Message ID | 20170721072323.15763.12312.stgit@localhost.localdomain |
---|---|
State | New |
Series | "netfilter: rework iptables containerization" |
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index bcca7f3..316b477 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1119,6 +1119,10 @@ int ip_setsockopt(struct sock *sk, int level,
 optname != IP_IPSEC_POLICY &&
 optname != IP_XFRM_POLICY &&
 !ip_mroute_opt(optname)) {
+
+ if (!ve_ipt_permitted(net, VE_IP_FILTER))
+ return -EINVAL;
+
 lock_sock(sk);
 err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
 release_sock(sk);
@@ -1424,6 +1428,9 @@ int ip_getsockopt(struct sock *sk, int level,
 if (get_user(len, optlen))
 return -EFAULT;
 
+ if (!ve_ipt_permitted(net, VE_IP_FILTER))
+ return -ENOENT;
+
 lock_sock(sk);
 err = nf_getsockopt(sk, PF_INET, optname, optval,
 &len);
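Review bot: The new ve_ipt_permitted() guard in ip_setsockopt carries no comment explaining why a netfilter socket option is refused before nf_setsockopt() is ever reached, and a reader who lands here from the generic optname fall-through will not know it is a per-container access control rather than an argument check. A one-line comment above the test would make that explicit, e.g. `/* netfilter sockopts are gated per VE: refuse before touching nf_setsockopt() */`. The hunk also consults only the VE_IP_FILTER bit for every netfilter optname that reaches this branch; if the permission scheme has other per-table bits, it would be worth a comment stating that VE_IP_FILTER is deliberately the single gate here. ip_setsockopt begins outside the hunk, so whether `net` is already initialised from the socket at this point cannot be confirmed from the diff alone.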
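Review bot: The ip_getsockopt hunk reports the refused-VE condition as -ENOENT while the ip_setsockopt hunk reports the same condition as -EINVAL, so a container probing netfilter support sees two different errors for one cause depending on the direction of the call. Whatever value is settled on for the set path should be returned here as well, so that both guards read `return <same errno>;` and userspace can treat them uniformly; ENOENT in particular is not a code getsockopt callers normally test for. The placement after the `get_user(len, optlen)` check is fine, since a bad optlen pointer still yields -EFAULT first. ip_getsockopt begins and ends outside the hunk.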
On 07/21/2017 10:23 AM, Stanislav Kinsburskiy wrote: > Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com> > --- > net/ipv4/ip_sockglue.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c > index bcca7f3..316b477 100644 > --- a/net/ipv4/ip_sockglue.c > +++ b/net/ipv4/ip_sockglue.c > @@ -1119,6 +1119,10 @@ int ip_setsockopt(struct sock *sk, int level, > optname != IP_IPSEC_POLICY && > optname != IP_XFRM_POLICY && > !ip_mroute_opt(optname)) { > + > + if (!ve_ipt_permitted(net, VE_IP_FILTER)) > + return -EINVAL; EINVAL doesn't look like the right choice for the error code here. I'd say ENOPROTOOPT or maybe EPERM would be better? > + > lock_sock(sk); > err = nf_setsockopt(sk, PF_INET, optname, optval, optlen); > release_sock(sk); > @@ -1424,6 +1428,9 @@ int ip_getsockopt(struct sock *sk, int level, > if (get_user(len, optlen)) > return -EFAULT; > > + if (!ve_ipt_permitted(net, VE_IP_FILTER)) > + return -ENOENT; > + > lock_sock(sk); > err = nf_getsockopt(sk, PF_INET, optname, optval, > &len); > > _______________________________________________ > Devel mailing list > Devel@openvz.org > https://lists.openvz.org/mailman/listinfo/devel >
21.07.2017 12:50, Andrey Ryabinin пишет: > > > On 07/21/2017 10:23 AM, Stanislav Kinsburskiy wrote: >> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com> >> --- >> net/ipv4/ip_sockglue.c | 7 +++++++ >> 1 file changed, 7 insertions(+) >> >> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c >> index bcca7f3..316b477 100644 >> --- a/net/ipv4/ip_sockglue.c >> +++ b/net/ipv4/ip_sockglue.c >> @@ -1119,6 +1119,10 @@ int ip_setsockopt(struct sock *sk, int level, >> optname != IP_IPSEC_POLICY && >> optname != IP_XFRM_POLICY && >> !ip_mroute_opt(optname)) { >> + >> + if (!ve_ipt_permitted(net, VE_IP_FILTER)) >> + return -EINVAL; > > > EINVAL doesn't look a right choice for the error code here. > I'd say ENOPROTOOPT or maybe EPERM would be better? > Agreed. ENOPROTOOPT looks better. Will do. >> + >> lock_sock(sk); >> err = nf_setsockopt(sk, PF_INET, optname, optval, optlen); >> release_sock(sk); >> @@ -1424,6 +1428,9 @@ int ip_getsockopt(struct sock *sk, int level, >> if (get_user(len, optlen)) >> return -EFAULT; >> >> + if (!ve_ipt_permitted(net, VE_IP_FILTER)) >> + return -ENOENT; >> + >> lock_sock(sk); >> err = nf_getsockopt(sk, PF_INET, optname, optval, >> &len); >> >> _______________________________________________ >> Devel mailing list >> Devel@openvz.org >> https://lists.openvz.org/mailman/listinfo/devel >>
Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com> --- net/ipv4/ip_sockglue.c | 7 +++++++ 1 file changed, 7 insertions(+)