Message ID | 20230309031953.2350213-5-anjali.k.kulkarni@oracle.com (mailing list archive)
---|---
State | Superseded
Delegated to: | Netdev Maintainers
Series | Process connector bug fixes & enhancements
Context | Check | Description
---|---|---
netdev/series_format | success | Posting correctly formatted |
netdev/tree_selection | success | Guessed tree name to be net-next |
netdev/fixes_present | success | Fixes tag not required for -next series |
netdev/header_inline | success | No static functions without inline keyword in header files |
netdev/build_32bit | success | Errors and warnings before: 20 this patch: 20 |
netdev/cc_maintainers | success | CCed 5 of 5 maintainers |
netdev/build_clang | success | Errors and warnings before: 18 this patch: 18 |
netdev/verify_signedoff | success | Signed-off-by tag matches author and committer |
netdev/deprecated_api | success | None detected |
netdev/check_selftest | success | No net selftest shell script |
netdev/verify_fixes | success | No Fixes tag |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 20 this patch: 20 |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 26 lines checked |
netdev/kdoc | success | Errors and warnings before: 3 this patch: 3 |
netdev/source_inline | success | Was 0 now: 0 |
On Wed, Mar 08, 2023 at 07:19:52PM -0800, Anjali Kulkarni wrote:
> The patch allows non-root users to receive cn proc connector
> notifications, as anyone can normally get process start/exit status from
> /proc. The reason for not allowing non-root users to receive multicast
> messages is long gone, as described in this thread:
> https://linux-kernel.vger.kernel.narkive.com/CpJFcnra/multicast-netlink-for-non-root-process

Sorry that thread is kinda convoluted. Could you please provide a summary
in the commit message and explain why this isn't an issue anymore?
diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c index ef3820b43b5c..03ba70f07113 100644 --- a/drivers/connector/cn_proc.c +++ b/drivers/connector/cn_proc.c @@ -376,12 +376,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, !task_is_in_init_pid_ns(current)) return; - /* Can only change if privileged. */ - if (!__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)) { - err = EPERM; - goto out; - } - if (msg->len == sizeof(mc_op)) mc_op = *((enum proc_cn_mcast_op *)msg->data); else @@ -414,7 +408,6 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg, break; } -out: cn_proc_ack(err, msg->seq, msg->ack); } diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c index 1b7851b1aa0f..136a9f38a063 100644 --- a/drivers/connector/connector.c +++ b/drivers/connector/connector.c @@ -251,6 +251,7 @@ static int cn_init(void) { struct cn_dev *dev = &cdev; struct netlink_kernel_cfg cfg = { + .flags = NL_CFG_F_NONROOT_RECV, .groups = CN_NETLINK_USERS + 0xf, .input = cn_rx_skb, };
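Review bot: the `__netlink_ns_capable(nsp, &init_user_ns, CAP_NET_ADMIN)` check removed from cn_proc_mcast_ctl in the first hunk gated the control message itself (`mc_op = *((enum proc_cn_mcast_op *)msg->data)` and the LISTEN/IGNORE switch that follows), not merely the reception of events, so after this hunk any process that passes `task_is_in_init_pid_ns(current)` can send either control op. The commit message only argues that receiving notifications is harmless because the same data is in /proc; it should also state why unprivileged control of the multicast state is acceptable, or, if it is not, keep the capability check on this control path and limit the relaxation to the `NL_CFG_F_NONROOT_RECV` flag in connector.c.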
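Review bot: in the connector.c hunk, `.flags = NL_CFG_F_NONROOT_RECV` is set on the connector's `netlink_kernel_cfg`, so it applies to every multicast group on the NETLINK_CONNECTOR socket (`.groups = CN_NETLINK_USERS + 0xf`), not only to the process-events group that the subject and rationale discuss. Please say so explicitly in the commit message and confirm that opening reception of the other connector groups to unprivileged users is intended, since the justification given (process start/exit status is already readable from /proc) covers only cn_proc.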
The patch allows non-root users to receive cn proc connector
notifications, as anyone can normally get process start/exit status from
/proc. The reason for not allowing non-root users to receive multicast
messages is long gone, as described in this thread:
https://linux-kernel.vger.kernel.narkive.com/CpJFcnra/multicast-netlink-for-non-root-process

Also, many other netlink protocols allow non-root users to receive
multicast messages, and there is no reason to discriminate against
CONNECTOR.

The reason we need this change is that we need to run our DB application
as a non-root user.

Signed-off-by: Anjali Kulkarni <anjali.k.kulkarni@oracle.com>
---
 drivers/connector/cn_proc.c   | 7 -------
 drivers/connector/connector.c | 1 +
 2 files changed, 1 insertion(+), 7 deletions(-)