tun: fix group permission check (3ca459ea) · Commits · linux-arm / linux-sh · GitLab

Commit 3ca459ea authored Dec 05, 2024 by Stas Sergeev Committed by Jakub Kicinski Dec 07, 2024

tun: fix group permission check



Currently tun checks the group permission even if the user have matched.
Besides going against the usual permission semantic, this has a
very interesting implication: if the tun group is not among the
supplementary groups of the tun user, then effectively no one can
access the tun device. CAP_SYS_ADMIN still can, but its the same as
not setting the tun ownership.

This patch relaxes the group checking so that either the user match
or the group match is enough. This avoids the situation when no one
can access the device even though the ownership is properly set.

Also I simplified the logic by removing the redundant inversions:
tun_not_capable() --> !tun_capable()

Signed-off-by: Stas Sergeev <stsp2@yandex.ru>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 81d89e6e

Hide whitespace changes

Inline Side-by-side

Sudeep Holla @sudeep-holla
mentioned in commit a70c7b3c
· Feb 10, 2025

mentioned in commit a70c7b3c

mentioned in commit a70c7b3cbc0688016810bb2e0b9b8a0d6a530045

Toggle commit list

Please register or to comment