[RHEL8,COMMIT] netlink: protect NETLINK_REPAIR

Submitted by Konstantin Khorenko on Dec. 21, 2020, 3:51 p.m.

Details

Message ID 202012211551.0BLFpVZA226441@finist-co8.sw.ru
State New
Series "Series without cover letter"

Commit Message

Konstantin Khorenko Dec. 21, 2020, 3:51 p.m.
The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.3
------>
commit 0ba63537137941826825b89fd7d6540b00c85357
Author: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
Date:   Mon Dec 21 18:51:30 2020 +0300

    netlink: protect NETLINK_REPAIR
    
    Prevent using netlink repair mode from containers.
    
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko@virtuozzo.com>
---
 net/netlink/af_netlink.c | 7 +++++++
 1 file changed, 7 insertions(+)

Patch

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 3cfef64bb28c..9889446b9653 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1672,6 +1672,13 @@  static int netlink_setsockopt(struct socket *sock, int level, int optname,
 
 	switch (optname) {
 	case NETLINK_REPAIR:
+#ifdef CONFIG_VE
+		{
+			struct ve_struct *ve = get_exec_env();
+			if (!ve_is_super(ve) && !ve->is_pseudosuper)
+				return -ENOPROTOOPT;
+		}
+#endif
 		if (val)
 			nlk->flags |= NETLINK_F_REPAIR;
 		else
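
Review bot: The added block under `case NETLINK_REPAIR:` exempts `ve->is_pseudosuper` from the restriction, but neither a code comment nor the commit message ("Prevent using netlink repair mode from containers") explains why that state is allowed or what risk repair mode poses inside a container. Please add a one-line comment above the test so the exception is not removed or widened by accident later. The return value also deserves a note: `-ENOPROTOOPT` tells the caller that the option does not exist rather than that it was refused, so if hiding the option from containers is the intent, say so; otherwise `-EPERM` is the clearer denial. Because the test sits before `if (val)`, it rejects clearing the flag as well as setting it, which is harmless but worth stating. On style, kernel convention wants a blank line between the `struct ve_struct *ve = get_exec_env();` declaration and the `if`, and the anonymous brace block inside the `#ifdef CONFIG_VE` would read better as a small helper that returns a bool, which would also keep the `#ifdef` out of the switch body.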