Blame - external/routing/batman-adv/patches/0007-batman-adv-allow-netlink-usage-in-unprivileged-conta.patch - T108

blob: 83ebf5e48aaacb16d16808d9abafff00a000d205 [file] [log] [blame]

b.liu	e958203	2025-04-17 19:18:16 +0800	[diff] [blame^]	1	From: Linus Lüssing <linus.luessing@c0d3.blue>
				2	Date: Mon, 1 Nov 2021 21:46:17 +0100
				3	Subject: batman-adv: allow netlink usage in unprivileged containers
				4
				5	Currently, creating a batman-adv interface in an unprivileged LXD
				6	container and attaching secondary interfaces to it with "ip" or "batctl"
				7	works fine. However all batctl debug and configuration commands
				8	fail:
				9
				10	root@container:~# batctl originators
				11	Error received: Operation not permitted
				12	root@container:~# batctl orig_interval
				13	1000
				14	root@container:~# batctl orig_interval 2000
				15	root@container:~# batctl orig_interval
				16	1000
				17
				18	To fix this change the generic netlink permissions from GENL_ADMIN_PERM
				19	to GENL_UNS_ADMIN_PERM. This way a batman-adv interface is fully
				20	maintainable as root from within a user namespace, from an unprivileged
				21	container.
				22
				23	All except one batman-adv netlink setting are per interface and do not
				24	leak information or change settings from the host system and are
				25	therefore save to retrieve or modify as root from within an unprivileged
				26	container.
				27
				28	"batctl routing_algo" / BATADV_CMD_GET_ROUTING_ALGOS is the only
				29	exception: It provides the batman-adv kernel module wide default routing
				30	algorithm. However it is read-only from netlink and an unprivileged
				31	container is still not allowed to modify
				32	/sys/module/batman_adv/parameters/routing_algo. Instead it is advised to
				33	use the newly introduced "batctl if create routing_algo RA_NAME" /
				34	IFLA_BATADV_ALGO_NAME to set the routing algorithm on interface
				35	creation, which already works fine in an unprivileged container.
				36
				37	Cc: Tycho Andersen <tycho@tycho.pizza>
				38	Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
				39	Signed-off-by: Sven Eckelmann <sven@narfation.org>
				40	Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/055fa41b73ca8dae1c1ed41777e32a8f02e80c82
				41
				42	--- /dev/null
				43	+++ b/compat-include/uapi/linux/genetlink.h
				44	@@ -0,0 +1,22 @@
				45	+/* SPDX-License-Identifier: GPL-2.0 */
				46	+/* Copyright (C) B.A.T.M.A.N. contributors:
				47	+ *
				48	+ * Marek Lindner, Simon Wunderlich
				49	+ *
				50	+ * This file contains macros for maintaining compatibility with older versions
				51	+ * of the Linux kernel.
				52	+ */
				53	+
				54	+#ifndef _NET_BATMAN_ADV_COMPAT_UAPI_LINUX_GENETLINK_H_
				55	+#define _NET_BATMAN_ADV_COMPAT_UAPI_LINUX_GENETLINK_H_
				56	+
				57	+#include <linux/version.h>
				58	+#include_next <uapi/linux/genetlink.h>
				59	+
				60	+#if LINUX_VERSION_IS_LESS(4, 6, 0)
				61	+
				62	+#define GENL_UNS_ADMIN_PERM GENL_ADMIN_PERM
				63	+
				64	+#endif /* LINUX_VERSION_IS_LESS(4, 6, 0) */
				65	+
				66	+#endif /* _NET_BATMAN_ADV_COMPAT_UAPI_LINUX_GENETLINK_H_ */
				67	--- a/net/batman-adv/netlink.c
				68	+++ b/net/batman-adv/netlink.c
				69	@@ -1369,21 +1369,21 @@ static const struct genl_ops batadv_netl
				70	{
				71	.cmd = BATADV_CMD_TP_METER,
				72	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				73	- .flags = GENL_ADMIN_PERM,
				74	+ .flags = GENL_UNS_ADMIN_PERM,
				75	.doit = batadv_netlink_tp_meter_start,
				76	.internal_flags = BATADV_FLAG_NEED_MESH,
				77	},
				78	{
				79	.cmd = BATADV_CMD_TP_METER_CANCEL,
				80	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				81	- .flags = GENL_ADMIN_PERM,
				82	+ .flags = GENL_UNS_ADMIN_PERM,
				83	.doit = batadv_netlink_tp_meter_cancel,
				84	.internal_flags = BATADV_FLAG_NEED_MESH,
				85	},
				86	{
				87	.cmd = BATADV_CMD_GET_ROUTING_ALGOS,
				88	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				89	- .flags = GENL_ADMIN_PERM,
				90	+ .flags = GENL_UNS_ADMIN_PERM,
				91	.dumpit = batadv_algo_dump,
				92	},
				93	{
				94	@@ -1398,68 +1398,68 @@ static const struct genl_ops batadv_netl
				95	{
				96	.cmd = BATADV_CMD_GET_TRANSTABLE_LOCAL,
				97	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				98	- .flags = GENL_ADMIN_PERM,
				99	+ .flags = GENL_UNS_ADMIN_PERM,
				100	.dumpit = batadv_tt_local_dump,
				101	},
				102	{
				103	.cmd = BATADV_CMD_GET_TRANSTABLE_GLOBAL,
				104	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				105	- .flags = GENL_ADMIN_PERM,
				106	+ .flags = GENL_UNS_ADMIN_PERM,
				107	.dumpit = batadv_tt_global_dump,
				108	},
				109	{
				110	.cmd = BATADV_CMD_GET_ORIGINATORS,
				111	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				112	- .flags = GENL_ADMIN_PERM,
				113	+ .flags = GENL_UNS_ADMIN_PERM,
				114	.dumpit = batadv_orig_dump,
				115	},
				116	{
				117	.cmd = BATADV_CMD_GET_NEIGHBORS,
				118	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				119	- .flags = GENL_ADMIN_PERM,
				120	+ .flags = GENL_UNS_ADMIN_PERM,
				121	.dumpit = batadv_hardif_neigh_dump,
				122	},
				123	{
				124	.cmd = BATADV_CMD_GET_GATEWAYS,
				125	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				126	- .flags = GENL_ADMIN_PERM,
				127	+ .flags = GENL_UNS_ADMIN_PERM,
				128	.dumpit = batadv_gw_dump,
				129	},
				130	{
				131	.cmd = BATADV_CMD_GET_BLA_CLAIM,
				132	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				133	- .flags = GENL_ADMIN_PERM,
				134	+ .flags = GENL_UNS_ADMIN_PERM,
				135	.dumpit = batadv_bla_claim_dump,
				136	},
				137	{
				138	.cmd = BATADV_CMD_GET_BLA_BACKBONE,
				139	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				140	- .flags = GENL_ADMIN_PERM,
				141	+ .flags = GENL_UNS_ADMIN_PERM,
				142	.dumpit = batadv_bla_backbone_dump,
				143	},
				144	{
				145	.cmd = BATADV_CMD_GET_DAT_CACHE,
				146	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				147	- .flags = GENL_ADMIN_PERM,
				148	+ .flags = GENL_UNS_ADMIN_PERM,
				149	.dumpit = batadv_dat_cache_dump,
				150	},
				151	{
				152	.cmd = BATADV_CMD_GET_MCAST_FLAGS,
				153	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				154	- .flags = GENL_ADMIN_PERM,
				155	+ .flags = GENL_UNS_ADMIN_PERM,
				156	.dumpit = batadv_mcast_flags_dump,
				157	},
				158	{
				159	.cmd = BATADV_CMD_SET_MESH,
				160	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				161	- .flags = GENL_ADMIN_PERM,
				162	+ .flags = GENL_UNS_ADMIN_PERM,
				163	.doit = batadv_netlink_set_mesh,
				164	.internal_flags = BATADV_FLAG_NEED_MESH,
				165	},
				166	{
				167	.cmd = BATADV_CMD_SET_HARDIF,
				168	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				169	- .flags = GENL_ADMIN_PERM,
				170	+ .flags = GENL_UNS_ADMIN_PERM,
				171	.doit = batadv_netlink_set_hardif,
				172	.internal_flags = BATADV_FLAG_NEED_MESH \|
				173	BATADV_FLAG_NEED_HARDIF,
				174	@@ -1475,7 +1475,7 @@ static const struct genl_ops batadv_netl
				175	{
				176	.cmd = BATADV_CMD_SET_VLAN,
				177	.validate = GENL_DONT_VALIDATE_STRICT \| GENL_DONT_VALIDATE_DUMP,
				178	- .flags = GENL_ADMIN_PERM,
				179	+ .flags = GENL_UNS_ADMIN_PERM,
				180	.doit = batadv_netlink_set_vlan,
				181	.internal_flags = BATADV_FLAG_NEED_MESH \|
				182	BATADV_FLAG_NEED_VLAN,