net-sysfs: require net admin in the init ns for setting tx_maxrate

BugLink: https://launchpad.net/bugs/1784501
An upcoming change will allow container root to open some /sys/class/net
files for writing. The tx_maxrate attribute can result in changes
to actual hardware devices so err on the side of caution by requiring
CAP_NET_ADMIN in the init namespace in the corresponding attribute store
operation.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 3033fced2f689d4a870b3ba6a8a676db1261d262)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Kleber Souza <kleber.souza@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 202d33c4ed0d49355468491083f03f36488a3ab3..adbcd10d7f5f4b2f2667a9701c5096f29087818b 100644 (file)
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1093,6 +1093,9 @@ static ssize_t tx_maxrate_store(struct netdev_queue *queue,
        int err, index = get_netdev_queue_index(queue);
        u32 rate = 0;
 
+       if (!capable(CAP_NET_ADMIN))
+               return -EPERM;
+
        err = kstrtou32(buf, 10, &rate);
        if (err < 0)
                return err;