From patchwork Mon Sep 3 04:37:13 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 965202 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=brauner.io Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 423cgH0fccz9s2P for ; Mon, 3 Sep 2018 14:39:07 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726956AbeICI5Z (ORCPT ); Mon, 3 Sep 2018 04:57:25 -0400 Received: from mail-wr1-f65.google.com ([209.85.221.65]:43465 "EHLO mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725892AbeICI5Z (ORCPT ); Mon, 3 Sep 2018 04:57:25 -0400 Received: by mail-wr1-f65.google.com with SMTP id k5-v6so16358813wre.10; Sun, 02 Sep 2018 21:39:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=rIaWy0Qzq+GWnOEkPXKykLc5Az4Yb54NGxuSXnl9lzU=; b=lQvEOYAeWGude0lKv6oswoJzSDA/1i+nc9+vSwL0R1nrDk91wiZWSlCEk5PpkgPifb 4QtH4P+uUQ+aXXR/F2SUxqHxvSYBOMCviqEWCxPmpuweIce8Tcxg4pRidxXay+8sY9YJ bK+JMMf0pL4qrJgFXcqZh6U3t2LnokhcKqM4o6FfpxNxfLyKD9Ym4dlw8qSm4NEtm7pm nrATTYSLLU+yCknDobx7VaSBN8w44+RCh6kD82I3Q256ydFJ4Ulo5GiJQtc7o1j/gHiV AUwzQg3/X93b5v9uKKqUc32QbB9LrFNfDyTwMOkCAhaD8TBo+MwMWZ2Sca5DOKxtQjsj 6Vcw== X-Gm-Message-State: APzg51BatRGuAiXbP89p20Fre0VL5SI2w7bjLqeK1liIOG6F+L/DAtFT zfuhvZLi6XN6BRgV1h+nNy2Vpo70IclxxA== X-Google-Smtp-Source: ANB0VdZDDSKF+fCbQ5ABnQxzS/hyxak0eUjoNcF/2XuzxNKsLwkzNrvrIS8aNI7cmxGIQ1WaCjsFsQ== X-Received: by 2002:adf:e30e:: with SMTP id b14-v6mr17410441wrj.158.1535949539451; Sun, 02 Sep 2018 21:38:59 -0700 (PDT) Received: from localhost.localdomain ([88.128.81.0]) by smtp.gmail.com with ESMTPSA id j66-v6sm22453364wrj.28.2018.09.02.21.38.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 02 Sep 2018 21:38:58 -0700 (PDT) From: Christian Brauner To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, pombredanne@nexb.com, kstewart@linuxfoundation.org, gregkh@linuxfoundation.org, dsahern@gmail.com, fw@strlen.de, ktkhai@virtuozzo.com, lucien.xin@gmail.com, jakub.kicinski@netronome.com, jbenc@redhat.com, nicolas.dichtel@6wind.com, Christian Brauner Subject: [PATCH net-next v1 1/5] rtnetlink: add rtnl_get_net_ns_capable() Date: Mon, 3 Sep 2018 06:37:13 +0200 Message-Id: <20180903043717.20136-2-christian@brauner.io> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180903043717.20136-1-christian@brauner.io> References: <20180903043717.20136-1-christian@brauner.io> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org get_target_net() will be used in follow-up patches in ipv{4,6} codepaths to retrieve network namespaces based on network namespace identifiers. So remove the static declaration and export in the rtnetlink header. Also, rename it to rtnl_get_net_ns_capable() to make it obvious what this function is doing. Signed-off-by: Christian Brauner --- v0->v1: - export rtnl_get_net_ns_capable(). Kbuild reported a build failure when ipv6 is built as a module. This was caused by rtnl_get_net_ns_capable() not being exported. Fix this by exporting it. --- include/net/rtnetlink.h | 1 + net/core/rtnetlink.c | 17 +++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h index 0bbaa5488423..cf26e5aacac4 100644 --- a/include/net/rtnetlink.h +++ b/include/net/rtnetlink.h @@ -165,6 +165,7 @@ int rtnl_configure_link(struct net_device *dev, const struct ifinfomsg *ifm); int rtnl_nla_parse_ifla(struct nlattr **tb, const struct nlattr *head, int len, struct netlink_ext_ack *exterr); +struct net *rtnl_get_net_ns_capable(struct sock *sk, int netnsid); #define MODULE_ALIAS_RTNL_LINK(kind) MODULE_ALIAS("rtnl-link-" kind) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 24431e578310..30645d9a9801 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1841,7 +1841,15 @@ static bool link_dump_filtered(struct net_device *dev, return false; } -static struct net *get_target_net(struct sock *sk, int netnsid) +/** + * rtnl_get_net_ns_capable - Get netns if sufficiently privileged. + * @sk: netlink socket + * @netnsid: network namespace identifier + * + * Returns the network namespace identified by netnsid on success or an error + * pointer on failure. + */ +struct net *rtnl_get_net_ns_capable(struct sock *sk, int netnsid) { struct net *net; @@ -1858,6 +1866,7 @@ static struct net *get_target_net(struct sock *sk, int netnsid) } return net; } +EXPORT_SYMBOL_GPL(rtnl_get_net_ns_capable); static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) { @@ -1893,7 +1902,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) ifla_policy, NULL) >= 0) { if (tb[IFLA_IF_NETNSID]) { netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]); - tgt_net = get_target_net(skb->sk, netnsid); + tgt_net = rtnl_get_net_ns_capable(skb->sk, netnsid); if (IS_ERR(tgt_net)) { tgt_net = net; netnsid = -1; @@ -2761,7 +2770,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, if (tb[IFLA_IF_NETNSID]) { netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]); - tgt_net = get_target_net(NETLINK_CB(skb).sk, netnsid); + tgt_net = rtnl_get_net_ns_capable(NETLINK_CB(skb).sk, netnsid); if (IS_ERR(tgt_net)) return PTR_ERR(tgt_net); } @@ -3171,7 +3180,7 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh, if (tb[IFLA_IF_NETNSID]) { netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]); - tgt_net = get_target_net(NETLINK_CB(skb).sk, netnsid); + tgt_net = rtnl_get_net_ns_capable(NETLINK_CB(skb).sk, netnsid); if (IS_ERR(tgt_net)) return PTR_ERR(tgt_net); } From patchwork Mon Sep 3 04:37:14 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 965204 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=brauner.io Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 423cgf3jwgz9s2P for ; Mon, 3 Sep 2018 14:39:26 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727061AbeICI5o (ORCPT ); Mon, 3 Sep 2018 04:57:44 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:46871 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725892AbeICI5n (ORCPT ); Mon, 3 Sep 2018 04:57:43 -0400 Received: by mail-wr1-f67.google.com with SMTP id a108-v6so16324221wrc.13; Sun, 02 Sep 2018 21:39:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=MAXfVGzsIqmA+wyo0wYzYx18bQFQuNziqTws7Do2Ntk=; b=BYg+OB5tBUl4UqWgvE/1Z8Wgj6h7AFfnsuzDCKCil8bciAAmaeOtkrwmzIOcYrab33 l+TrVM2r60C4N16bJUt5jipnQuFvJ37iyqw787r+nzsbevm5Hzj9NAzNVLjwPHU5TmrF KxXcHEnZcBSJFj7gXxYINX5I2NZQZdE3DN3zFOHo4NgZ9e0W/2WJAl61joM0OaJtzN/x ZYrwlIeKc4UTKTsvYFfdWkgPNjW8mGRZE7xTK1zWZdK/kLlYdU9XzJLuKzU0BDTF1vBv Y5KYRU9iNYzqNcV9b05OhHkl5TrzqcuK1VMSazuqHX0W0+CkZFTiyGNze6L65JYVau1q Ujbw== X-Gm-Message-State: APzg51DL3qbsyu1h9vvHio9JFpIL4eKKV+FaVlcOOM184SmjcO4JkfeO St000UHhNKfiBFSKd/XlX7srRqf+aCY6hw== X-Google-Smtp-Source: ANB0VdZJXPpmMtPf9d4MGvSjlkXQjLtOOZod+4HqriZXjvqD751o1Obkv+xd7OhmmQNiXFVWTBT5XQ== X-Received: by 2002:adf:9404:: with SMTP id 4-v6mr18765323wrq.129.1535949558463; Sun, 02 Sep 2018 21:39:18 -0700 (PDT) Received: from localhost.localdomain ([88.128.81.0]) by smtp.gmail.com with ESMTPSA id j66-v6sm22453364wrj.28.2018.09.02.21.39.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 02 Sep 2018 21:39:17 -0700 (PDT) From: Christian Brauner To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, pombredanne@nexb.com, kstewart@linuxfoundation.org, gregkh@linuxfoundation.org, dsahern@gmail.com, fw@strlen.de, ktkhai@virtuozzo.com, lucien.xin@gmail.com, jakub.kicinski@netronome.com, jbenc@redhat.com, nicolas.dichtel@6wind.com, Christian Brauner Subject: [PATCH net-next v1 2/5] if_addr: add IFA_IF_NETNSID Date: Mon, 3 Sep 2018 06:37:14 +0200 Message-Id: <20180903043717.20136-3-christian@brauner.io> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180903043717.20136-1-christian@brauner.io> References: <20180903043717.20136-1-christian@brauner.io> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This adds a new IFA_IF_NETNSID property to be used by address families such as PF_INET and PF_INET6. The IFA_IF_NETNSID property can be used to send a network namespace identifier as part of a request. If a IFA_IF_NETNSID property is identified it will be used to retrieve the target network namespace in which the request is to be made. Signed-off-by: Christian Brauner Cc: Jiri Benc Cc: Nicolas Dichtel --- v0->v1: - unchanged Note, I did not change the property name to IFA_TARGET_NSID as there was no clear agreement what would be preferred. My personal preference is to keep the IFA_IF_NETNSID name because it aligns naturally with the IFLA_IF_NETNSID property for RTM_*LINK requests. Jiri seems to prefer this name too. However, if there is agreement that another property name makes more sense I'm happy to send a v2 that changes this. --- include/uapi/linux/if_addr.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/uapi/linux/if_addr.h b/include/uapi/linux/if_addr.h index ebaf5701c9db..0e0cd588cac0 100644 --- a/include/uapi/linux/if_addr.h +++ b/include/uapi/linux/if_addr.h @@ -34,6 +34,7 @@ enum { IFA_MULTICAST, IFA_FLAGS, IFA_RT_PRIORITY, /* u32, priority/metric for prefix route */ + IFA_IF_NETNSID, __IFA_MAX, }; From patchwork Mon Sep 3 04:37:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 965205 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=brauner.io Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 423ch371sjz9s0n for ; Mon, 3 Sep 2018 14:39:47 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727155AbeICI6F (ORCPT ); Mon, 3 Sep 2018 04:58:05 -0400 Received: from mail-wm0-f65.google.com ([74.125.82.65]:38444 "EHLO mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725892AbeICI6F (ORCPT ); Mon, 3 Sep 2018 04:58:05 -0400 Received: by mail-wm0-f65.google.com with SMTP id t25-v6so10282309wmi.3; Sun, 02 Sep 2018 21:39:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=dJXWSCd4fmiiHfYP6yfe9UO53WTG2hatFTZtZm98iw4=; b=JYgYz9H8YGO/+A5h+B1z0GBsJZzDkutV0koBKhGKgFxBZYNjkyqUP+ybwUTgPKwIlU bfO+GokEw0B21GZUjLJiecy8YLAnGfXni3EQ6Sgm5ijjfpeSvGsNtXAwg0m0WOcHZ51+ 5qUYSjy+VnR56KJj1EkgSZ1fudipzVsbz7is2mfLPkBM88JTUqm814q8cph+kQZ0mWh8 dvBXMk3N2gNpn5LYCH8SbvK7vPe6IQwRwgd4HjRKoDerqcIPOjbN6IJnwqMytHqn4W4E 22pTj0rdvWYKjiLi5hS3tjMVXVou4dlM0uyXjXw27DOOgR1q0XMBU7fYgsG0qK47TpJ5 LuEA== X-Gm-Message-State: APzg51CPIDowG2NvuRgxBhEJepBzd5IFl669CGEzGQmrFWLjCtqOyOJr C7H+khzAt0unhozlflLWSFYbOm8o1uOtJw== X-Google-Smtp-Source: ANB0VdYNJ/3Z82wC/jOWXSwK1hcLmyv+sh3KINjSKq1onAbDLIIPlm32WnADi9BKfVz+8ybBYLVDuA== X-Received: by 2002:a1c:8f0e:: with SMTP id r14-v6mr4195213wmd.79.1535949578628; Sun, 02 Sep 2018 21:39:38 -0700 (PDT) Received: from localhost.localdomain ([88.128.81.0]) by smtp.gmail.com with ESMTPSA id j66-v6sm22453364wrj.28.2018.09.02.21.39.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 02 Sep 2018 21:39:38 -0700 (PDT) From: Christian Brauner To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, pombredanne@nexb.com, kstewart@linuxfoundation.org, gregkh@linuxfoundation.org, dsahern@gmail.com, fw@strlen.de, ktkhai@virtuozzo.com, lucien.xin@gmail.com, jakub.kicinski@netronome.com, jbenc@redhat.com, nicolas.dichtel@6wind.com, Christian Brauner Subject: [PATCH net-next v1 3/5] ipv4: enable IFA_IF_NETNSID for RTM_GETADDR Date: Mon, 3 Sep 2018 06:37:15 +0200 Message-Id: <20180903043717.20136-4-christian@brauner.io> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180903043717.20136-1-christian@brauner.io> References: <20180903043717.20136-1-christian@brauner.io> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org - Backwards Compatibility: If userspace wants to determine whether ipv4 RTM_GETADDR requests support the new IFA_IF_NETNSID property they should verify that the reply after sending a request includes the IFA_IF_NETNSID property. If it does not userspace should assume that IFA_IF_NETNSID is not supported for ipv4 RTM_GETADDR requests on this kernel. - From what I gather from current userspace tools that make use of RTM_GETADDR requests some of them pass down struct ifinfomsg when they should actually pass down struct ifaddrmsg. To not break existing tools that pass down the wrong struct we will do the same as for RTM_GETLINK | NLM_F_DUMP requests and not error out when the nlmsg_parse() fails. - Security: Callers must have CAP_NET_ADMIN in the owning user namespace of the target network namespace. Signed-off-by: Christian Brauner --- v0->v1: - unchanged --- net/ipv4/devinet.c | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index ea4bd8a52422..c52271309a1f 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c @@ -100,6 +100,7 @@ static const struct nla_policy ifa_ipv4_policy[IFA_MAX+1] = { [IFA_CACHEINFO] = { .len = sizeof(struct ifa_cacheinfo) }, [IFA_FLAGS] = { .type = NLA_U32 }, [IFA_RT_PRIORITY] = { .type = NLA_U32 }, + [IFA_IF_NETNSID] = { .type = NLA_S32 }, }; #define IN4_ADDR_HSIZE_SHIFT 8 @@ -1584,7 +1585,8 @@ static int put_cacheinfo(struct sk_buff *skb, unsigned long cstamp, } static int inet_fill_ifaddr(struct sk_buff *skb, struct in_ifaddr *ifa, - u32 portid, u32 seq, int event, unsigned int flags) + u32 portid, u32 seq, int event, unsigned int flags, + int netnsid) { struct ifaddrmsg *ifm; struct nlmsghdr *nlh; @@ -1601,6 +1603,9 @@ static int inet_fill_ifaddr(struct sk_buff *skb, struct in_ifaddr *ifa, ifm->ifa_scope = ifa->ifa_scope; ifm->ifa_index = ifa->ifa_dev->dev->ifindex; + if (netnsid >= 0 && nla_put_s32(skb, IFA_IF_NETNSID, netnsid)) + goto nla_put_failure; + if (!(ifm->ifa_flags & IFA_F_PERMANENT)) { preferred = ifa->ifa_preferred_lft; valid = ifa->ifa_valid_lft; @@ -1648,6 +1653,9 @@ static int inet_fill_ifaddr(struct sk_buff *skb, struct in_ifaddr *ifa, static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) { struct net *net = sock_net(skb->sk); + struct nlattr *tb[IFA_MAX+1]; + struct net *tgt_net = net; + int netnsid = -1; int h, s_h; int idx, s_idx; int ip_idx, s_ip_idx; @@ -1660,12 +1668,23 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) s_idx = idx = cb->args[1]; s_ip_idx = ip_idx = cb->args[2]; + if (nlmsg_parse(cb->nlh, sizeof(struct ifaddrmsg), tb, IFA_MAX, + ifa_ipv4_policy, NULL) >= 0) { + if (tb[IFA_IF_NETNSID]) { + netnsid = nla_get_s32(tb[IFA_IF_NETNSID]); + + tgt_net = rtnl_get_net_ns_capable(skb->sk, netnsid); + if (IS_ERR(tgt_net)) + return PTR_ERR(tgt_net); + } + } + for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; - head = &net->dev_index_head[h]; + head = &tgt_net->dev_index_head[h]; rcu_read_lock(); - cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^ - net->dev_base_seq; + cb->seq = atomic_read(&tgt_net->ipv4.dev_addr_genid) ^ + tgt_net->dev_base_seq; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) goto cont; @@ -1680,9 +1699,10 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) if (ip_idx < s_ip_idx) continue; if (inet_fill_ifaddr(skb, ifa, - NETLINK_CB(cb->skb).portid, - cb->nlh->nlmsg_seq, - RTM_NEWADDR, NLM_F_MULTI) < 0) { + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + RTM_NEWADDR, NLM_F_MULTI, + netnsid) < 0) { rcu_read_unlock(); goto done; } @@ -1698,6 +1718,8 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) cb->args[0] = h; cb->args[1] = idx; cb->args[2] = ip_idx; + if (netnsid >= 0) + put_net(tgt_net); return skb->len; } @@ -1715,7 +1737,7 @@ static void rtmsg_ifa(int event, struct in_ifaddr *ifa, struct nlmsghdr *nlh, if (!skb) goto errout; - err = inet_fill_ifaddr(skb, ifa, portid, seq, event, 0); + err = inet_fill_ifaddr(skb, ifa, portid, seq, event, 0, -1); if (err < 0) { /* -EMSGSIZE implies BUG in inet_nlmsg_size() */ WARN_ON(err == -EMSGSIZE); From patchwork Mon Sep 3 04:37:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 965206 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=brauner.io Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 423chS1xCcz9s3Z for ; Mon, 3 Sep 2018 14:40:08 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727216AbeICI60 (ORCPT ); Mon, 3 Sep 2018 04:58:26 -0400 Received: from mail-wm0-f66.google.com ([74.125.82.66]:37569 "EHLO mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725892AbeICI6Z (ORCPT ); Mon, 3 Sep 2018 04:58:25 -0400 Received: by mail-wm0-f66.google.com with SMTP id n11-v6so10271303wmc.2; Sun, 02 Sep 2018 21:40:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=dx2iCJFRRNJtzuTKhjb6tFjNM9NxC55sSey/TrC6dE0=; b=gg+dIP9ozt5v0e0xeNYQRfKMC/V2OiifrtySE4N7q2UKN5sx4wAGYOkzzUSNfgSzyf Trc85DHB8MZLTAVO59yj+DCjoGWsOEOI1GG1zenD1jASM12UCnbvT4VZwKO3C8WeOJji WlfpE2klrdOQG+g+WaWGEUrAw38v0rU8TxUa2mvUI9gTqSGJwK3h/ykPaQzu5rAm1TTz LmgMrExPPVMbd71yOWkfdx/ClqmVJPIYkksM1XrlYRszg0OraoVZm+YoWg0O/1FJEFb+ lkgiWVLSLMHQIyCs23c+zUqhlh2k/1KDFB2Dha9HAwanQ04Dr9pKHcFpXE/IiiSr6vUQ X19g== X-Gm-Message-State: APzg51BapB+6Tno7PSl8NDW+Pdp+WXrfEPfNK+nKJ0x7/bOpfLuPdBCz FiTEAm4ViAREAuojjzRNM6b6QAfow3skRw== X-Google-Smtp-Source: ANB0Vda6gIg6E5qetheroPHM/vdwmz/nPz3CrnYExqRcX7RBSrleYLOUSy7PFAdx90Mh01+sKOcsPg== X-Received: by 2002:a1c:1a48:: with SMTP id a69-v6mr3873028wma.43.1535949599646; Sun, 02 Sep 2018 21:39:59 -0700 (PDT) Received: from localhost.localdomain ([88.128.81.0]) by smtp.gmail.com with ESMTPSA id j66-v6sm22453364wrj.28.2018.09.02.21.39.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 02 Sep 2018 21:39:59 -0700 (PDT) From: Christian Brauner To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, pombredanne@nexb.com, kstewart@linuxfoundation.org, gregkh@linuxfoundation.org, dsahern@gmail.com, fw@strlen.de, ktkhai@virtuozzo.com, lucien.xin@gmail.com, jakub.kicinski@netronome.com, jbenc@redhat.com, nicolas.dichtel@6wind.com, Christian Brauner Subject: [PATCH net-next v1 4/5] ipv6: enable IFA_IF_NETNSID for RTM_GETADDR Date: Mon, 3 Sep 2018 06:37:16 +0200 Message-Id: <20180903043717.20136-5-christian@brauner.io> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180903043717.20136-1-christian@brauner.io> References: <20180903043717.20136-1-christian@brauner.io> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org - Backwards Compatibility: If userspace wants to determine whether ipv6 RTM_GETADDR requests support the new IFA_IF_NETNSID property they should verify that the reply after sending a request includes the IFA_IF_NETNSID property. If it does not userspace should assume that IFA_IF_NETNSID is not supported for ipv6 RTM_GETADDR requests on this kernel. - From what I gather from current userspace tools that make use of RTM_GETADDR requests some of them pass down struct ifinfomsg when they should actually pass down struct ifaddrmsg. To not break existing tools that pass down the wrong struct we will do the same as for RTM_GETLINK | NLM_F_DUMP requests and not error out when the nlmsg_parse() fails. - Security: Callers must have CAP_NET_ADMIN in the owning user namespace of the target network namespace. Signed-off-by: Christian Brauner --- v0->v1: - unchanged --- net/ipv6/addrconf.c | 70 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 55 insertions(+), 15 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index d51a8c0b3372..00f1af374150 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -4491,6 +4491,7 @@ static const struct nla_policy ifa_ipv6_policy[IFA_MAX+1] = { [IFA_CACHEINFO] = { .len = sizeof(struct ifa_cacheinfo) }, [IFA_FLAGS] = { .len = sizeof(u32) }, [IFA_RT_PRIORITY] = { .len = sizeof(u32) }, + [IFA_IF_NETNSID] = { .type = NLA_S32 }, }; static int @@ -4794,7 +4795,8 @@ static inline int inet6_ifaddr_msgsize(void) } static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa, - u32 portid, u32 seq, int event, unsigned int flags) + u32 portid, u32 seq, int event, unsigned int flags, + int netnsid) { struct nlmsghdr *nlh; u32 preferred, valid; @@ -4806,6 +4808,9 @@ static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa, put_ifaddrmsg(nlh, ifa->prefix_len, ifa->flags, rt_scope(ifa->scope), ifa->idev->dev->ifindex); + if (netnsid >= 0 && nla_put_s32(skb, IFA_IF_NETNSID, netnsid)) + goto error; + if (!((ifa->flags&IFA_F_PERMANENT) && (ifa->prefered_lft == INFINITY_LIFE_TIME))) { preferred = ifa->prefered_lft; @@ -4855,7 +4860,8 @@ static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa, } static int inet6_fill_ifmcaddr(struct sk_buff *skb, struct ifmcaddr6 *ifmca, - u32 portid, u32 seq, int event, u16 flags) + u32 portid, u32 seq, int event, u16 flags, + int netnsid) { struct nlmsghdr *nlh; u8 scope = RT_SCOPE_UNIVERSE; @@ -4868,6 +4874,9 @@ static int inet6_fill_ifmcaddr(struct sk_buff *skb, struct ifmcaddr6 *ifmca, if (!nlh) return -EMSGSIZE; + if (netnsid >= 0 && nla_put_s32(skb, IFA_IF_NETNSID, netnsid)) + return -EMSGSIZE; + put_ifaddrmsg(nlh, 128, IFA_F_PERMANENT, scope, ifindex); if (nla_put_in6_addr(skb, IFA_MULTICAST, &ifmca->mca_addr) < 0 || put_cacheinfo(skb, ifmca->mca_cstamp, ifmca->mca_tstamp, @@ -4881,7 +4890,8 @@ static int inet6_fill_ifmcaddr(struct sk_buff *skb, struct ifmcaddr6 *ifmca, } static int inet6_fill_ifacaddr(struct sk_buff *skb, struct ifacaddr6 *ifaca, - u32 portid, u32 seq, int event, unsigned int flags) + u32 portid, u32 seq, int event, + unsigned int flags, int netnsid) { struct net_device *dev = fib6_info_nh_dev(ifaca->aca_rt); int ifindex = dev ? dev->ifindex : 1; @@ -4895,6 +4905,9 @@ static int inet6_fill_ifacaddr(struct sk_buff *skb, struct ifacaddr6 *ifaca, if (!nlh) return -EMSGSIZE; + if (netnsid >= 0 && nla_put_s32(skb, IFA_IF_NETNSID, netnsid)) + return -EMSGSIZE; + put_ifaddrmsg(nlh, 128, IFA_F_PERMANENT, scope, ifindex); if (nla_put_in6_addr(skb, IFA_ANYCAST, &ifaca->aca_addr) < 0 || put_cacheinfo(skb, ifaca->aca_cstamp, ifaca->aca_tstamp, @@ -4916,7 +4929,7 @@ enum addr_type_t { /* called with rcu_read_lock() */ static int in6_dump_addrs(struct inet6_dev *idev, struct sk_buff *skb, struct netlink_callback *cb, enum addr_type_t type, - int s_ip_idx, int *p_ip_idx) + int s_ip_idx, int *p_ip_idx, int netnsid) { struct ifmcaddr6 *ifmca; struct ifacaddr6 *ifaca; @@ -4936,7 +4949,7 @@ static int in6_dump_addrs(struct inet6_dev *idev, struct sk_buff *skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, RTM_NEWADDR, - NLM_F_MULTI); + NLM_F_MULTI, netnsid); if (err < 0) break; nl_dump_check_consistent(cb, nlmsg_hdr(skb)); @@ -4953,7 +4966,7 @@ static int in6_dump_addrs(struct inet6_dev *idev, struct sk_buff *skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, RTM_GETMULTICAST, - NLM_F_MULTI); + NLM_F_MULTI, netnsid); if (err < 0) break; } @@ -4968,7 +4981,7 @@ static int in6_dump_addrs(struct inet6_dev *idev, struct sk_buff *skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, RTM_GETANYCAST, - NLM_F_MULTI); + NLM_F_MULTI, netnsid); if (err < 0) break; } @@ -4985,6 +4998,9 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, enum addr_type_t type) { struct net *net = sock_net(skb->sk); + struct nlattr *tb[IFA_MAX+1]; + struct net *tgt_net = net; + int netnsid = -1; int h, s_h; int idx, ip_idx; int s_idx, s_ip_idx; @@ -4996,11 +5012,22 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, s_idx = idx = cb->args[1]; s_ip_idx = ip_idx = cb->args[2]; + if (nlmsg_parse(cb->nlh, sizeof(struct ifaddrmsg), tb, IFA_MAX, + ifa_ipv6_policy, NULL) >= 0) { + if (tb[IFA_IF_NETNSID]) { + netnsid = nla_get_s32(tb[IFA_IF_NETNSID]); + + tgt_net = rtnl_get_net_ns_capable(skb->sk, netnsid); + if (IS_ERR(tgt_net)) + return PTR_ERR(tgt_net); + } + } + rcu_read_lock(); - cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq; + cb->seq = atomic_read(&tgt_net->ipv6.dev_addr_genid) ^ tgt_net->dev_base_seq; for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; - head = &net->dev_index_head[h]; + head = &tgt_net->dev_index_head[h]; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) goto cont; @@ -5012,7 +5039,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, goto cont; if (in6_dump_addrs(idev, skb, cb, type, - s_ip_idx, &ip_idx) < 0) + s_ip_idx, &ip_idx, netnsid) < 0) goto done; cont: idx++; @@ -5023,6 +5050,8 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb, cb->args[0] = h; cb->args[1] = idx; cb->args[2] = ip_idx; + if (netnsid >= 0) + put_net(tgt_net); return skb->len; } @@ -5053,12 +5082,14 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh, struct netlink_ext_ack *extack) { struct net *net = sock_net(in_skb->sk); + struct net *tgt_net = net; struct ifaddrmsg *ifm; struct nlattr *tb[IFA_MAX+1]; struct in6_addr *addr = NULL, *peer; struct net_device *dev = NULL; struct inet6_ifaddr *ifa; struct sk_buff *skb; + int netnsid = -1; int err; err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv6_policy, @@ -5066,15 +5097,24 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh, if (err < 0) return err; + if (tb[IFA_IF_NETNSID]) { + netnsid = nla_get_s32(tb[IFA_IF_NETNSID]); + + tgt_net = rtnl_get_net_ns_capable(NETLINK_CB(in_skb).sk, + netnsid); + if (IS_ERR(tgt_net)) + return PTR_ERR(tgt_net); + } + addr = extract_addr(tb[IFA_ADDRESS], tb[IFA_LOCAL], &peer); if (!addr) return -EINVAL; ifm = nlmsg_data(nlh); if (ifm->ifa_index) - dev = dev_get_by_index(net, ifm->ifa_index); + dev = dev_get_by_index(tgt_net, ifm->ifa_index); - ifa = ipv6_get_ifaddr(net, addr, dev, 1); + ifa = ipv6_get_ifaddr(tgt_net, addr, dev, 1); if (!ifa) { err = -EADDRNOTAVAIL; goto errout; @@ -5087,14 +5127,14 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh, } err = inet6_fill_ifaddr(skb, ifa, NETLINK_CB(in_skb).portid, - nlh->nlmsg_seq, RTM_NEWADDR, 0); + nlh->nlmsg_seq, RTM_NEWADDR, 0, netnsid); if (err < 0) { /* -EMSGSIZE implies BUG in inet6_ifaddr_msgsize() */ WARN_ON(err == -EMSGSIZE); kfree_skb(skb); goto errout_ifa; } - err = rtnl_unicast(skb, net, NETLINK_CB(in_skb).portid); + err = rtnl_unicast(skb, tgt_net, NETLINK_CB(in_skb).portid); errout_ifa: in6_ifa_put(ifa); errout: @@ -5113,7 +5153,7 @@ static void inet6_ifa_notify(int event, struct inet6_ifaddr *ifa) if (!skb) goto errout; - err = inet6_fill_ifaddr(skb, ifa, 0, 0, event, 0); + err = inet6_fill_ifaddr(skb, ifa, 0, 0, event, 0, -1); if (err < 0) { /* -EMSGSIZE implies BUG in inet6_ifaddr_msgsize() */ WARN_ON(err == -EMSGSIZE); From patchwork Mon Sep 3 04:37:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Brauner X-Patchwork-Id: 965209 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=brauner.io Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 423chq3n4zz9s3Z for ; Mon, 3 Sep 2018 14:40:27 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726203AbeICI6o (ORCPT ); Mon, 3 Sep 2018 04:58:44 -0400 Received: from mail-wm0-f68.google.com ([74.125.82.68]:53822 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725892AbeICI6o (ORCPT ); Mon, 3 Sep 2018 04:58:44 -0400 Received: by mail-wm0-f68.google.com with SMTP id b19-v6so10103723wme.3; Sun, 02 Sep 2018 21:40:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=0Ttasv9wAA50TWH1RmglYBXDp2m1htM+fUMfHro5KZg=; b=sbB2COJyBJg8BtdrFr3O1uz3867NMXApilNuhN2LkcqKkLun9/kQRXkzkNklxcZrnv tN/2MP8f/jbl6RDWMhtw3FeE0ppujI5iI9UEqTiYbcGdCpYA8ZsniT+rPrQK8ka7jTxl kEWXTWDAaZCJ/xH8Hn7RQO4skHd8abD2etvmbp/xfH1aW1sZFqJRQeP1/ZeujtTNTr5a zUAlXgl5IPs8kVgsqntdvbZt1+hELd5N9VL9rU2WodChmfxsMmibG9IX2UTKIvp3K/vT wzaaHitzJWOShEHsNCLkRjbP4cDB54khIRdZQDcYG8N40EyG7ThC51HXw0XdiajJHlGC kQiA== X-Gm-Message-State: APzg51AzJtPwcuz42ysBLr0nfAY3D0wupfLek/3XH1LIm6ubpI3arDGL tvOzRl0F49JKA0oeg976NbH4PvfRuy2+lw== X-Google-Smtp-Source: ANB0VdZawAX0s1mdbLGugqOsIrHxb88cKb9qNHcYNMRm/8qt/xBm5htH3xrs5VL6O0hA5R5+yvMDXw== X-Received: by 2002:a1c:ae94:: with SMTP id x142-v6mr4239910wme.125.1535949618361; Sun, 02 Sep 2018 21:40:18 -0700 (PDT) Received: from localhost.localdomain ([88.128.81.0]) by smtp.gmail.com with ESMTPSA id j66-v6sm22453364wrj.28.2018.09.02.21.40.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 02 Sep 2018 21:40:17 -0700 (PDT) From: Christian Brauner To: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, pombredanne@nexb.com, kstewart@linuxfoundation.org, gregkh@linuxfoundation.org, dsahern@gmail.com, fw@strlen.de, ktkhai@virtuozzo.com, lucien.xin@gmail.com, jakub.kicinski@netronome.com, jbenc@redhat.com, nicolas.dichtel@6wind.com, Christian Brauner Subject: [PATCH net-next v1 5/5] rtnetlink: move type calculation out of loop Date: Mon, 3 Sep 2018 06:37:17 +0200 Message-Id: <20180903043717.20136-6-christian@brauner.io> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180903043717.20136-1-christian@brauner.io> References: <20180903043717.20136-1-christian@brauner.io> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org I don't see how the type - which is one of RTM_{GETADDR,GETROUTE,GETNETCONF} - can change. So do the message type calculation once before entering the for loop. Signed-off-by: Christian Brauner --- v0->v1: - unchanged --- net/core/rtnetlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 30645d9a9801..b36dab7507a0 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -3265,13 +3265,13 @@ static int rtnl_dump_all(struct sk_buff *skb, struct netlink_callback *cb) { int idx; int s_idx = cb->family; + int type = cb->nlh->nlmsg_type - RTM_BASE; if (s_idx == 0) s_idx = 1; for (idx = 1; idx <= RTNL_FAMILY_MAX; idx++) { struct rtnl_link **tab; - int type = cb->nlh->nlmsg_type-RTM_BASE; struct rtnl_link *link; rtnl_dumpit_func dumpit;