lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1473791620.14269.2.camel@gmail.com>
Date:   Tue, 13 Sep 2016 11:33:40 -0700
From:   Greg <gvrose8192@...il.com>
To:     Cyrill Gorcunov <gorcunov@...il.com>
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        David Miller <davem@...emloft.net>, dsa@...ulusnetworks.com,
        eric.dumazet@...il.com, kuznet@....inr.ac.ru, jmorris@...ei.org,
        yoshfuji@...ux-ipv6.org, kaber@...sh.net, avagin@...nvz.org,
        stephen@...workplumber.org
Subject: Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

On Tue, 2016-09-13 at 20:19 +0300, Cyrill Gorcunov wrote:
> In criu we are actively using diag interface to collect sockets
> present in the system when dumping applications. And while for
> unix, tcp, udp[lite], packet, netlink it works as expected,
> the raw sockets do not have. Thus add it.
> 
> v2:
>  - add missing sock_put calls in raw_diag_dump_one (by eric.dumazet@)
>  - implement @destroy for diag requests (by dsa@)
> 
> v3:
>  - add export of raw_abort for IPv6 (by dsa@)
>  - pass net-admin flag into inet_sk_diag_fill due to
>    changes in net-next branch (by dsa@)
> 
> CC: David S. Miller <davem@...emloft.net>
> CC: Eric Dumazet <eric.dumazet@...il.com>
> CC: David Ahern <dsa@...ulusnetworks.com>
> CC: Alexey Kuznetsov <kuznet@....inr.ac.ru>
> CC: James Morris <jmorris@...ei.org>
> CC: Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>
> CC: Patrick McHardy <kaber@...sh.net>
> CC: Andrey Vagin <avagin@...nvz.org>
> CC: Stephen Hemminger <stephen@...workplumber.org>
> Signed-off-by: Cyrill Gorcunov <gorcunov@...nvz.org>
> ---
> 
>  include/net/raw.h   |    6 +
>  include/net/rawv6.h |    7 +
>  net/ipv4/Kconfig    |    8 +
>  net/ipv4/Makefile   |    1 
>  net/ipv4/raw.c      |   21 ++++
>  net/ipv4/raw_diag.c |  226 ++++++++++++++++++++++++++++++++++++++++++++++++++++
>  net/ipv6/raw.c      |    7 +
>  7 files changed, 272 insertions(+), 4 deletions(-)
> 
> Index: linux-ml.git/include/net/raw.h
> ===================================================================
> --- linux-ml.git.orig/include/net/raw.h
> +++ linux-ml.git/include/net/raw.h
> @@ -23,6 +23,12 @@
>  
>  extern struct proto raw_prot;
>  
> +extern struct raw_hashinfo raw_v4_hashinfo;
> +struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
> +			     unsigned short num, __be32 raddr,
> +			     __be32 laddr, int dif);
> +
> +int raw_abort(struct sock *sk, int err);
>  void raw_icmp_error(struct sk_buff *, int, u32);
>  int raw_local_deliver(struct sk_buff *, int);
>  
> Index: linux-ml.git/include/net/rawv6.h
> ===================================================================
> --- linux-ml.git.orig/include/net/rawv6.h
> +++ linux-ml.git/include/net/rawv6.h
> @@ -3,6 +3,13 @@
>  
>  #include <net/protocol.h>
>  
> +extern struct raw_hashinfo raw_v6_hashinfo;
> +struct sock *__raw_v6_lookup(struct net *net, struct sock *sk,
> +			     unsigned short num, const struct in6_addr *loc_addr,
> +			     const struct in6_addr *rmt_addr, int dif);
> +
> +int raw_abort(struct sock *sk, int err);
> +
>  void raw6_icmp_error(struct sk_buff *, int nexthdr,
>  		u8 type, u8 code, int inner_offset, __be32);
>  bool raw6_local_deliver(struct sk_buff *, int);
> Index: linux-ml.git/net/ipv4/Kconfig
> ===================================================================
> --- linux-ml.git.orig/net/ipv4/Kconfig
> +++ linux-ml.git/net/ipv4/Kconfig
> @@ -430,6 +430,14 @@ config INET_UDP_DIAG
>  	  Support for UDP socket monitoring interface used by the ss tool.
>  	  If unsure, say Y.
>  
> +config INET_RAW_DIAG
> +	tristate "RAW: socket monitoring interface"
> +	depends on INET_DIAG && (IPV6 || IPV6=n)
> +	default n
> +	---help---
> +	  Support for RAW socket monitoring interface used by the ss tool.
> +	  If unsure, say Y.
> +
>  config INET_DIAG_DESTROY
>  	bool "INET: allow privileged process to administratively close sockets"
>  	depends on INET_DIAG
> Index: linux-ml.git/net/ipv4/Makefile
> ===================================================================
> --- linux-ml.git.orig/net/ipv4/Makefile
> +++ linux-ml.git/net/ipv4/Makefile
> @@ -40,6 +40,7 @@ obj-$(CONFIG_NETFILTER)	+= netfilter.o n
>  obj-$(CONFIG_INET_DIAG) += inet_diag.o 
>  obj-$(CONFIG_INET_TCP_DIAG) += tcp_diag.o
>  obj-$(CONFIG_INET_UDP_DIAG) += udp_diag.o
> +obj-$(CONFIG_INET_RAW_DIAG) += raw_diag.o
>  obj-$(CONFIG_NET_TCPPROBE) += tcp_probe.o
>  obj-$(CONFIG_TCP_CONG_BIC) += tcp_bic.o
>  obj-$(CONFIG_TCP_CONG_CDG) += tcp_cdg.o
> Index: linux-ml.git/net/ipv4/raw.c
> ===================================================================
> --- linux-ml.git.orig/net/ipv4/raw.c
> +++ linux-ml.git/net/ipv4/raw.c
> @@ -89,9 +89,10 @@ struct raw_frag_vec {
>  	int hlen;
>  };
>  
> -static struct raw_hashinfo raw_v4_hashinfo = {
> +struct raw_hashinfo raw_v4_hashinfo = {
>  	.lock = __RW_LOCK_UNLOCKED(raw_v4_hashinfo.lock),
>  };
> +EXPORT_SYMBOL_GPL(raw_v4_hashinfo);
>  
>  int raw_hash_sk(struct sock *sk)
>  {
> @@ -120,7 +121,7 @@ void raw_unhash_sk(struct sock *sk)
>  }
>  EXPORT_SYMBOL_GPL(raw_unhash_sk);
>  
> -static struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
> +struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
>  		unsigned short num, __be32 raddr, __be32 laddr, int dif)
>  {
>  	sk_for_each_from(sk) {
> @@ -136,6 +137,7 @@ static struct sock *__raw_v4_lookup(stru
>  found:
>  	return sk;
>  }
> +EXPORT_SYMBOL_GPL(__raw_v4_lookup);
>  
>  /*
>   *	0 - deliver
> @@ -918,6 +920,20 @@ static int compat_raw_ioctl(struct sock
>  }
>  #endif
>  
> +int raw_abort(struct sock *sk, int err)
> +{
> +	lock_sock(sk);
> +
> +	sk->sk_err = err;
> +	sk->sk_error_report(sk);
> +	udp_disconnect(sk, 0);
> +
> +	release_sock(sk);
> +
> +	return 0;
> +}
> +EXPORT_SYMBOL_GPL(raw_abort);
> +
>  struct proto raw_prot = {
>  	.name		   = "RAW",
>  	.owner		   = THIS_MODULE,
> @@ -943,6 +959,7 @@ struct proto raw_prot = {
>  	.compat_getsockopt = compat_raw_getsockopt,
>  	.compat_ioctl	   = compat_raw_ioctl,
>  #endif
> +	.diag_destroy	   = raw_abort,
>  };
>  
>  #ifdef CONFIG_PROC_FS
> Index: linux-ml.git/net/ipv4/raw_diag.c
> ===================================================================
> --- /dev/null
> +++ linux-ml.git/net/ipv4/raw_diag.c
> @@ -0,0 +1,226 @@
> +#include <linux/module.h>
> +
> +#include <linux/inet_diag.h>
> +#include <linux/sock_diag.h>
> +
> +#include <net/raw.h>
> +#include <net/rawv6.h>
> +
> +#ifdef pr_fmt
> +# undef pr_fmt
> +#endif
> +
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +static struct raw_hashinfo *
> +raw_get_hashinfo(const struct inet_diag_req_v2 *r)
> +{
> +	if (r->sdiag_family == AF_INET) {
> +		return &raw_v4_hashinfo;
> +#if IS_ENABLED(CONFIG_IPV6)
> +	} else if (r->sdiag_family == AF_INET6) {
> +		return &raw_v6_hashinfo;
> +#endif

Someday Linux will be a modern OS that just includes IPV6 and forces a
config option to NOT have it.

That'll be great.  All the IS_ENABLED_(CONFIG_IPV6) scattered everywhere
is nuts.

</editorial comment>

- Greg

> +	} else {
> +		pr_warn_once("Unexpected inet family %d\n",
> +			     r->sdiag_family);
> +		WARN_ON_ONCE(1);
> +		return ERR_PTR(-EINVAL);
> +	}
> +}
> +
> +static struct sock *raw_lookup(struct net *net, struct sock *from,
> +			       const struct inet_diag_req_v2 *r)
> +{
> +	struct sock *sk = NULL;
> +
> +	if (r->sdiag_family == AF_INET)
> +		sk = __raw_v4_lookup(net, from, r->sdiag_protocol,
> +				     r->id.idiag_dst[0],
> +				     r->id.idiag_src[0],
> +				     r->id.idiag_if);
> +#if IS_ENABLED(CONFIG_IPV6)
> +	else
> +		sk = __raw_v6_lookup(net, from, r->sdiag_protocol,
> +				     (const struct in6_addr *)r->id.idiag_src,
> +				     (const struct in6_addr *)r->id.idiag_dst,
> +				     r->id.idiag_if);
> +#endif
> +	return sk;
> +}
> +
> +static struct sock *raw_sock_get(struct net *net, const struct inet_diag_req_v2 *r)
> +{
> +	struct raw_hashinfo *hashinfo = raw_get_hashinfo(r);
> +	struct sock *sk = NULL, *s;
> +	int slot;
> +
> +	if (IS_ERR(hashinfo))
> +		return ERR_CAST(hashinfo);
> +
> +	read_lock(&hashinfo->lock);
> +	for (slot = 0; slot < RAW_HTABLE_SIZE; slot++) {
> +		sk_for_each(s, &hashinfo->ht[slot]) {
> +			sk = raw_lookup(net, s, r);
> +			if (sk)
> +				break;
> +		}
> +	}
> +	if (sk && !atomic_inc_not_zero(&sk->sk_refcnt))
> +		sk = NULL;
> +	read_unlock(&hashinfo->lock);
> +
> +	return sk ? sk : ERR_PTR(-ENOENT);
> +}
> +
> +static int raw_diag_dump_one(struct sk_buff *in_skb,
> +			     const struct nlmsghdr *nlh,
> +			     const struct inet_diag_req_v2 *r)
> +{
> +	struct net *net = sock_net(in_skb->sk);
> +	struct sk_buff *rep;
> +	struct sock *sk;
> +	int err;
> +
> +	sk = raw_sock_get(net, r);
> +	if (IS_ERR(sk))
> +		return PTR_ERR(sk);
> +
> +	rep = nlmsg_new(sizeof(struct inet_diag_msg) +
> +			sizeof(struct inet_diag_meminfo) + 64,
> +			GFP_KERNEL);
> +	if (!rep) {
> +		sock_put(sk);
> +		return -ENOMEM;
> +	}
> +
> +	err = inet_sk_diag_fill(sk, NULL, rep, r,
> +				sk_user_ns(NETLINK_CB(in_skb).sk),
> +				NETLINK_CB(in_skb).portid,
> +				nlh->nlmsg_seq, 0, nlh,
> +				netlink_net_capable(in_skb, CAP_NET_ADMIN));
> +	sock_put(sk);
> +
> +	if (err < 0) {
> +		kfree_skb(rep);
> +		return err;
> +	}
> +
> +	err = netlink_unicast(net->diag_nlsk, rep,
> +			      NETLINK_CB(in_skb).portid,
> +			      MSG_DONTWAIT);
> +	if (err > 0)
> +		err = 0;
> +	return err;
> +}
> +
> +static int sk_diag_dump(struct sock *sk, struct sk_buff *skb,
> +			struct netlink_callback *cb,
> +			const struct inet_diag_req_v2 *r,
> +			struct nlattr *bc, bool net_admin)
> +{
> +	if (!inet_diag_bc_sk(bc, sk))
> +		return 0;
> +
> +	return inet_sk_diag_fill(sk, NULL, skb, r,
> +			sk_user_ns(NETLINK_CB(cb->skb).sk),
> +			NETLINK_CB(cb->skb).portid,
> +			cb->nlh->nlmsg_seq, NLM_F_MULTI,
> +			cb->nlh, net_admin);
> +}
> +
> +static void raw_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
> +			  const struct inet_diag_req_v2 *r, struct nlattr *bc)
> +{
> +	bool net_admin = netlink_net_capable(cb->skb, CAP_NET_ADMIN);
> +	struct raw_hashinfo *hashinfo = raw_get_hashinfo(r);
> +	struct net *net = sock_net(skb->sk);
> +	int num, s_num, slot, s_slot;
> +	struct sock *sk = NULL;
> +
> +	if (IS_ERR(hashinfo))
> +		return;
> +
> +	s_slot = cb->args[0];
> +	num = s_num = cb->args[1];
> +
> +	read_lock(&hashinfo->lock);
> +	for (slot = s_slot; slot < RAW_HTABLE_SIZE; s_num = 0, slot++) {
> +		num = 0;
> +
> +		sk_for_each(sk, &hashinfo->ht[slot]) {
> +			struct inet_sock *inet = inet_sk(sk);
> +
> +			if (!net_eq(sock_net(sk), net))
> +				continue;
> +			if (num < s_num)
> +				goto next;
> +			if (sk->sk_family != r->sdiag_family)
> +				goto next;
> +			if (r->id.idiag_sport != inet->inet_sport &&
> +			    r->id.idiag_sport)
> +				goto next;
> +			if (r->id.idiag_dport != inet->inet_dport &&
> +			    r->id.idiag_dport)
> +				goto next;
> +			if (sk_diag_dump(sk, skb, cb, r, bc, net_admin) < 0)
> +				goto out_unlock;
> +next:
> +			num++;
> +		}
> +	}
> +
> +out_unlock:
> +	read_unlock(&hashinfo->lock);
> +
> +	cb->args[0] = slot;
> +	cb->args[1] = num;
> +}
> +
> +static void raw_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
> +			      void *info)
> +{
> +	r->idiag_rqueue = sk_rmem_alloc_get(sk);
> +	r->idiag_wqueue = sk_wmem_alloc_get(sk);
> +}
> +
> +#ifdef CONFIG_INET_DIAG_DESTROY
> +static int raw_diag_destroy(struct sk_buff *in_skb,
> +			    const struct inet_diag_req_v2 *r)
> +{
> +	struct net *net = sock_net(in_skb->sk);
> +	struct sock *sk;
> +
> +	sk = raw_sock_get(net, r);
> +	if (IS_ERR(sk))
> +		return PTR_ERR(sk);
> +	return sock_diag_destroy(sk, ECONNABORTED);
> +}
> +#endif
> +
> +static const struct inet_diag_handler raw_diag_handler = {
> +	.dump			= raw_diag_dump,
> +	.dump_one		= raw_diag_dump_one,
> +	.idiag_get_info		= raw_diag_get_info,
> +	.idiag_type		= IPPROTO_RAW,
> +	.idiag_info_size	= 0,
> +#ifdef CONFIG_INET_DIAG_DESTROY
> +	.destroy		= raw_diag_destroy,
> +#endif
> +};
> +
> +static int __init raw_diag_init(void)
> +{
> +	return inet_diag_register(&raw_diag_handler);
> +}
> +
> +static void __exit raw_diag_exit(void)
> +{
> +	inet_diag_unregister(&raw_diag_handler);
> +}
> +
> +module_init(raw_diag_init);
> +module_exit(raw_diag_exit);
> +MODULE_LICENSE("GPL");
> +MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_NETLINK, NETLINK_SOCK_DIAG, 2-255 /* AF_INET - IPPROTO_RAW */);
> +MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_NETLINK, NETLINK_SOCK_DIAG, 10-255 /* AF_INET6 - IPPROTO_RAW */);
> Index: linux-ml.git/net/ipv6/raw.c
> ===================================================================
> --- linux-ml.git.orig/net/ipv6/raw.c
> +++ linux-ml.git/net/ipv6/raw.c
> @@ -65,11 +65,12 @@
>  
>  #define	ICMPV6_HDRLEN	4	/* ICMPv6 header, RFC 4443 Section 2.1 */
>  
> -static struct raw_hashinfo raw_v6_hashinfo = {
> +struct raw_hashinfo raw_v6_hashinfo = {
>  	.lock = __RW_LOCK_UNLOCKED(raw_v6_hashinfo.lock),
>  };
> +EXPORT_SYMBOL_GPL(raw_v6_hashinfo);
>  
> -static struct sock *__raw_v6_lookup(struct net *net, struct sock *sk,
> +struct sock *__raw_v6_lookup(struct net *net, struct sock *sk,
>  		unsigned short num, const struct in6_addr *loc_addr,
>  		const struct in6_addr *rmt_addr, int dif)
>  {
> @@ -102,6 +103,7 @@ static struct sock *__raw_v6_lookup(stru
>  found:
>  	return sk;
>  }
> +EXPORT_SYMBOL_GPL(__raw_v6_lookup);
>  
>  /*
>   *	0 - deliver
> @@ -1252,6 +1254,7 @@ struct proto rawv6_prot = {
>  	.compat_getsockopt = compat_rawv6_getsockopt,
>  	.compat_ioctl	   = compat_rawv6_ioctl,
>  #endif
> +	.diag_destroy	   = raw_abort,
>  };
>  
>  #ifdef CONFIG_PROC_FS


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ