CAP_NET_ADMIN is and should continue to be about configuring the
> system as a whole, not about configuring per-socket or per-packet
> parameters.
> Sending and receiving raw packets is what CAP_NET_RAW is all about.
> 
> [...]

Here is the summary with links:
  - net: allow CAP_NET_RAW to setsockopt SO_PRIORITY
    https://git.kernel.org/netdev/net-next/c/a1b519b74548

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/core/sock.c b/net/core/sock.c
index 31a2b79c9b38..1e49a127adef 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1135,6 +1135,7 @@  int sock_setsockopt(struct socket *sock, int level, int optname,
 
 	case SO_PRIORITY:
 		if ((val >= 0 && val <= 6) ||
+		    ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) ||
 		    ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
 			sk->sk_priority = val;
 		else