[1/2,RH7] netlink: protect NETLINK_REPAIR2

Submitted by Andrey Zhadchenko on Oct. 29, 2020, 9:36 a.m.

Details

Message ID 1603964161-492231-1-git-send-email-andrey.zhadchenko@virtuozzo.com
State New
Series "Series without cover letter"

Commit Message

Andrey Zhadchenko Oct. 29, 2020, 9:36 a.m.
Prevent using netlink repair mode from containers.

Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
---
 net/netlink/af_netlink.c | 5 +++++
 1 file changed, 5 insertions(+)

Patch

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7b3de33..dff6e5f 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1529,6 +1529,11 @@  static int netlink_setsockopt(struct socket *sock, int level, int optname,
 
 	switch (optname) {
 	case NETLINK_REPAIR2:
+#ifdef CONFIG_VE
+		if (!ve_is_super(get_exec_env()) &&
+		    !get_exec_env()->is_pseudosuper)
+			return -ENOPROTOOPT;
+#endif
 		if (val)
 			nlk->flags |= NETLINK_F_REPAIR;
 		else
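Review bot: the new condition evaluates get_exec_env() twice; hoisting the result into a local variable before the `if` keeps both tests on the same environment and reads more easily. The commit message should also say why a container gets -ENOPROTOOPT (the option looks unsupported, hiding repair mode from in-container tooling) rather than -EPERM (the caller is recognised but denied), since the two errors tell userspace different things. Finally, the whole check sits under `#ifdef CONFIG_VE`, so on a build without it the hunk adds no restriction at all; that is reasonable if containers only exist with CONFIG_VE, but it is worth stating explicitly.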