diff options
| author | Denis V. Lunev <den@openvz.org> | 2007-11-30 08:21:31 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:54:24 -0500 |
| commit | b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch) | |
| tree | c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/core | |
| parent | ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff) | |
[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)
Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break. So this patch deliberately
disables all of the rtnletlink methods in everything except the
initial network namespace. After the methods have been audited this
extra check can be disabled.
Changes from v1:
- added IPv6 addrlabel protection
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'net/core')
| -rw-r--r-- | net/core/fib_rules.c | 11 | ||||
| -rw-r--r-- | net/core/neighbour.c | 18 | ||||
| -rw-r--r-- | net/core/rtnetlink.c | 19 |
3 files changed, 48 insertions, 0 deletions
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index 848132b6cb73..3b20b6f0982e 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c | |||
| @@ -228,6 +228,9 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | |||
| 228 | struct nlattr *tb[FRA_MAX+1]; | 228 | struct nlattr *tb[FRA_MAX+1]; |
| 229 | int err = -EINVAL, unresolved = 0; | 229 | int err = -EINVAL, unresolved = 0; |
| 230 | 230 | ||
| 231 | if (net != &init_net) | ||
| 232 | return -EINVAL; | ||
| 233 | |||
| 231 | if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) | 234 | if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) |
| 232 | goto errout; | 235 | goto errout; |
| 233 | 236 | ||
| @@ -358,12 +361,16 @@ errout: | |||
| 358 | 361 | ||
| 359 | static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | 362 | static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) |
| 360 | { | 363 | { |
| 364 | struct net *net = skb->sk->sk_net; | ||
| 361 | struct fib_rule_hdr *frh = nlmsg_data(nlh); | 365 | struct fib_rule_hdr *frh = nlmsg_data(nlh); |
| 362 | struct fib_rules_ops *ops = NULL; | 366 | struct fib_rules_ops *ops = NULL; |
| 363 | struct fib_rule *rule, *tmp; | 367 | struct fib_rule *rule, *tmp; |
| 364 | struct nlattr *tb[FRA_MAX+1]; | 368 | struct nlattr *tb[FRA_MAX+1]; |
| 365 | int err = -EINVAL; | 369 | int err = -EINVAL; |
| 366 | 370 | ||
| 371 | if (net != &init_net) | ||
| 372 | return -EINVAL; | ||
| 373 | |||
| 367 | if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) | 374 | if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) |
| 368 | goto errout; | 375 | goto errout; |
| 369 | 376 | ||
| @@ -539,9 +546,13 @@ skip: | |||
| 539 | 546 | ||
| 540 | static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb) | 547 | static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb) |
| 541 | { | 548 | { |
| 549 | struct net *net = skb->sk->sk_net; | ||
| 542 | struct fib_rules_ops *ops; | 550 | struct fib_rules_ops *ops; |
| 543 | int idx = 0, family; | 551 | int idx = 0, family; |
| 544 | 552 | ||
| 553 | if (net != &init_net) | ||
| 554 | return -EINVAL; | ||
| 555 | |||
| 545 | family = rtnl_msg_family(cb->nlh); | 556 | family = rtnl_msg_family(cb->nlh); |
| 546 | if (family != AF_UNSPEC) { | 557 | if (family != AF_UNSPEC) { |
| 547 | /* Protocol specific dump request */ | 558 | /* Protocol specific dump request */ |
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 175bbc0a974e..29f0a4d2008f 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c | |||
| @@ -1449,6 +1449,9 @@ static int neigh_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
| 1449 | struct net_device *dev = NULL; | 1449 | struct net_device *dev = NULL; |
| 1450 | int err = -EINVAL; | 1450 | int err = -EINVAL; |
| 1451 | 1451 | ||
| 1452 | if (net != &init_net) | ||
| 1453 | return -EINVAL; | ||
| 1454 | |||
| 1452 | if (nlmsg_len(nlh) < sizeof(*ndm)) | 1455 | if (nlmsg_len(nlh) < sizeof(*ndm)) |
| 1453 | goto out; | 1456 | goto out; |
| 1454 | 1457 | ||
| @@ -1515,6 +1518,9 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
| 1515 | struct net_device *dev = NULL; | 1518 | struct net_device *dev = NULL; |
| 1516 | int err; | 1519 | int err; |
| 1517 | 1520 | ||
| 1521 | if (net != &init_net) | ||
| 1522 | return -EINVAL; | ||
| 1523 | |||
| 1518 | err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); | 1524 | err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL); |
| 1519 | if (err < 0) | 1525 | if (err < 0) |
| 1520 | goto out; | 1526 | goto out; |
| @@ -1789,11 +1795,15 @@ static const struct nla_policy nl_ntbl_parm_policy[NDTPA_MAX+1] = { | |||
| 1789 | 1795 | ||
| 1790 | static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | 1796 | static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) |
| 1791 | { | 1797 | { |
| 1798 | struct net *net = skb->sk->sk_net; | ||
| 1792 | struct neigh_table *tbl; | 1799 | struct neigh_table *tbl; |
| 1793 | struct ndtmsg *ndtmsg; | 1800 | struct ndtmsg *ndtmsg; |
| 1794 | struct nlattr *tb[NDTA_MAX+1]; | 1801 | struct nlattr *tb[NDTA_MAX+1]; |
| 1795 | int err; | 1802 | int err; |
| 1796 | 1803 | ||
| 1804 | if (net != &init_net) | ||
| 1805 | return -EINVAL; | ||
| 1806 | |||
| 1797 | err = nlmsg_parse(nlh, sizeof(*ndtmsg), tb, NDTA_MAX, | 1807 | err = nlmsg_parse(nlh, sizeof(*ndtmsg), tb, NDTA_MAX, |
| 1798 | nl_neightbl_policy); | 1808 | nl_neightbl_policy); |
| 1799 | if (err < 0) | 1809 | if (err < 0) |
| @@ -1913,11 +1923,15 @@ errout: | |||
| 1913 | 1923 | ||
| 1914 | static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb) | 1924 | static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb) |
| 1915 | { | 1925 | { |
| 1926 | struct net *net = skb->sk->sk_net; | ||
| 1916 | int family, tidx, nidx = 0; | 1927 | int family, tidx, nidx = 0; |
| 1917 | int tbl_skip = cb->args[0]; | 1928 | int tbl_skip = cb->args[0]; |
| 1918 | int neigh_skip = cb->args[1]; | 1929 | int neigh_skip = cb->args[1]; |
| 1919 | struct neigh_table *tbl; | 1930 | struct neigh_table *tbl; |
| 1920 | 1931 | ||
| 1932 | if (net != &init_net) | ||
| 1933 | return 0; | ||
| 1934 | |||
| 1921 | family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; | 1935 | family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; |
| 1922 | 1936 | ||
| 1923 | read_lock(&neigh_tbl_lock); | 1937 | read_lock(&neigh_tbl_lock); |
| @@ -2042,9 +2056,13 @@ out: | |||
| 2042 | 2056 | ||
| 2043 | static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb) | 2057 | static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb) |
| 2044 | { | 2058 | { |
| 2059 | struct net *net = skb->sk->sk_net; | ||
| 2045 | struct neigh_table *tbl; | 2060 | struct neigh_table *tbl; |
| 2046 | int t, family, s_t; | 2061 | int t, family, s_t; |
| 2047 | 2062 | ||
| 2063 | if (net != &init_net) | ||
| 2064 | return 0; | ||
| 2065 | |||
| 2048 | read_lock(&neigh_tbl_lock); | 2066 | read_lock(&neigh_tbl_lock); |
| 2049 | family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; | 2067 | family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; |
| 2050 | s_t = cb->args[0]; | 2068 | s_t = cb->args[0]; |
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index fed95a323b28..4edc3dac4ccd 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c | |||
| @@ -703,6 +703,9 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 703 | int s_idx = cb->args[0]; | 703 | int s_idx = cb->args[0]; |
| 704 | struct net_device *dev; | 704 | struct net_device *dev; |
| 705 | 705 | ||
| 706 | if (net != &init_net) | ||
| 707 | return 0; | ||
| 708 | |||
| 706 | idx = 0; | 709 | idx = 0; |
| 707 | for_each_netdev(net, dev) { | 710 | for_each_netdev(net, dev) { |
| 708 | if (idx < s_idx) | 711 | if (idx < s_idx) |
| @@ -905,6 +908,9 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
| 905 | struct nlattr *tb[IFLA_MAX+1]; | 908 | struct nlattr *tb[IFLA_MAX+1]; |
| 906 | char ifname[IFNAMSIZ]; | 909 | char ifname[IFNAMSIZ]; |
| 907 | 910 | ||
| 911 | if (net != &init_net) | ||
| 912 | return -EINVAL; | ||
| 913 | |||
| 908 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); | 914 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); |
| 909 | if (err < 0) | 915 | if (err < 0) |
| 910 | goto errout; | 916 | goto errout; |
| @@ -953,6 +959,9 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
| 953 | struct nlattr *tb[IFLA_MAX+1]; | 959 | struct nlattr *tb[IFLA_MAX+1]; |
| 954 | int err; | 960 | int err; |
| 955 | 961 | ||
| 962 | if (net != &init_net) | ||
| 963 | return -EINVAL; | ||
| 964 | |||
| 956 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); | 965 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); |
| 957 | if (err < 0) | 966 | if (err < 0) |
| 958 | return err; | 967 | return err; |
| @@ -1034,6 +1043,9 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
| 1034 | struct nlattr *linkinfo[IFLA_INFO_MAX+1]; | 1043 | struct nlattr *linkinfo[IFLA_INFO_MAX+1]; |
| 1035 | int err; | 1044 | int err; |
| 1036 | 1045 | ||
| 1046 | if (net != &init_net) | ||
| 1047 | return -EINVAL; | ||
| 1048 | |||
| 1037 | #ifdef CONFIG_KMOD | 1049 | #ifdef CONFIG_KMOD |
| 1038 | replay: | 1050 | replay: |
| 1039 | #endif | 1051 | #endif |
| @@ -1160,6 +1172,9 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | |||
| 1160 | struct sk_buff *nskb; | 1172 | struct sk_buff *nskb; |
| 1161 | int err; | 1173 | int err; |
| 1162 | 1174 | ||
| 1175 | if (net != &init_net) | ||
| 1176 | return -EINVAL; | ||
| 1177 | |||
| 1163 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); | 1178 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy); |
| 1164 | if (err < 0) | 1179 | if (err < 0) |
| 1165 | return err; | 1180 | return err; |
| @@ -1195,9 +1210,13 @@ errout: | |||
| 1195 | 1210 | ||
| 1196 | static int rtnl_dump_all(struct sk_buff *skb, struct netlink_callback *cb) | 1211 | static int rtnl_dump_all(struct sk_buff *skb, struct netlink_callback *cb) |
| 1197 | { | 1212 | { |
| 1213 | struct net *net = skb->sk->sk_net; | ||
| 1198 | int idx; | 1214 | int idx; |
| 1199 | int s_idx = cb->family; | 1215 | int s_idx = cb->family; |
| 1200 | 1216 | ||
| 1217 | if (net != &init_net) | ||
| 1218 | return 0; | ||
| 1219 | |||
| 1201 | if (s_idx == 0) | 1220 | if (s_idx == 0) |
| 1202 | s_idx = 1; | 1221 | s_idx = 1; |
| 1203 | for (idx=1; idx<NPROTO; idx++) { | 1222 | for (idx=1; idx<NPROTO; idx++) { |