diff options
| author | Denis V. Lunev <den@openvz.org> | 2007-11-30 08:21:31 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:54:24 -0500 |
| commit | b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch) | |
| tree | c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/decnet | |
| parent | ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff) | |
[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)
Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break. So this patch deliberately
disables all of the rtnletlink methods in everything except the
initial network namespace. After the methods have been audited this
extra check can be disabled.
Changes from v1:
- added IPv6 addrlabel protection
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'net/decnet')
| -rw-r--r-- | net/decnet/dn_dev.c | 14 | ||||
| -rw-r--r-- | net/decnet/dn_fib.c | 8 | ||||
| -rw-r--r-- | net/decnet/dn_route.c | 8 | ||||
| -rw-r--r-- | net/decnet/dn_table.c | 4 |
4 files changed, 33 insertions, 1 deletions
diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c index 3bc82dc83b38..94256845a057 100644 --- a/net/decnet/dn_dev.c +++ b/net/decnet/dn_dev.c | |||
| @@ -647,11 +647,15 @@ static const struct nla_policy dn_ifa_policy[IFA_MAX+1] = { | |||
| 647 | 647 | ||
| 648 | static int dn_nl_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | 648 | static int dn_nl_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) |
| 649 | { | 649 | { |
| 650 | struct net *net = skb->sk->sk_net; | ||
| 650 | struct nlattr *tb[IFA_MAX+1]; | 651 | struct nlattr *tb[IFA_MAX+1]; |
| 651 | struct dn_dev *dn_db; | 652 | struct dn_dev *dn_db; |
| 652 | struct ifaddrmsg *ifm; | 653 | struct ifaddrmsg *ifm; |
| 653 | struct dn_ifaddr *ifa, **ifap; | 654 | struct dn_ifaddr *ifa, **ifap; |
| 654 | int err; | 655 | int err = -EINVAL; |
| 656 | |||
| 657 | if (net != &init_net) | ||
| 658 | goto errout; | ||
| 655 | 659 | ||
| 656 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy); | 660 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy); |
| 657 | if (err < 0) | 661 | if (err < 0) |
| @@ -681,6 +685,7 @@ errout: | |||
| 681 | 685 | ||
| 682 | static int dn_nl_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | 686 | static int dn_nl_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) |
| 683 | { | 687 | { |
| 688 | struct net *net = skb->sk->sk_net; | ||
| 684 | struct nlattr *tb[IFA_MAX+1]; | 689 | struct nlattr *tb[IFA_MAX+1]; |
| 685 | struct net_device *dev; | 690 | struct net_device *dev; |
| 686 | struct dn_dev *dn_db; | 691 | struct dn_dev *dn_db; |
| @@ -688,6 +693,9 @@ static int dn_nl_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | |||
| 688 | struct dn_ifaddr *ifa; | 693 | struct dn_ifaddr *ifa; |
| 689 | int err; | 694 | int err; |
| 690 | 695 | ||
| 696 | if (net != &init_net) | ||
| 697 | return -EINVAL; | ||
| 698 | |||
| 691 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy); | 699 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, dn_ifa_policy); |
| 692 | if (err < 0) | 700 | if (err < 0) |
| 693 | return err; | 701 | return err; |
| @@ -793,11 +801,15 @@ errout: | |||
| 793 | 801 | ||
| 794 | static int dn_nl_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) | 802 | static int dn_nl_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) |
| 795 | { | 803 | { |
| 804 | struct net *net = skb->sk->sk_net; | ||
| 796 | int idx, dn_idx = 0, skip_ndevs, skip_naddr; | 805 | int idx, dn_idx = 0, skip_ndevs, skip_naddr; |
| 797 | struct net_device *dev; | 806 | struct net_device *dev; |
| 798 | struct dn_dev *dn_db; | 807 | struct dn_dev *dn_db; |
| 799 | struct dn_ifaddr *ifa; | 808 | struct dn_ifaddr *ifa; |
| 800 | 809 | ||
| 810 | if (net != &init_net) | ||
| 811 | return 0; | ||
| 812 | |||
| 801 | skip_ndevs = cb->args[0]; | 813 | skip_ndevs = cb->args[0]; |
| 802 | skip_naddr = cb->args[1]; | 814 | skip_naddr = cb->args[1]; |
| 803 | 815 | ||
diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c index 3760a20d10d0..5413e1b75b5d 100644 --- a/net/decnet/dn_fib.c +++ b/net/decnet/dn_fib.c | |||
| @@ -506,10 +506,14 @@ static int dn_fib_check_attr(struct rtmsg *r, struct rtattr **rta) | |||
| 506 | 506 | ||
| 507 | static int dn_fib_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | 507 | static int dn_fib_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) |
| 508 | { | 508 | { |
| 509 | struct net *net = skb->sk->sk_net; | ||
| 509 | struct dn_fib_table *tb; | 510 | struct dn_fib_table *tb; |
| 510 | struct rtattr **rta = arg; | 511 | struct rtattr **rta = arg; |
| 511 | struct rtmsg *r = NLMSG_DATA(nlh); | 512 | struct rtmsg *r = NLMSG_DATA(nlh); |
| 512 | 513 | ||
| 514 | if (net != &init_net) | ||
| 515 | return -EINVAL; | ||
| 516 | |||
| 513 | if (dn_fib_check_attr(r, rta)) | 517 | if (dn_fib_check_attr(r, rta)) |
| 514 | return -EINVAL; | 518 | return -EINVAL; |
| 515 | 519 | ||
| @@ -522,10 +526,14 @@ static int dn_fib_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void * | |||
| 522 | 526 | ||
| 523 | static int dn_fib_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | 527 | static int dn_fib_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) |
| 524 | { | 528 | { |
| 529 | struct net *net = skb->sk->sk_net; | ||
| 525 | struct dn_fib_table *tb; | 530 | struct dn_fib_table *tb; |
| 526 | struct rtattr **rta = arg; | 531 | struct rtattr **rta = arg; |
| 527 | struct rtmsg *r = NLMSG_DATA(nlh); | 532 | struct rtmsg *r = NLMSG_DATA(nlh); |
| 528 | 533 | ||
| 534 | if (net != &init_net) | ||
| 535 | return -EINVAL; | ||
| 536 | |||
| 529 | if (dn_fib_check_attr(r, rta)) | 537 | if (dn_fib_check_attr(r, rta)) |
| 530 | return -EINVAL; | 538 | return -EINVAL; |
| 531 | 539 | ||
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c index 2a5bb0714c7e..28aeba15cf12 100644 --- a/net/decnet/dn_route.c +++ b/net/decnet/dn_route.c | |||
| @@ -1511,6 +1511,7 @@ rtattr_failure: | |||
| 1511 | */ | 1511 | */ |
| 1512 | static int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void *arg) | 1512 | static int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void *arg) |
| 1513 | { | 1513 | { |
| 1514 | struct net *net = in_skb->sk->sk_net; | ||
| 1514 | struct rtattr **rta = arg; | 1515 | struct rtattr **rta = arg; |
| 1515 | struct rtmsg *rtm = NLMSG_DATA(nlh); | 1516 | struct rtmsg *rtm = NLMSG_DATA(nlh); |
| 1516 | struct dn_route *rt = NULL; | 1517 | struct dn_route *rt = NULL; |
| @@ -1519,6 +1520,9 @@ static int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void | |||
| 1519 | struct sk_buff *skb; | 1520 | struct sk_buff *skb; |
| 1520 | struct flowi fl; | 1521 | struct flowi fl; |
| 1521 | 1522 | ||
| 1523 | if (net != &init_net) | ||
| 1524 | return -EINVAL; | ||
| 1525 | |||
| 1522 | memset(&fl, 0, sizeof(fl)); | 1526 | memset(&fl, 0, sizeof(fl)); |
| 1523 | fl.proto = DNPROTO_NSP; | 1527 | fl.proto = DNPROTO_NSP; |
| 1524 | 1528 | ||
| @@ -1596,10 +1600,14 @@ out_free: | |||
| 1596 | */ | 1600 | */ |
| 1597 | int dn_cache_dump(struct sk_buff *skb, struct netlink_callback *cb) | 1601 | int dn_cache_dump(struct sk_buff *skb, struct netlink_callback *cb) |
| 1598 | { | 1602 | { |
| 1603 | struct net *net = skb->sk->sk_net; | ||
| 1599 | struct dn_route *rt; | 1604 | struct dn_route *rt; |
| 1600 | int h, s_h; | 1605 | int h, s_h; |
| 1601 | int idx, s_idx; | 1606 | int idx, s_idx; |
| 1602 | 1607 | ||
| 1608 | if (net != &init_net) | ||
| 1609 | return 0; | ||
| 1610 | |||
| 1603 | if (NLMSG_PAYLOAD(cb->nlh, 0) < sizeof(struct rtmsg)) | 1611 | if (NLMSG_PAYLOAD(cb->nlh, 0) < sizeof(struct rtmsg)) |
| 1604 | return -EINVAL; | 1612 | return -EINVAL; |
| 1605 | if (!(((struct rtmsg *)NLMSG_DATA(cb->nlh))->rtm_flags&RTM_F_CLONED)) | 1613 | if (!(((struct rtmsg *)NLMSG_DATA(cb->nlh))->rtm_flags&RTM_F_CLONED)) |
diff --git a/net/decnet/dn_table.c b/net/decnet/dn_table.c index fda0772fa215..a3bdb8dd1fb2 100644 --- a/net/decnet/dn_table.c +++ b/net/decnet/dn_table.c | |||
| @@ -463,12 +463,16 @@ static int dn_fib_table_dump(struct dn_fib_table *tb, struct sk_buff *skb, | |||
| 463 | 463 | ||
| 464 | int dn_fib_dump(struct sk_buff *skb, struct netlink_callback *cb) | 464 | int dn_fib_dump(struct sk_buff *skb, struct netlink_callback *cb) |
| 465 | { | 465 | { |
| 466 | struct net *net = skb->sk->sk_net; | ||
| 466 | unsigned int h, s_h; | 467 | unsigned int h, s_h; |
| 467 | unsigned int e = 0, s_e; | 468 | unsigned int e = 0, s_e; |
| 468 | struct dn_fib_table *tb; | 469 | struct dn_fib_table *tb; |
| 469 | struct hlist_node *node; | 470 | struct hlist_node *node; |
| 470 | int dumped = 0; | 471 | int dumped = 0; |
| 471 | 472 | ||
| 473 | if (net != &init_net) | ||
| 474 | return 0; | ||
| 475 | |||
| 472 | if (NLMSG_PAYLOAD(cb->nlh, 0) >= sizeof(struct rtmsg) && | 476 | if (NLMSG_PAYLOAD(cb->nlh, 0) >= sizeof(struct rtmsg) && |
| 473 | ((struct rtmsg *)NLMSG_DATA(cb->nlh))->rtm_flags&RTM_F_CLONED) | 477 | ((struct rtmsg *)NLMSG_DATA(cb->nlh))->rtm_flags&RTM_F_CLONED) |
| 474 | return dn_cache_dump(skb, cb); | 478 | return dn_cache_dump(skb, cb); |