diff options
| author | Denis V. Lunev <den@openvz.org> | 2007-11-30 08:21:31 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:54:24 -0500 |
| commit | b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch) | |
| tree | c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/ipv4 | |
| parent | ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff) | |
[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)
Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break. So this patch deliberately
disables all of the rtnletlink methods in everything except the
initial network namespace. After the methods have been audited this
extra check can be disabled.
Changes from v1:
- added IPv6 addrlabel protection
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/devinet.c | 12 | ||||
| -rw-r--r-- | net/ipv4/fib_frontend.c | 12 | ||||
| -rw-r--r-- | net/ipv4/route.c | 4 |
3 files changed, 28 insertions, 0 deletions
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index b42f74617bac..c0eb26a0d0bc 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c | |||
| @@ -441,6 +441,7 @@ struct in_ifaddr *inet_ifa_byprefix(struct in_device *in_dev, __be32 prefix, | |||
| 441 | 441 | ||
| 442 | static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | 442 | static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) |
| 443 | { | 443 | { |
| 444 | struct net *net = skb->sk->sk_net; | ||
| 444 | struct nlattr *tb[IFA_MAX+1]; | 445 | struct nlattr *tb[IFA_MAX+1]; |
| 445 | struct in_device *in_dev; | 446 | struct in_device *in_dev; |
| 446 | struct ifaddrmsg *ifm; | 447 | struct ifaddrmsg *ifm; |
| @@ -449,6 +450,9 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg | |||
| 449 | 450 | ||
| 450 | ASSERT_RTNL(); | 451 | ASSERT_RTNL(); |
| 451 | 452 | ||
| 453 | if (net != &init_net) | ||
| 454 | return -EINVAL; | ||
| 455 | |||
| 452 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy); | 456 | err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy); |
| 453 | if (err < 0) | 457 | if (err < 0) |
| 454 | goto errout; | 458 | goto errout; |
| @@ -560,10 +564,14 @@ errout: | |||
| 560 | 564 | ||
| 561 | static int inet_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) | 565 | static int inet_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg) |
| 562 | { | 566 | { |
| 567 | struct net *net = skb->sk->sk_net; | ||
| 563 | struct in_ifaddr *ifa; | 568 | struct in_ifaddr *ifa; |
| 564 | 569 | ||
| 565 | ASSERT_RTNL(); | 570 | ASSERT_RTNL(); |
| 566 | 571 | ||
| 572 | if (net != &init_net) | ||
| 573 | return -EINVAL; | ||
| 574 | |||
| 567 | ifa = rtm_to_ifaddr(nlh); | 575 | ifa = rtm_to_ifaddr(nlh); |
| 568 | if (IS_ERR(ifa)) | 576 | if (IS_ERR(ifa)) |
| 569 | return PTR_ERR(ifa); | 577 | return PTR_ERR(ifa); |
| @@ -1174,12 +1182,16 @@ nla_put_failure: | |||
| 1174 | 1182 | ||
| 1175 | static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) | 1183 | static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) |
| 1176 | { | 1184 | { |
| 1185 | struct net *net = skb->sk->sk_net; | ||
| 1177 | int idx, ip_idx; | 1186 | int idx, ip_idx; |
| 1178 | struct net_device *dev; | 1187 | struct net_device *dev; |
| 1179 | struct in_device *in_dev; | 1188 | struct in_device *in_dev; |
| 1180 | struct in_ifaddr *ifa; | 1189 | struct in_ifaddr *ifa; |
| 1181 | int s_ip_idx, s_idx = cb->args[0]; | 1190 | int s_ip_idx, s_idx = cb->args[0]; |
| 1182 | 1191 | ||
| 1192 | if (net != &init_net) | ||
| 1193 | return 0; | ||
| 1194 | |||
| 1183 | s_ip_idx = ip_idx = cb->args[1]; | 1195 | s_ip_idx = ip_idx = cb->args[1]; |
| 1184 | idx = 0; | 1196 | idx = 0; |
| 1185 | for_each_netdev(&init_net, dev) { | 1197 | for_each_netdev(&init_net, dev) { |
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 97abf934d185..e02aba5fa136 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c | |||
| @@ -538,10 +538,14 @@ errout: | |||
| 538 | 538 | ||
| 539 | static int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | 539 | static int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) |
| 540 | { | 540 | { |
| 541 | struct net *net = skb->sk->sk_net; | ||
| 541 | struct fib_config cfg; | 542 | struct fib_config cfg; |
| 542 | struct fib_table *tb; | 543 | struct fib_table *tb; |
| 543 | int err; | 544 | int err; |
| 544 | 545 | ||
| 546 | if (net != &init_net) | ||
| 547 | return -EINVAL; | ||
| 548 | |||
| 545 | err = rtm_to_fib_config(skb, nlh, &cfg); | 549 | err = rtm_to_fib_config(skb, nlh, &cfg); |
| 546 | if (err < 0) | 550 | if (err < 0) |
| 547 | goto errout; | 551 | goto errout; |
| @@ -559,10 +563,14 @@ errout: | |||
| 559 | 563 | ||
| 560 | static int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | 564 | static int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) |
| 561 | { | 565 | { |
| 566 | struct net *net = skb->sk->sk_net; | ||
| 562 | struct fib_config cfg; | 567 | struct fib_config cfg; |
| 563 | struct fib_table *tb; | 568 | struct fib_table *tb; |
| 564 | int err; | 569 | int err; |
| 565 | 570 | ||
| 571 | if (net != &init_net) | ||
| 572 | return -EINVAL; | ||
| 573 | |||
| 566 | err = rtm_to_fib_config(skb, nlh, &cfg); | 574 | err = rtm_to_fib_config(skb, nlh, &cfg); |
| 567 | if (err < 0) | 575 | if (err < 0) |
| 568 | goto errout; | 576 | goto errout; |
| @@ -580,12 +588,16 @@ errout: | |||
| 580 | 588 | ||
| 581 | static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) | 589 | static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) |
| 582 | { | 590 | { |
| 591 | struct net *net = skb->sk->sk_net; | ||
| 583 | unsigned int h, s_h; | 592 | unsigned int h, s_h; |
| 584 | unsigned int e = 0, s_e; | 593 | unsigned int e = 0, s_e; |
| 585 | struct fib_table *tb; | 594 | struct fib_table *tb; |
| 586 | struct hlist_node *node; | 595 | struct hlist_node *node; |
| 587 | int dumped = 0; | 596 | int dumped = 0; |
| 588 | 597 | ||
| 598 | if (net != &init_net) | ||
| 599 | return 0; | ||
| 600 | |||
| 589 | if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) && | 601 | if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) && |
| 590 | ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED) | 602 | ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED) |
| 591 | return ip_rt_dump(skb, cb); | 603 | return ip_rt_dump(skb, cb); |
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index a21021bf1409..1d2839571d2f 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c | |||
| @@ -2527,6 +2527,7 @@ nla_put_failure: | |||
| 2527 | 2527 | ||
| 2528 | static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg) | 2528 | static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg) |
| 2529 | { | 2529 | { |
| 2530 | struct net *net = in_skb->sk->sk_net; | ||
| 2530 | struct rtmsg *rtm; | 2531 | struct rtmsg *rtm; |
| 2531 | struct nlattr *tb[RTA_MAX+1]; | 2532 | struct nlattr *tb[RTA_MAX+1]; |
| 2532 | struct rtable *rt = NULL; | 2533 | struct rtable *rt = NULL; |
| @@ -2536,6 +2537,9 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void | |||
| 2536 | int err; | 2537 | int err; |
| 2537 | struct sk_buff *skb; | 2538 | struct sk_buff *skb; |
| 2538 | 2539 | ||
| 2540 | if (net != &init_net) | ||
| 2541 | return -EINVAL; | ||
| 2542 | |||
| 2539 | err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv4_policy); | 2543 | err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv4_policy); |
| 2540 | if (err < 0) | 2544 | if (err < 0) |
| 2541 | goto errout; | 2545 | goto errout; |