diff options
| author | Denis V. Lunev <den@openvz.org> | 2007-11-30 08:21:31 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:54:24 -0500 |
| commit | b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch) | |
| tree | c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/sched/act_api.c | |
| parent | ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff) | |
[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)
Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break. So this patch deliberately
disables all of the rtnletlink methods in everything except the
initial network namespace. After the methods have been audited this
extra check can be disabled.
Changes from v1:
- added IPv6 addrlabel protection
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'net/sched/act_api.c')
| -rw-r--r-- | net/sched/act_api.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/net/sched/act_api.c b/net/sched/act_api.c index 72cdb0fade20..852829139c67 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c | |||
| @@ -18,6 +18,8 @@ | |||
| 18 | #include <linux/skbuff.h> | 18 | #include <linux/skbuff.h> |
| 19 | #include <linux/init.h> | 19 | #include <linux/init.h> |
| 20 | #include <linux/kmod.h> | 20 | #include <linux/kmod.h> |
| 21 | #include <net/net_namespace.h> | ||
| 22 | #include <net/sock.h> | ||
| 21 | #include <net/sch_generic.h> | 23 | #include <net/sch_generic.h> |
| 22 | #include <net/act_api.h> | 24 | #include <net/act_api.h> |
| 23 | #include <net/netlink.h> | 25 | #include <net/netlink.h> |
| @@ -924,10 +926,14 @@ done: | |||
| 924 | 926 | ||
| 925 | static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg) | 927 | static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg) |
| 926 | { | 928 | { |
| 929 | struct net *net = skb->sk->sk_net; | ||
| 927 | struct rtattr **tca = arg; | 930 | struct rtattr **tca = arg; |
| 928 | u32 pid = skb ? NETLINK_CB(skb).pid : 0; | 931 | u32 pid = skb ? NETLINK_CB(skb).pid : 0; |
| 929 | int ret = 0, ovr = 0; | 932 | int ret = 0, ovr = 0; |
| 930 | 933 | ||
| 934 | if (net != &init_net) | ||
| 935 | return -EINVAL; | ||
| 936 | |||
| 931 | if (tca[TCA_ACT_TAB-1] == NULL) { | 937 | if (tca[TCA_ACT_TAB-1] == NULL) { |
| 932 | printk("tc_ctl_action: received NO action attribs\n"); | 938 | printk("tc_ctl_action: received NO action attribs\n"); |
| 933 | return -EINVAL; | 939 | return -EINVAL; |
| @@ -997,6 +1003,7 @@ find_dump_kind(struct nlmsghdr *n) | |||
| 997 | static int | 1003 | static int |
| 998 | tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb) | 1004 | tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb) |
| 999 | { | 1005 | { |
| 1006 | struct net *net = skb->sk->sk_net; | ||
| 1000 | struct nlmsghdr *nlh; | 1007 | struct nlmsghdr *nlh; |
| 1001 | unsigned char *b = skb_tail_pointer(skb); | 1008 | unsigned char *b = skb_tail_pointer(skb); |
| 1002 | struct rtattr *x; | 1009 | struct rtattr *x; |
| @@ -1006,6 +1013,9 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 1006 | struct tcamsg *t = (struct tcamsg *) NLMSG_DATA(cb->nlh); | 1013 | struct tcamsg *t = (struct tcamsg *) NLMSG_DATA(cb->nlh); |
| 1007 | struct rtattr *kind = find_dump_kind(cb->nlh); | 1014 | struct rtattr *kind = find_dump_kind(cb->nlh); |
| 1008 | 1015 | ||
| 1016 | if (net != &init_net) | ||
| 1017 | return 0; | ||
| 1018 | |||
| 1009 | if (kind == NULL) { | 1019 | if (kind == NULL) { |
| 1010 | printk("tc_dump_action: action bad kind\n"); | 1020 | printk("tc_dump_action: action bad kind\n"); |
| 1011 | return 0; | 1021 | return 0; |