RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non default user namespace, such check fails. Due to this
when a process is running using Podman, it fails to modify
the QP.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 0cadb4db79e1 ("RDMA/uverbs: Restrict usage of privileged QKEYs")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Link: https://patch.msgid.link/099eb263622ccdd27014db7e02fec824a3307829.1750963874.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>

authored by

Parav Pandit and committed by

Leon Romanovsky 9 months ago 28ea058a bd82467f

+3 -2

2 changed files

expand all

drivers

infiniband

core

nldev.c

uverbs_cmd.c

+1 -1

drivers/infiniband/core/nldev.c

··· 255 255 256 256 bool rdma_nl_get_privileged_qkey(void) 257 257 { 258 - return privileged_qkey || capable(CAP_NET_RAW); 258 + return privileged_qkey; 259 259 } 260 260 EXPORT_SYMBOL(rdma_nl_get_privileged_qkey); 261 261

+2 -1

drivers/infiniband/core/uverbs_cmd.c

··· 1877 1877 attr->path_mig_state = cmd->base.path_mig_state; 1878 1878 if (cmd->base.attr_mask & IB_QP_QKEY) { 1879 1879 if (cmd->base.qkey & IB_QP_SET_QKEY && 1880 - !rdma_nl_get_privileged_qkey()) { 1880 + !(rdma_nl_get_privileged_qkey() || 1881 + rdma_uattrs_has_raw_cap(attrs))) { 1881 1882 ret = -EPERM; 1882 1883 goto release_qp; 1883 1884 }