diff options
| author | Denis V. Lunev <den@openvz.org> | 2007-11-30 08:21:31 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:54:24 -0500 |
| commit | b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch) | |
| tree | c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/sched/cls_api.c | |
| parent | ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff) | |
[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)
Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break. So this patch deliberately
disables all of the rtnletlink methods in everything except the
initial network namespace. After the methods have been audited this
extra check can be disabled.
Changes from v1:
- added IPv6 addrlabel protection
Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'net/sched/cls_api.c')
| -rw-r--r-- | net/sched/cls_api.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index bb98045d5508..fdab6a530bba 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c | |||
| @@ -23,6 +23,8 @@ | |||
| 23 | #include <linux/init.h> | 23 | #include <linux/init.h> |
| 24 | #include <linux/kmod.h> | 24 | #include <linux/kmod.h> |
| 25 | #include <linux/netlink.h> | 25 | #include <linux/netlink.h> |
| 26 | #include <net/net_namespace.h> | ||
| 27 | #include <net/sock.h> | ||
| 26 | #include <net/netlink.h> | 28 | #include <net/netlink.h> |
| 27 | #include <net/pkt_sched.h> | 29 | #include <net/pkt_sched.h> |
| 28 | #include <net/pkt_cls.h> | 30 | #include <net/pkt_cls.h> |
| @@ -119,6 +121,7 @@ static __inline__ u32 tcf_auto_prio(struct tcf_proto *tp) | |||
| 119 | 121 | ||
| 120 | static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg) | 122 | static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg) |
| 121 | { | 123 | { |
| 124 | struct net *net = skb->sk->sk_net; | ||
| 122 | struct rtattr **tca; | 125 | struct rtattr **tca; |
| 123 | struct tcmsg *t; | 126 | struct tcmsg *t; |
| 124 | u32 protocol; | 127 | u32 protocol; |
| @@ -135,6 +138,9 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg) | |||
| 135 | unsigned long fh; | 138 | unsigned long fh; |
| 136 | int err; | 139 | int err; |
| 137 | 140 | ||
| 141 | if (net != &init_net) | ||
| 142 | return -EINVAL; | ||
| 143 | |||
| 138 | replay: | 144 | replay: |
| 139 | tca = arg; | 145 | tca = arg; |
| 140 | t = NLMSG_DATA(n); | 146 | t = NLMSG_DATA(n); |
| @@ -375,6 +381,7 @@ static int tcf_node_dump(struct tcf_proto *tp, unsigned long n, struct tcf_walke | |||
| 375 | 381 | ||
| 376 | static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb) | 382 | static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb) |
| 377 | { | 383 | { |
| 384 | struct net *net = skb->sk->sk_net; | ||
| 378 | int t; | 385 | int t; |
| 379 | int s_t; | 386 | int s_t; |
| 380 | struct net_device *dev; | 387 | struct net_device *dev; |
| @@ -385,6 +392,9 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb) | |||
| 385 | const struct Qdisc_class_ops *cops; | 392 | const struct Qdisc_class_ops *cops; |
| 386 | struct tcf_dump_args arg; | 393 | struct tcf_dump_args arg; |
| 387 | 394 | ||
| 395 | if (net != &init_net) | ||
| 396 | return 0; | ||
| 397 | |||
| 388 | if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm))) | 398 | if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm))) |
| 389 | return skb->len; | 399 | return skb->len; |
| 390 | if ((dev = dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL) | 400 | if ((dev = dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL) |