[RH8] ve: Change error code in vz_security_protocol_check to -EPROTONOSUPPORT

Submitted by Valeriy Vdovin on May 18, 2020, 1:53 p.m.

Details

Message ID 1589810001-560244-1-git-send-email-valeriy.vdovin@virtuozzo.com
State New
Series "ve: Change error code in vz_security_protocol_check to -EPROTONOSUPPORT"
Headers show

Commit Message

Valeriy Vdovin May 18, 2020, 1:53 p.m.
'vz_security_protocol_check' is a part of socket creation routine.
Socket creation can be split into separate stages:
 - family validation and family specific object creation
 - protocol validation and protocol specific object creation
First family argument is validated. If family is ok, then the code
can proceeds to further work with protocol agrument.

As part of family validation procedure for containers
vz_security_family_check is called. If family is not supported in
container environment and the current context is container the
function returns with -EAFNOSUPPORT code.

As part of protocol validation procedure for containers
vz_security_protocol_check is called. If protocol is not supported
in container environment and the current context is container the
function CURRENTLY returns with -EAFNOSUPPORT code, although by
context of the current socket preparation step it should instead
return -EPROTONOSUPPORT.

https://jira.sw.ru/browse/PSBM-104225
Signed-off-by: Valeriy Vdovin <valeriy.vdovin@virtuozzo.com>
---
 kernel/ve/ve.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index bf9f06d..a94d9cf 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1059,7 +1059,7 @@  int vz_security_protocol_check(struct net *net, int protocol)
 	case  IPPROTO_SCTP:
 		return 0;
 	default:
-		return -EAFNOSUPPORT;
+		return -EPROTONOSUPPORT;
 	}
 }
 EXPORT_SYMBOL_GPL(vz_security_protocol_check);

Comments

Vasily Averin May 18, 2020, 11:28 p.m.
On 5/18/20 4:53 PM, Valeriy Vdovin wrote:
> 'vz_security_protocol_check' is a part of socket creation routine.
> Socket creation can be split into separate stages:
>  - family validation and family specific object creation
>  - protocol validation and protocol specific object creation
> First family argument is validated. If family is ok, then the code
> can proceeds to further work with protocol agrument.
> 
> As part of family validation procedure for containers
> vz_security_family_check is called. If family is not supported in
> container environment and the current context is container the
> function returns with -EAFNOSUPPORT code.
> 
> As part of protocol validation procedure for containers
> vz_security_protocol_check is called. If protocol is not supported
> in container environment and the current context is container the
> function CURRENTLY returns with -EAFNOSUPPORT code, although by
> context of the current socket preparation step it should instead
> return -EPROTONOSUPPORT.
> 
> https://jira.sw.ru/browse/PSBM-104225
> Signed-off-by: Valeriy Vdovin <valeriy.vdovin@virtuozzo.com>
> ---
>  kernel/ve/ve.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
> index bf9f06d..a94d9cf 100644
> --- a/kernel/ve/ve.c
> +++ b/kernel/ve/ve.c
> @@ -1059,7 +1059,7 @@ int vz_security_protocol_check(struct net *net, int protocol)
>  	case  IPPROTO_SCTP:
>  		return 0;
>  	default:
> -		return -EAFNOSUPPORT;
> +		return -EPROTONOSUPPORT;

I do no like this change:
this check worked well for ages, and is well tested by huge number of tools and application.
and we changes it just to satisfy some new version of _one_ userspace tool, 
which is _not_critical_ for us at all.

Please take look at old related bugs
https://jira.sw.ru/browse/PSBM-37418
https://jira.sw.ru/browse/PSBM-47413

Last one have fixed similar problem by using following hunk, it still present in vz6

@@ -1247,6 +1247,8 @@ int vz_security_protocol_check(int protocol)
 	case  IPPROTO_ESP:
 	case  IPPROTO_AH:
 		break;
+	case  IPPROTO_ICMP:
+		return -EACCES;
 	default:
 		return -EAFNOSUPPORT;
 	}

I think it's better to add similar check for ICMP6 and do not change default error code.

Thank you,
	Vasily Averin