[rh7] ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers

Submitted by Konstantin Khorenko on Oct. 24, 2019, 4:06 p.m.

Details

Message ID 20191024160620.3202-1-khorenko@virtuozzo.com
State New
Series "ve/net/core: allow to call setsockopt(SO_SNDBUFFORCE) from Containers"

Commit Message

Konstantin Khorenko Oct. 24, 2019, 4:06 p.m.
"nft" util (in CentOS 8 environment) does use setsockopt(SO_SNDBUFFORCE)
unconditionally, so we have to allow it from inside a Container.

At the same time we don't want to allow a Container to set too much
memory for a socket, so just treat SO_SNDBUFFORCE like SO_SNDBUF if
called inside a Container.

Simple rule to test:
 # nft add rule filter INPUT ct state related,established accept

https://jira.sw.ru/browse/PSBM-98794

Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 net/core/sock.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)


diff --git a/net/core/sock.c b/net/core/sock.c
index e3462cf37649..e56100a6f0d7 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -757,6 +757,7 @@  int sock_setsockopt(struct socket *sock, int level, int optname,
 		sock_valbool_flag(sk, SOCK_BROADCAST, valbool);
 		break;
 	case SO_SNDBUF:
+unpriv_sndbuf:
 		/* Don't error on this BSD doesn't and if you think
 		 * about it this is right. Otherwise apps have to
 		 * play 'guess the biggest size' games. RCVBUF/SNDBUF
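Review bot: the new `unpriv_sndbuf:` label sits between `case SO_SNDBUF:` and the long explanatory comment with nothing saying why a jump target exists here, so a reader of the SO_SNDBUF path has to scan the rest of the switch to find the `goto`. Consider a one-line comment on the label (e.g. "entry point for SO_SNDBUFFORCE from a non-super Container: clamp to sysctl_wmem_max like SO_SNDBUF") so the shared clamp behaviour is documented where it is executed.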
@@ -775,11 +776,15 @@  int sock_setsockopt(struct socket *sock, int level, int optname,
 		break;
 
 	case SO_SNDBUFFORCE:
-		if (!capable(CAP_NET_ADMIN)) {
+		if (!ve_capable(CAP_NET_ADMIN)) {
 			ret = -EPERM;
 			break;
 		}
 
+		/* nft utility uses this sockopt in CentOS 8 env */
+		if (!ve_is_super(get_exec_env()))
+			goto unpriv_sndbuf;
+
 		/* No negative values (to prevent underflow, as val will be
 		 * multiplied by 2).
 		 */
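Review bot: with the `ve_capable(CAP_NET_ADMIN)` check kept ahead of the `ve_is_super()` test, an in-Container caller without CAP_NET_ADMIN still gets -EPERM on SO_SNDBUFFORCE instead of the SO_SNDBUF behaviour, while a caller that has it silently gets a value clamped to sysctl_wmem_max rather than the forced size; both are reasonable, but the comment "nft utility uses this sockopt in CentOS 8 env" records only the motivation, not this semantic. Suggest rewording it along the lines of "Inside a Container treat SO_SNDBUFFORCE as SO_SNDBUF (clamped, never exceeds wmem_max); needed because nft in CentOS 8 calls it unconditionally" so the intentional silent clamp is clear to the next person touching this path.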

Comments

Andrey Ryabinin Oct. 25, 2019, 9:05 a.m.
On 10/24/19 7:06 PM, Konstantin Khorenko wrote:
> "nft" util (in CentOS 8 environment) does use setsockopt(SO_SNDBUFFORCE)
> unconditionally, so we have to allow it from inside a Container.
> 
> At the same time we don't want to allow a Container to set too much
> memory for a socket, so just treat SO_SNDBUFFORCE like SO_SNDBUF if
> called inside a Container.
> 
> Simple rule to test:
>  # nft add rule filter INPUT ct state related,established accept
> 
> https://jira.sw.ru/browse/PSBM-98794
> 
> Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
> ---
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>