net: add real socket cookies

A long standing problem in netlink socket dumps is the use
of kernel socket addresses as cookies.

1) It is a security concern.

2) Sockets can be reused quite quickly, so there is
   no guarantee a cookie is used once and identify
   a flow.

3) request sock, establish sock, and timewait socks
   for a given flow have different cookies.

Part of our effort to bring better TCP statistics requires
to switch to a different allocator.

In this patch, I chose to use a per network namespace 64bit generator,
and to use it only in the case a socket needs to be dumped to netlink.
(This might be refined later if needed)

Note that I tried to carry cookies from request sock, to establish sock,
then timewait sockets.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Eric Salo <salo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

5 files changed, 15 insertions, 5 deletions

diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 14d02ea905b6..34581f928afa 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -678,6 +678,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
                 newsk->sk_write_space = sk_stream_write_space;
 
                 newsk->sk_mark = inet_rsk(req)->ir_mark;
+                atomic64_set(&newsk->sk_cookie,
+                             atomic64_read(&inet_rsk(req)->ir_cookie));
 
                 newicsk->icsk_retransmits = 0;
                 newicsk->icsk_backoff     = 0;
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index ac3bfb458afd..29317ff4a007 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -221,12 +221,13 @@ static int inet_csk_diag_fill(struct sock *sk,
                                  user_ns, portid, seq, nlmsg_flags, unlh);
 }
 
-static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
+static int inet_twsk_diag_fill(struct sock *sk,
                                struct sk_buff *skb,
                                const struct inet_diag_req_v2 *req,
                                u32 portid, u32 seq, u16 nlmsg_flags,
                                const struct nlmsghdr *unlh)
 {
+        struct inet_timewait_sock *tw = inet_twsk(sk);
         struct inet_diag_msg *r;
         struct nlmsghdr *nlh;
         s32 tmo;
@@ -247,7 +248,7 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
         r->idiag_retrans      = 0;
 
         r->id.idiag_if        = tw->tw_bound_dev_if;
-        sock_diag_save_cookie(tw, r->id.idiag_cookie);
+        sock_diag_save_cookie(sk, r->id.idiag_cookie);
 
         r->id.idiag_sport     = tw->tw_sport;
         r->id.idiag_dport     = tw->tw_dport;
@@ -283,7 +284,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
                         const struct nlmsghdr *unlh)
 {
         if (sk->sk_state == TCP_TIME_WAIT)
-                return inet_twsk_diag_fill(inet_twsk(sk), skb, r, portid, seq,
+                return inet_twsk_diag_fill(sk, skb, r, portid, seq,
                                            nlmsg_flags, unlh);
 
         return inet_csk_diag_fill(sk, skb, r, user_ns, portid, seq,
@@ -675,7 +676,7 @@ static int inet_twsk_diag_dump(struct sock *sk,
         if (!inet_diag_bc_sk(bc, sk))
                 return 0;
 
-        return inet_twsk_diag_fill(inet_twsk(sk), skb, r,
+        return inet_twsk_diag_fill(sk, skb, r,
                                    NETLINK_CB(cb->skb).portid,
                                    cb->nlh->nlmsg_seq, NLM_F_MULTI, cb->nlh);
 }
@@ -734,7 +735,10 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
         r->idiag_retrans = req->num_retrans;
 
         r->id.idiag_if = sk->sk_bound_dev_if;
-        sock_diag_save_cookie(req, r->id.idiag_cookie);
+
+        BUILD_BUG_ON(offsetof(struct inet_request_sock, ir_cookie) !=
+                     offsetof(struct sock, sk_cookie));
+        sock_diag_save_cookie((struct sock *)ireq, r->id.idiag_cookie);
 
         tmo = req->expires - jiffies;
         if (tmo < 0)
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index 6d592f8555fb..2bd980526631 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -195,6 +195,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, const int stat
                 tw->tw_ipv6only     = 0;
                 tw->tw_transparent  = inet->transparent;
                 tw->tw_prot         = sk->sk_prot_creator;
+                atomic64_set(&tw->tw_cookie, atomic64_read(&sk->sk_cookie));
                 twsk_net_set(tw, hold_net(sock_net(sk)));
                 /*
                  * Because we use RCU lookups, we should not set tw_refcnt
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 45fe60c5238e..ece31b426013 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -346,6 +346,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
         req->ts_recent          = tcp_opt.saw_tstamp ? tcp_opt.rcv_tsval : 0;
         treq->snt_synack        = tcp_opt.saw_tstamp ? tcp_opt.rcv_tsecr : 0;
         treq->listener          = NULL;
+        ireq->ireq_net          = sock_net(sk);
 
         /* We throwed the options of the initial SYN away, so we hope
          * the ACK carries the same options again (see RFC1122 4.2.3.8)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index fb4cf8b8e121..d7045f5f6ebf 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5965,6 +5965,8 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
 
         tmp_opt.tstamp_ok = tmp_opt.saw_tstamp;
         tcp_openreq_init(req, &tmp_opt, skb, sk);
+        inet_rsk(req)->ireq_net = sock_net(sk);
+        atomic64_set(&inet_rsk(req)->ir_cookie, 0);
 
         af_ops->init_req(req, sk, skb);