[Devel,3/5] netfilter: check per-ve netfilter status on actual operation

Submitted by Stanislav Kinsburskiy on July 21, 2017, 7:23 a.m.

Details

Message ID 20170721072323.15763.12312.stgit@localhost.localdomain
State New
Series "netfilter: rework iptables containerization"
Headers show

Commit Message

Stanislav Kinsburskiy July 21, 2017, 7:23 a.m.
Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
---
 net/ipv4/ip_sockglue.c |    7 +++++++
 1 file changed, 7 insertions(+)

Patch hide | download patch | download mbox

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index bcca7f3..316b477 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1119,6 +1119,10 @@  int ip_setsockopt(struct sock *sk, int level,
 			optname != IP_IPSEC_POLICY &&
 			optname != IP_XFRM_POLICY &&
 			!ip_mroute_opt(optname)) {
+
+		if (!ve_ipt_permitted(net, VE_IP_FILTER))
+			return -EINVAL;
+
 		lock_sock(sk);
 		err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
 		release_sock(sk);
@@ -1424,6 +1428,9 @@  int ip_getsockopt(struct sock *sk, int level,
 		if (get_user(len, optlen))
 			return -EFAULT;
 
+		if (!ve_ipt_permitted(net, VE_IP_FILTER))
+			return -ENOENT;
+
 		lock_sock(sk);
 		err = nf_getsockopt(sk, PF_INET, optname, optval,
 				&len);

Comments

Andrey Ryabinin July 21, 2017, 10:50 a.m.
On 07/21/2017 10:23 AM, Stanislav Kinsburskiy wrote:
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
> ---
>  net/ipv4/ip_sockglue.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> index bcca7f3..316b477 100644
> --- a/net/ipv4/ip_sockglue.c
> +++ b/net/ipv4/ip_sockglue.c
> @@ -1119,6 +1119,10 @@ int ip_setsockopt(struct sock *sk, int level,
>  			optname != IP_IPSEC_POLICY &&
>  			optname != IP_XFRM_POLICY &&
>  			!ip_mroute_opt(optname)) {
> +
> +		if (!ve_ipt_permitted(net, VE_IP_FILTER))
> +			return -EINVAL;


EINVAL doesn't look a right choice for the error code here.
I'd say ENOPROTOOPT or maybe EPERM would be better?

> +
>  		lock_sock(sk);
>  		err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
>  		release_sock(sk);
> @@ -1424,6 +1428,9 @@ int ip_getsockopt(struct sock *sk, int level,
>  		if (get_user(len, optlen))
>  			return -EFAULT;
>  
> +		if (!ve_ipt_permitted(net, VE_IP_FILTER))
> +			return -ENOENT;
> +
>  		lock_sock(sk);
>  		err = nf_getsockopt(sk, PF_INET, optname, optval,
>  				&len);
> 
> _______________________________________________
> Devel mailing list
> Devel@openvz.org
> https://lists.openvz.org/mailman/listinfo/devel
>
Stanislav Kinsburskiy July 21, 2017, 12:04 p.m.
21.07.2017 12:50, Andrey Ryabinin пишет:
> 
> 
> On 07/21/2017 10:23 AM, Stanislav Kinsburskiy wrote:
>> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
>> ---
>>  net/ipv4/ip_sockglue.c |    7 +++++++
>>  1 file changed, 7 insertions(+)
>>
>> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
>> index bcca7f3..316b477 100644
>> --- a/net/ipv4/ip_sockglue.c
>> +++ b/net/ipv4/ip_sockglue.c
>> @@ -1119,6 +1119,10 @@ int ip_setsockopt(struct sock *sk, int level,
>>  			optname != IP_IPSEC_POLICY &&
>>  			optname != IP_XFRM_POLICY &&
>>  			!ip_mroute_opt(optname)) {
>> +
>> +		if (!ve_ipt_permitted(net, VE_IP_FILTER))
>> +			return -EINVAL;
> 
> 
> EINVAL doesn't look a right choice for the error code here.
> I'd say ENOPROTOOPT or maybe EPERM would be better?
> 

Agreed. ENOPROTOOPT looks better. Will do.

>> +
>>  		lock_sock(sk);
>>  		err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
>>  		release_sock(sk);
>> @@ -1424,6 +1428,9 @@ int ip_getsockopt(struct sock *sk, int level,
>>  		if (get_user(len, optlen))
>>  			return -EFAULT;
>>  
>> +		if (!ve_ipt_permitted(net, VE_IP_FILTER))
>> +			return -ENOENT;
>> +
>>  		lock_sock(sk);
>>  		err = nf_getsockopt(sk, PF_INET, optname, optval,
>>  				&len);
>>
>> _______________________________________________
>> Devel mailing list
>> Devel@openvz.org
>> https://lists.openvz.org/mailman/listinfo/devel
>>