| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Feb 2018 16:20:01 +0300
From: Kirill Tkhai <ktkhai@...tuozzo.com>
To: Christian Brauner <christian.brauner@...ntu.com>,
netdev@...r.kernel.org
Cc: stephen@...workplumber.org, w.bumiller@...xmox.com,
ebiederm@...ssion.com, jbenc@...hat.com, nicolas.dichtel@...nd.com,
linux-kernel@...r.kernel.org, dsahern@...il.com,
davem@...emloft.net
Subject: Re: [PATCH net 1/1 v4] rtnetlink: require unique netns identifier
On 07.02.2018 15:53, Christian Brauner wrote:
> Since we've added support for IFLA_IF_NETNSID for RTM_{DEL,GET,SET,NEW}LINK
> it is possible for userspace to send us requests with three different
> properties to identify a target network namespace. This affects at least
> RTM_{NEW,SET}LINK. Each of them could potentially refer to a different
> network namespace which is confusing. For legacy reasons the kernel will
> pick the IFLA_NET_NS_PID property first and then look for the
> IFLA_NET_NS_FD property but there is no reason to extend this type of
> behavior to network namespace ids. The regression potential is quite
> minimal since the rtnetlink requests in question either won't allow
> IFLA_IF_NETNSID requests before 4.16 is out (RTM_{NEW,SET}LINK) or don't
> support IFLA_NET_NS_{PID,FD} (RTM_{DEL,GET}LINK) in the first place.
>
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>
> ---
> ChangeLog v3->v4:
> * Based on discussions with Eric and Jiri: disallow passing multiple network
> namespace identifying properties for all requests, i.e. always enforce
> uniqueness.
> * disable passing IFLA_NET_NS_{FD,PID} for RTM_{DEL,GET}LINK completely since
> they never supported it
> ChangeLog v2->v3:
> * Specifying target network namespaces with pids or fds seems racy since the
> process might die and the pid get recycled or the process does a setns() in
> which case the tests would be invalid. So only check whether multiple
> properties are specified and report a helpful error in this case.
> ChangeLog v1->v2:
> * return errno when the specified network namespace id is invalid
> * fill in struct netlink_ext_ack if the network namespace id is invalid
> * rename rtnl_ensure_unique_netns_attr() to rtnl_ensure_unique_netns() to
> indicate that a request without any network namespace identifying attributes
> is also considered valid.
> ChangeLog v0->v1:
> * report a descriptive error to userspace via struct netlink_ext_ack
> * do not fail when multiple properties specifiy the same network namespace
> ---
> net/core/rtnetlink.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 48 insertions(+)
>
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 56af8e41abfc..bc290413a49d 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -1951,6 +1951,38 @@ static struct net *rtnl_link_get_net_capable(const struct sk_buff *skb,
> return net;
> }
>
> +/* Verify that rtnetlink requests do not pass additional properties
> + * potentially referring to different network namespaces.
> + */
> +static int rtnl_ensure_unique_netns(struct nlattr *tb[],
> + struct netlink_ext_ack *extack,
> + bool netns_id_only)
> +{
> +
> + if (netns_id_only) {
> + if (!tb[IFLA_NET_NS_PID] && !tb[IFLA_NET_NS_FD])
> + return 0;
> +
> + NL_SET_ERR_MSG(extack, "specified netns attribute not supported");
> + return -EOPNOTSUPP;
> + }
> +
> + if (tb[IFLA_IF_NETNSID] && (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]))
> + goto invalid_attr;
> +
> + if (tb[IFLA_NET_NS_PID] && (tb[IFLA_IF_NETNSID] || tb[IFLA_NET_NS_FD]))
> + goto invalid_attr;
> +
> + if (tb[IFLA_NET_NS_FD] && (tb[IFLA_IF_NETNSID] || tb[IFLA_NET_NS_PID]))
> + goto invalid_attr;
Can't we write these 3 above branches more compact? Something like this:
if (!!tb[IFLA_NET_NS_FD] + !!tb[IFLA_IF_NETNSID] + !!tb[IFLA_NET_NS_PID] <= 1)
return 0;
Also, do we really need two different error values and error messages?
Kirill
Powered by blists - more mailing lists