RDMA/nldev: Check CAP_NET_RAW in user namespace for QP modify
authorParav Pandit <parav@nvidia.com>
Thu, 26 Jun 2025 18:58:11 +0000 (21:58 +0300)
committerLeon Romanovsky <leon@kernel.org>
Wed, 2 Jul 2025 09:11:44 +0000 (05:11 -0400)
Currently, the capability check is done in the default
init_user_ns user namespace. When a process runs in a
non-default user namespace, such a check fails. Due to this,
when a process is running under Podman, it fails to modify
the QP.

Since the RDMA device is a resource within a network namespace,
use the network namespace associated with the RDMA device to
determine its owning user namespace.

Fixes: 0cadb4db79e1 ("RDMA/uverbs: Restrict usage of privileged QKEYs")
Signed-off-by: Parav Pandit <parav@nvidia.com>
Link: https://patch.msgid.link/099eb263622ccdd27014db7e02fec824a3307829.1750963874.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
drivers/infiniband/core/nldev.c
drivers/infiniband/core/uverbs_cmd.c

index e9b7a64192913a4ce37899a7a4f1bb343ac46a09..2220a2dfab240eaef2eb64d8e45cb221dfa25614 100644 (file)
@@ -255,7 +255,7 @@ EXPORT_SYMBOL(rdma_nl_put_driver_u64_hex);
 
 bool rdma_nl_get_privileged_qkey(void)
 {
-       return privileged_qkey || capable(CAP_NET_RAW);
+       return privileged_qkey;
 }
 EXPORT_SYMBOL(rdma_nl_get_privileged_qkey);
 
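Review bot: The exported rdma_nl_get_privileged_qkey() now reports only the privileged_qkey module parameter, so any other user of this EXPORT_SYMBOL that relied on the dropped capable(CAP_NET_RAW) fallback silently loses that check; the only caller this commit updates is modify_qp() in uverbs_cmd.c, and whether further callers exist is not visible here. The function carries no comment describing the narrowed contract, which a maintainer reading only nldev.c would miss. I would add above it `/* Reports only the privileged_qkey module parameter; callers that also want to honour CAP_NET_RAW must check it themselves in the user namespace owning the device's net namespace, e.g. via rdma_uattrs_has_raw_cap(). */`.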
index 6ab3eb49449a5b2443766990fc0e2b153f45ed76..88aa8d4599df2ef11fb39533e52466c21c9c3e07 100644 (file)
@@ -1877,7 +1877,8 @@ static int modify_qp(struct uverbs_attr_bundle *attrs,
                attr->path_mig_state = cmd->base.path_mig_state;
        if (cmd->base.attr_mask & IB_QP_QKEY) {
                if (cmd->base.qkey & IB_QP_SET_QKEY &&
-                   !rdma_nl_get_privileged_qkey()) {
+                   !(rdma_nl_get_privileged_qkey() ||
+                     rdma_uattrs_has_raw_cap(attrs))) {
                        ret = -EPERM;
                        goto release_qp;
                }
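Review bot: The combined condition on the two added lines changes the privilege boundary from CAP_NET_RAW in init_user_ns to CAP_NET_RAW in the user namespace that owns the device's net namespace (per the commit message), but nothing at the call site records why both terms are needed or in which namespace the capability is evaluated. I would add before the `if (cmd->base.qkey & IB_QP_SET_QKEY &&` line the comment `/* Privileged QKEYs require either the privileged_qkey module parameter or CAP_NET_RAW in the user namespace owning the device's net namespace. */`. rdma_uattrs_has_raw_cap() is not defined in this commit, so it presumably comes from an earlier patch in the series; that dependency is worth a sentence in the description. modify_qp() starts and ends outside the hunk.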