[Devel,VZ7,3/3] netlink: allow messages with family PF_BRIDGE type RTM_xxxNEIGH in CT

Submitted by Pavel Tikhomirov on Oct. 27, 2016, 3:50 p.m.


Message ID 1477583417-13088-1-git-send-email-ptikhomirov@virtuozzo.com
State New
Series "Series without cover letter"

Commit Message

Pavel Tikhomirov Oct. 27, 2016, 3:50 p.m.
While reproducing the problem mentioned in patch 1, I found that
we need this to be able to configure the vxlan fdb.

https://jira.sw.ru/browse/PSBM-53629
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 include/linux/ve.h   |  4 ++--
 kernel/ve/ve.c       | 11 ++++++++++-
 net/core/rtnetlink.c |  4 ++--
 net/socket.c         |  2 +-
 4 files changed, 15 insertions(+), 6 deletions(-)


diff --git a/include/linux/ve.h b/include/linux/ve.h
index ad40726..edff7e4 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -160,7 +160,7 @@  extern struct kobject * kobject_create_and_add_ve(const char *name,
 
 extern struct kmapset_set ve_sysfs_perms;
 
-extern int vz_security_family_check(struct net *net, int family);
+extern int vz_security_family_check(struct net *net, int family, int type);
 extern int vz_security_protocol_check(struct net *net, int protocol);
 
 extern struct task_struct *kthread_create_on_node_ve(struct ve_struct *ve,
@@ -247,7 +247,7 @@  static inline void ve_mount_nr_dec(void)
 
 #define ve_uevent_seqnum uevent_seqnum
 
-static inline int vz_security_family_check(struct net *net, int family) { return 0; }
+static inline int vz_security_family_check(struct net *net, int family, int type) { return 0; }
 static inline int vz_security_protocol_check(struct net *net, int protocol) { return 0; }
 
 #define ve_utsname	system_utsname
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 8afff3d..df42759 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -41,6 +41,7 @@ 
 #include <uapi/linux/vzcalluser.h>
 #include <linux/venet.h>
 #include <linux/vziptable_defs.h>
+#include <net/rtnetlink.h>
 
 static struct kmem_cache *ve_cachep;
 
@@ -180,7 +181,7 @@  EXPORT_SYMBOL(get_ve_by_id);
 EXPORT_SYMBOL(ve_list_lock);
 EXPORT_SYMBOL(ve_list_head);
 
-int vz_security_family_check(struct net *net, int family)
+int vz_security_family_check(struct net *net, int family, int type)
 {
 	if (ve_is_super(net->owner_ve))
 		return 0;
@@ -195,6 +196,14 @@  int vz_security_family_check(struct net *net, int family)
 	case PF_PPPOX:
 	case PF_KEY:
 		return 0;
+	case PF_BRIDGE:
+		if (type)
+			switch (type) {
+				case RTM_NEWNEIGH:
+				case RTM_DELNEIGH:
+				case RTM_GETNEIGH:
+					return 0;
+			}
 	default:
 		return -EAFNOSUPPORT;
 	}
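Review bot: The new `case PF_BRIDGE:` relies on an implicit fall-through into `default:` whenever `type` is 0 or not one of the three RTM_*NEIGH values, and the `if (type)` guard is redundant because a switch on 0 matches none of the listed cases; drop the `if` and mark the fall-through explicitly, e.g. `/* fallthrough: any other PF_BRIDGE message stays blocked */` just before `default:`. The meaning of the new `type` parameter is not documented anywhere: the rtnetlink callers pass `nlmsg_type`, while `__sock_create` in net/socket.c passes a literal 0, so a one-line comment on the function stating that 0 means "socket creation, no netlink message to inspect" would make that sentinel safe to keep. Since this opens RTM_NEWNEIGH/RTM_DELNEIGH from inside a container, the comment should presumably also state that the bridge neighbour handlers are expected to resolve the target device within `net` so the namespace boundary still holds — confirm against the fdb handlers before relying on it. The function's header and earlier cases lie outside this hunk.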
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 8e72446..1ba3a9d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2325,7 +2325,7 @@  static int rtnl_dump_all(struct sk_buff *skb, struct netlink_callback *cb)
 		if (rtnl_msg_handlers[idx] == NULL ||
 		    rtnl_msg_handlers[idx][type].dumpit == NULL)
 			continue;
-		if (vz_security_family_check(net, idx))
+		if (vz_security_family_check(net, idx, cb->nlh->nlmsg_type))
 			continue;
 		if (idx > s_idx) {
 			memset(&cb->args[0], 0, sizeof(cb->args));
@@ -3040,7 +3040,7 @@  static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		return 0;
 
 	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
-	if (vz_security_family_check(net, family))
+	if (vz_security_family_check(net, family, nlh->nlmsg_type))
 		return -EAFNOSUPPORT;
 
 	sz_idx = type>>2;
diff --git a/net/socket.c b/net/socket.c
index 7ec5de5..bb96466 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1264,7 +1264,7 @@  int __sock_create(struct net *net, int family, int type, int protocol,
 	}
 
 	/* VZ compatibility layer */
-	err = vz_security_family_check(net, family);
+	err = vz_security_family_check(net, family, 0);
 	if (err < 0)
 		return err;
 

Comments

Andrey Vagin Nov. 22, 2016, 11:34 p.m.
On Thu, Oct 27, 2016 at 06:50:17PM +0300, Pavel Tikhomirov wrote:
> While reproducing the problem mentioned in patch 1 I found that
> we need it to be able to configure vxlan fdb
> 
> https://jira.sw.ru/browse/PSBM-53629
> Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
> ---
>  include/linux/ve.h   |  4 ++--
>  kernel/ve/ve.c       | 11 ++++++++++-
>  net/core/rtnetlink.c |  4 ++--
>  net/socket.c         |  2 +-
>  4 files changed, 15 insertions(+), 6 deletions(-)
> 
> diff --git a/include/linux/ve.h b/include/linux/ve.h
> index ad40726..edff7e4 100644
> --- a/include/linux/ve.h
> +++ b/include/linux/ve.h
> @@ -160,7 +160,7 @@ extern struct kobject * kobject_create_and_add_ve(const char *name,
>  
>  extern struct kmapset_set ve_sysfs_perms;
>  
> -extern int vz_security_family_check(struct net *net, int family);
> +extern int vz_security_family_check(struct net *net, int family, int type);
>  extern int vz_security_protocol_check(struct net *net, int protocol);
>  
>  extern struct task_struct *kthread_create_on_node_ve(struct ve_struct *ve,
> @@ -247,7 +247,7 @@ static inline void ve_mount_nr_dec(void)
>  
>  #define ve_uevent_seqnum uevent_seqnum
>  
> -static inline int vz_security_family_check(struct net *net, int family) { return 0; }
> +static inline int vz_security_family_check(struct net *net, int family, int type) { return 0; }
>  static inline int vz_security_protocol_check(struct net *net, int protocol) { return 0; }
>  
>  #define ve_utsname	system_utsname
> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
> index 8afff3d..df42759 100644
> --- a/kernel/ve/ve.c
> +++ b/kernel/ve/ve.c
> @@ -41,6 +41,7 @@
>  #include <uapi/linux/vzcalluser.h>
>  #include <linux/venet.h>
>  #include <linux/vziptable_defs.h>
> +#include <net/rtnetlink.h>
>  
>  static struct kmem_cache *ve_cachep;
>  
> @@ -180,7 +181,7 @@ EXPORT_SYMBOL(get_ve_by_id);
>  EXPORT_SYMBOL(ve_list_lock);
>  EXPORT_SYMBOL(ve_list_head);
>  
> -int vz_security_family_check(struct net *net, int family)
> +int vz_security_family_check(struct net *net, int family, int type)

Do you know why we need vz_security_family_check() in rhel7?

>  {
>  	if (ve_is_super(net->owner_ve))
>  		return 0;
> @@ -195,6 +196,14 @@ int vz_security_family_check(struct net *net, int family)
>  	case PF_PPPOX:
>  	case PF_KEY:
>  		return 0;
> +	case PF_BRIDGE:
> +		if (type)
> +			switch (type) {
> +				case RTM_NEWNEIGH:
> +				case RTM_DELNEIGH:
> +				case RTM_GETNEIGH:
> +					return 0;
> +			}
>  	default:
>  		return -EAFNOSUPPORT;
>  	}
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 8e72446..1ba3a9d 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -2325,7 +2325,7 @@ static int rtnl_dump_all(struct sk_buff *skb, struct netlink_callback *cb)
>  		if (rtnl_msg_handlers[idx] == NULL ||
>  		    rtnl_msg_handlers[idx][type].dumpit == NULL)
>  			continue;
> -		if (vz_security_family_check(net, idx))
> +		if (vz_security_family_check(net, idx, cb->nlh->nlmsg_type))
>  			continue;
>  		if (idx > s_idx) {
>  			memset(&cb->args[0], 0, sizeof(cb->args));
> @@ -3040,7 +3040,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  		return 0;
>  
>  	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
> -	if (vz_security_family_check(net, family))
> +	if (vz_security_family_check(net, family, nlh->nlmsg_type))
>  		return -EAFNOSUPPORT;
>  
>  	sz_idx = type>>2;
> diff --git a/net/socket.c b/net/socket.c
> index 7ec5de5..bb96466 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -1264,7 +1264,7 @@ int __sock_create(struct net *net, int family, int type, int protocol,
>  	}
>  
>  	/* VZ compatibility layer */
> -	err = vz_security_family_check(net, family);
> +	err = vz_security_family_check(net, family, 0);
>  	if (err < 0)
>  		return err;
>  
> -- 
> 2.7.4
>
Pavel Tikhomirov Nov. 23, 2016, 7:06 a.m.
On 11/23/2016 02:34 AM, Andrew Vagin wrote:
> On Thu, Oct 27, 2016 at 06:50:17PM +0300, Pavel Tikhomirov wrote:
>> While reproducing the problem mentioned in patch 1 I found that
>> we need it to be able to configure vxlan fdb
>>
>> https://jira.sw.ru/browse/PSBM-53629
>> Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
>> ---
>>  include/linux/ve.h   |  4 ++--
>>  kernel/ve/ve.c       | 11 ++++++++++-
>>  net/core/rtnetlink.c |  4 ++--
>>  net/socket.c         |  2 +-
>>  4 files changed, 15 insertions(+), 6 deletions(-)
>>
>> diff --git a/include/linux/ve.h b/include/linux/ve.h
>> index ad40726..edff7e4 100644
>> --- a/include/linux/ve.h
>> +++ b/include/linux/ve.h
>> @@ -160,7 +160,7 @@ extern struct kobject * kobject_create_and_add_ve(const char *name,
>>
>>  extern struct kmapset_set ve_sysfs_perms;
>>
>> -extern int vz_security_family_check(struct net *net, int family);
>> +extern int vz_security_family_check(struct net *net, int family, int type);
>>  extern int vz_security_protocol_check(struct net *net, int protocol);
>>
>>  extern struct task_struct *kthread_create_on_node_ve(struct ve_struct *ve,
>> @@ -247,7 +247,7 @@ static inline void ve_mount_nr_dec(void)
>>
>>  #define ve_uevent_seqnum uevent_seqnum
>>
>> -static inline int vz_security_family_check(struct net *net, int family) { return 0; }
>> +static inline int vz_security_family_check(struct net *net, int family, int type) { return 0; }
>>  static inline int vz_security_protocol_check(struct net *net, int protocol) { return 0; }
>>
>>  #define ve_utsname	system_utsname
>> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
>> index 8afff3d..df42759 100644
>> --- a/kernel/ve/ve.c
>> +++ b/kernel/ve/ve.c
>> @@ -41,6 +41,7 @@
>>  #include <uapi/linux/vzcalluser.h>
>>  #include <linux/venet.h>
>>  #include <linux/vziptable_defs.h>
>> +#include <net/rtnetlink.h>
>>
>>  static struct kmem_cache *ve_cachep;
>>
>> @@ -180,7 +181,7 @@ EXPORT_SYMBOL(get_ve_by_id);
>>  EXPORT_SYMBOL(ve_list_lock);
>>  EXPORT_SYMBOL(ve_list_head);
>>
>> -int vz_security_family_check(struct net *net, int family)
>> +int vz_security_family_check(struct net *net, int family, int type)
>
> Do you know why we need vz_security_family_check() in rhel7?

That is the whitelist of protocols we support in a VE; we need to 
virtualize (or at least check) all protocols we want to allow here.

>
>>  {
>>  	if (ve_is_super(net->owner_ve))
>>  		return 0;
>> @@ -195,6 +196,14 @@ int vz_security_family_check(struct net *net, int family)
>>  	case PF_PPPOX:
>>  	case PF_KEY:
>>  		return 0;
>> +	case PF_BRIDGE:
>> +		if (type)
>> +			switch (type) {
>> +				case RTM_NEWNEIGH:
>> +				case RTM_DELNEIGH:
>> +				case RTM_GETNEIGH:
>> +					return 0;
>> +			}
>>  	default:
>>  		return -EAFNOSUPPORT;
>>  	}
>> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
>> index 8e72446..1ba3a9d 100644
>> --- a/net/core/rtnetlink.c
>> +++ b/net/core/rtnetlink.c
>> @@ -2325,7 +2325,7 @@ static int rtnl_dump_all(struct sk_buff *skb, struct netlink_callback *cb)
>>  		if (rtnl_msg_handlers[idx] == NULL ||
>>  		    rtnl_msg_handlers[idx][type].dumpit == NULL)
>>  			continue;
>> -		if (vz_security_family_check(net, idx))
>> +		if (vz_security_family_check(net, idx, cb->nlh->nlmsg_type))
>>  			continue;
>>  		if (idx > s_idx) {
>>  			memset(&cb->args[0], 0, sizeof(cb->args));
>> @@ -3040,7 +3040,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>>  		return 0;
>>
>>  	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
>> -	if (vz_security_family_check(net, family))
>> +	if (vz_security_family_check(net, family, nlh->nlmsg_type))
>>  		return -EAFNOSUPPORT;
>>
>>  	sz_idx = type>>2;
>> diff --git a/net/socket.c b/net/socket.c
>> index 7ec5de5..bb96466 100644
>> --- a/net/socket.c
>> +++ b/net/socket.c
>> @@ -1264,7 +1264,7 @@ int __sock_create(struct net *net, int family, int type, int protocol,
>>  	}
>>
>>  	/* VZ compatibility layer */
>> -	err = vz_security_family_check(net, family);
>> +	err = vz_security_family_check(net, family, 0);
>>  	if (err < 0)
>>  		return err;
>>
>> --
>> 2.7.4
>>