| Message ID | 1603974140-531494-1-git-send-email-andrey.zhadchenko@virtuozzo.com |
|---|---|
| State | New |
| Series | "Series without cover letter" |
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 7b3de33..6c99bca 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1529,6 +1529,13 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname, switch (optname) { case NETLINK_REPAIR2: +#ifdef CONFIG_VE + { + struct ve_struct *ve = get_exec_env(); + if (!ve_is_super(ve) && !ve->is_pseudosuper) + return -ENOPROTOOPT; + } +#endif if (val) nlk->flags |= NETLINK_F_REPAIR; else
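Review bot: the new `#ifdef CONFIG_VE` block refuses NETLINK_REPAIR2 for any caller that is neither in the super VE nor in a pseudosuper one, but neither the hunk nor the one-line commit message says what a container could do with NETLINK_F_REPAIR; a short comment above the `if (!ve_is_super(ve) && !ve->is_pseudosuper)` check stating the reason would help the next reader. Returning -ENOPROTOOPT makes the option look unsupported rather than forbidden, which is reasonable if hiding the feature from containers is the goal, but if the intent is to report a privilege problem, -EPERM would be the clearer choice; whichever is kept, say so in the comment. Note also that the check sits before `if (val)`, so a container cannot clear the flag either; that is harmless since it cannot set it, but worth stating in the commit message.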
For both patches in v2:
Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>

On 10/29/20 3:22 PM, Andrey Zhadchenko wrote:
> Prevent using netlink repair mode from containers.
>
> Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
> ---
>
> v2: added ve_struct *ve to get rid of second get_exec_env call
>
> net/netlink/af_netlink.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c > index 7b3de33..6c99bca 100644 > --- a/net/netlink/af_netlink.c > +++ b/net/netlink/af_netlink.c > @@ -1529,6 +1529,13 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname, > > switch (optname) { > case NETLINK_REPAIR2: > +#ifdef CONFIG_VE > + { > + struct ve_struct *ve = get_exec_env(); > + if (!ve_is_super(ve) && !ve->is_pseudosuper) > + return -ENOPROTOOPT; > + } > +#endif > if (val) > nlk->flags |= NETLINK_F_REPAIR; > else >
Prevent using netlink repair mode from containers.

Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
---

v2: added ve_struct *ve to get rid of second get_exec_env call

net/netlink/af_netlink.c | 7 +++++++
1 file changed, 7 insertions(+)