[NET]: Modify all rtnetlink methods to only work in the initial namespace (v2)

Before I can enable rtnetlink to work in all network namespaces I need to be certain that something won't break. So this patch deliberately disables all of the rtnletlink methods in everything except the initial network namespace. After the methods have been audited this extra check can be disabled. Changes from v1: - added IPv6 addrlabel protection Signed-off-by: Denis V. Lunev <den@openvz.org> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Denis V. Lunev <den@openvz.org> 2007-11-30 08:21:31 -0500
committer: David S. Miller <davem@davemloft.net> 2008-01-28 17:54:24 -0500
commit: b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch)
tree: c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/sched
parent: ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff)
3 files changed, 41 insertions, 0 deletions
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 72cdb0fade20..852829139c67 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -18,6 +18,8 @@
 #include <linux/skbuff.h>
 #include <linux/init.h>
 #include <linux/kmod.h>
+#include <net/net_namespace.h>
+#include <net/sock.h>
 #include <net/sch_generic.h>
 #include <net/act_api.h>
 #include <net/netlink.h>
@@ -924,10 +926,14 @@ done:
 static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 {
+        struct net *net = skb->sk->sk_net;
        struct rtattr **tca = arg;
        u32 pid = skb ? NETLINK_CB(skb).pid : 0;
        int ret = 0, ovr = 0;
+        if (net != &init_net)
+                return -EINVAL;
        if (tca[TCA_ACT_TAB-1] == NULL) {
                printk("tc_ctl_action: received NO action attribs\n");
                return -EINVAL;
@@ -997,6 +1003,7 @@ find_dump_kind(struct nlmsghdr *n)
 static int
 tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct net *net = skb->sk->sk_net;
        struct nlmsghdr *nlh;
        unsigned char *b = skb_tail_pointer(skb);
        struct rtattr *x;
@@ -1006,6 +1013,9 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
        struct tcamsg *t = (struct tcamsg *) NLMSG_DATA(cb->nlh);
        struct rtattr *kind = find_dump_kind(cb->nlh);
+        if (net != &init_net)
+                return 0;
        if (kind == NULL) {
                printk("tc_dump_action: action bad kind\n");
                return 0;
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index bb98045d5508..fdab6a530bba 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -23,6 +23,8 @@
 #include <linux/init.h>
 #include <linux/kmod.h>
 #include <linux/netlink.h>
+#include <net/net_namespace.h>
+#include <net/sock.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>
 #include <net/pkt_cls.h>
@@ -119,6 +121,7 @@ static __inline__ u32 tcf_auto_prio(struct tcf_proto *tp)
 static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 {
+        struct net *net = skb->sk->sk_net;
        struct rtattr **tca;
        struct tcmsg *t;
        u32 protocol;
@@ -135,6 +138,9 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        unsigned long fh;
        int err;
+        if (net != &init_net)
+                return -EINVAL;
 replay:
        tca = arg;
        t = NLMSG_DATA(n);
@@ -375,6 +381,7 @@ static int tcf_node_dump(struct tcf_proto *tp, unsigned long n, struct tcf_walke
 static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct net *net = skb->sk->sk_net;
        int t;
        int s_t;
        struct net_device *dev;
@@ -385,6 +392,9 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
        const struct Qdisc_class_ops *cops;
        struct tcf_dump_args arg;
+        if (net != &init_net)
+                return 0;
        if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm)))
                return skb->len;
        if ((dev = dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL)
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 259321be1ad8..f30e3f7ad885 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -29,6 +29,7 @@
 #include <linux/hrtimer.h>
 #include <net/net_namespace.h>
+#include <net/sock.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>
@@ -599,6 +600,7 @@ check_loop_fn(struct Qdisc *q, unsigned long cl, struct qdisc_walker *w)
 static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 {
+        struct net *net = skb->sk->sk_net;
        struct tcmsg *tcm = NLMSG_DATA(n);
        struct rtattr **tca = arg;
        struct net_device *dev;
@@ -607,6 +609,9 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        struct Qdisc *p = NULL;
        int err;
+        if (net != &init_net)
+                return -EINVAL;
        if ((dev = __dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL)
                return -ENODEV;
@@ -660,6 +665,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 {
+        struct net *net = skb->sk->sk_net;
        struct tcmsg *tcm;
        struct rtattr **tca;
        struct net_device *dev;
@@ -667,6 +673,9 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        struct Qdisc *q, *p;
        int err;
+        if (net != &init_net)
+                return -EINVAL;
 replay:
        /* Reinit, just in case something touches this. */
        tcm = NLMSG_DATA(n);
@@ -872,11 +881,15 @@ err_out:
 static int tc_dump_qdisc(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct net *net = skb->sk->sk_net;
        int idx, q_idx;
        int s_idx, s_q_idx;
        struct net_device *dev;
        struct Qdisc *q;
+        if (net != &init_net)
+                return 0;
        s_idx = cb->args[0];
        s_q_idx = q_idx = cb->args[1];
        read_lock(&dev_base_lock);
@@ -920,6 +933,7 @@ done:
 static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 {
+        struct net *net = skb->sk->sk_net;
        struct tcmsg *tcm = NLMSG_DATA(n);
        struct rtattr **tca = arg;
        struct net_device *dev;
@@ -932,6 +946,9 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        u32 qid = TC_H_MAJ(clid);
        int err;
+        if (net != &init_net)
+                return -EINVAL;
        if ((dev = __dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL)
                return -ENODEV;
@@ -1106,6 +1123,7 @@ static int qdisc_class_dump(struct Qdisc *q, unsigned long cl, struct qdisc_walk
 static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct net *net = skb->sk->sk_net;
        int t;
        int s_t;
        struct net_device *dev;
@@ -1113,6 +1131,9 @@ static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb)
        struct tcmsg *tcm = (struct tcmsg*)NLMSG_DATA(cb->nlh);
        struct qdisc_dump_args arg;
+        if (net != &init_net)
+                return 0;
        if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm)))
                return 0;
        if ((dev = dev_get_by_index(&init_net, tcm->tcm_ifindex)) == NULL)
author	Denis V. Lunev <den@openvz.org>	2007-11-30 08:21:31 -0500
committer	David S. Miller <davem@davemloft.net>	2008-01-28 17:54:24 -0500
commit	b854272b3c732316676e9128f7b9e6f1e1ff88b0 (patch)
tree	c90c74b9ec068453881f1173da4c57d6bb00a7d9 /net/sched
parent	ad5d20a63940fcfb40af76ba06148f36d5d0b433 (diff)