[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)

Before I can enable rtnetlink to work in all network namespaces I need
to be certain that something won't break.  So this patch deliberately
disables all of the rtnletlink methods in everything except the
initial network namespace.  After the methods have been audited this
extra check can be disabled.

Changes from v1:
- added IPv6 addrlabel protection

Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

1 files changed, 21 insertions, 0 deletions

diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 259321be1ad8..f30e3f7ad885 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -29,6 +29,7 @@
 #include <linux/hrtimer.h>
 
 #include <net/net_namespace.h>
+#include <net/sock.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>
 
@@ -599,6 +600,7 @@ check_loop_fn(struct Qdisc *q, unsigned long cl, struct qdisc_walker *w)
 
 static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 {
+        struct net *net = skb->sk->sk_net;
         struct tcmsg *tcm = NLMSG_DATA(n);
         struct rtattr **tca = arg;
         struct net_device *dev;
@@ -607,6 +609,9 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
         struct Qdisc *p = NULL;
         int err;
 
+        if (net != &init_net)
+                return -EINVAL;
+
         if ((dev = __dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL)
                 return -ENODEV;
 
@@ -660,6 +665,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 
 static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 {
+        struct net *net = skb->sk->sk_net;
         struct tcmsg *tcm;
         struct rtattr **tca;
         struct net_device *dev;
@@ -667,6 +673,9 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
         struct Qdisc *q, *p;
         int err;
 
+        if (net != &init_net)
+                return -EINVAL;
+
 replay:
         /* Reinit, just in case something touches this. */
         tcm = NLMSG_DATA(n);
@@ -872,11 +881,15 @@ err_out:
 
 static int tc_dump_qdisc(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct net *net = skb->sk->sk_net;
         int idx, q_idx;
         int s_idx, s_q_idx;
         struct net_device *dev;
         struct Qdisc *q;
 
+        if (net != &init_net)
+                return 0;
+
         s_idx = cb->args[0];
         s_q_idx = q_idx = cb->args[1];
         read_lock(&dev_base_lock);
@@ -920,6 +933,7 @@ done:
 
 static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 {
+        struct net *net = skb->sk->sk_net;
         struct tcmsg *tcm = NLMSG_DATA(n);
         struct rtattr **tca = arg;
         struct net_device *dev;
@@ -932,6 +946,9 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
         u32 qid = TC_H_MAJ(clid);
         int err;
 
+        if (net != &init_net)
+                return -EINVAL;
+
         if ((dev = __dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL)
                 return -ENODEV;
 
@@ -1106,6 +1123,7 @@ static int qdisc_class_dump(struct Qdisc *q, unsigned long cl, struct qdisc_walk
 
 static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct net *net = skb->sk->sk_net;
         int t;
         int s_t;
         struct net_device *dev;
@@ -1113,6 +1131,9 @@ static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb)
         struct tcmsg *tcm = (struct tcmsg*)NLMSG_DATA(cb->nlh);
         struct qdisc_dump_args arg;
 
+        if (net != &init_net)
+                return 0;
+
         if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm)))
                 return 0;
         if ((dev = dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL)