From: Daniel Borkmann <dan...@iogearbox.net> Date: Wed, 20 Feb 2019 00:15:30 +0100
> When running Docker with userns isolation e.g. --userns-remap="default"
> and spawning up some containers with CAP_NET_ADMIN under this realm, I
> noticed that link changes on ipvlan slave device inside that container
> can affect all devices from this ipvlan group which are in other net
> namespaces where the container should have no permission to make changes
> to, such as the init netns, for example.
>
> This effectively allows to undo ipvlan private mode and switch globally to
> bridge mode where slaves can communicate directly without going through
> hostns, or it allows to switch between global operation mode (l2/l3/l3s)
> for everyone bound to the given ipvlan master device. libnetwork plugin
> here is creating an ipvlan master and ipvlan slave in hostns and a slave
> each that is moved into the container's netns upon creation event.
...
> One way to mitigate it is to check CAP_NET_ADMIN permissions of
> the ipvlan master device's ns, and only then allow to change
> mode or flags for all devices bound to it. Above two cases are
> then disallowed after the patch.
>
> Signed-off-by: Daniel Borkmann <dan...@iogearbox.net>

Applied and queued up for -stable. Thanks.
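Because a mode or flag change made through any slave is visible on every device bound to the same ipvlan master, a host-side audit of `ip -d link show type ipvlan` output can catch drift from the intended configuration (for example, a group created in `l3`/`private` now reporting `l2`/`bridge`) on kernels without the fix. The script below is an added example and not part of the patch or this thread; the expected mode and flag values, the device names and the sample `ip` output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the patch or the thread: audit ipvlan mode/flags
# as seen from the host netns and report any device whose mode or flag
# differs from the expected policy. Policy values below are assumptions.

EXPECTED_MODE="l3"      # assumed policy: mode the master was created with
EXPECTED_FLAG="private" # assumed policy: slaves must not talk to each other directly

# Constructed sample of `ip -d link show type ipvlan` output (device names
# and addresses are made up). ipv1 has drifted to l2/bridge.
SAMPLE='3: ipv0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    ipvlan  mode l3 private addrgenmode eui64 numtxqueues 1 numrxqueues 1
4: ipv1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    ipvlan  mode l2 bridge addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# audit_ipvlan reads `ip -d link` text on stdin and prints one line per
# device violating the policy, formatted "<ifname> mode=<m> flag=<f>".
# Exit status is 0 when every ipvlan device matches, 1 otherwise.
audit_ipvlan() {
    awk -v want_mode="$EXPECTED_MODE" -v want_flag="$EXPECTED_FLAG" '
        # Header line "N: ifname@master: <...>" gives the device name.
        /^[0-9]+: / { ifname = $2; sub(/@.*/, "", ifname); sub(/:$/, "", ifname) }
        # Detail line "ipvlan  mode <mode> [<flag>] ..." carries mode and flag.
        $1 == "ipvlan" && $2 == "mode" {
            mode = $3
            # Older iproute2 prints no flag word; the kernel default is bridge.
            flag = ($4 == "bridge" || $4 == "private" || $4 == "vepa") ? $4 : "bridge"
            if (mode != want_mode || flag != want_flag) {
                printf "%s mode=%s flag=%s\n", ifname, mode, flag
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Run against the constructed sample. On a real host use:
#   ip -d link show type ipvlan | audit_ipvlan
printf '%s\n' "$SAMPLE" | audit_ipvlan || echo "ipvlan policy drift detected"
```

Run periodically from the host (init) netns, the check does not stop a change but makes the cross-namespace effect described above observable; on a patched kernel the change is refused with EPERM inside the container and the audit stays clean.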