lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 26 Dec 2018 20:32:39 -0800
From:   xiangxia.m.yue@...il.com
To:     davem@...emloft.net, xiyou.wangcong@...il.com
Cc:     netdev@...r.kernel.org, Tonghao Zhang <xiangxia.m.yue@...il.com>
Subject: [PATCH net-next v2] net: ipv4: allocate ipv4_devconf memory for init_net

From: Tonghao Zhang <xiangxia.m.yue@...il.com>

The devconf setting on the init_net will affect other
namespace when them created. For example:

$ cat /proc/sys/net/ipv4/conf/all/rp_filter
0
$ echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
$ cat /proc/sys/net/ipv4/conf/all/rp_filter
2

$ ip netns add ns100
$ ip netns exec ns100 bash
$ cat /proc/sys/net/ipv4/conf/all/rp_filter
2

The value of rp_filter in the ns100, should be 0 as
default, but it is 2 same as _init_net_.

In some case,  there are many containers, on host, where running the
different type containers and applications. We don't know what network configuration
user will set. The new containers don't inherit our host configuration.

* host _init_net_ may be used as a complex network. (the rp_filter, arp_ignore
  and arp_announce may be used.) but containers use them as default. Host network
  configuration should not affect containers.
* containers and host network configuration are complete isolation.

To fix it and init devconf to default value, we allocate
memory for every namespace(include init_net), this memory
will be used to store themself setting data and we also
allocate memory to register sys_ctl tables.

IPv6 does that in the same way.

Signed-off-by: Tonghao Zhang <xiangxia.m.yue@...il.com>
---
v1->v2: add more commit info.
---
 net/ipv4/devinet.c | 40 ++++++++++++++++------------------------
 1 file changed, 16 insertions(+), 24 deletions(-)

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5b9b6d4..2edf0f8 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2555,33 +2555,28 @@ static __net_init int devinet_init_net(struct net *net)
 	int err;
 	struct ipv4_devconf *all, *dflt;
 #ifdef CONFIG_SYSCTL
-	struct ctl_table *tbl = ctl_forward_entry;
+	struct ctl_table *tbl;
 	struct ctl_table_header *forw_hdr;
 #endif
 
 	err = -ENOMEM;
-	all = &ipv4_devconf;
-	dflt = &ipv4_devconf_dflt;
-
-	if (!net_eq(net, &init_net)) {
-		all = kmemdup(all, sizeof(ipv4_devconf), GFP_KERNEL);
-		if (!all)
-			goto err_alloc_all;
+	all = kmemdup(&ipv4_devconf, sizeof(ipv4_devconf), GFP_KERNEL);
+	if (!all)
+		goto err_alloc_all;
 
-		dflt = kmemdup(dflt, sizeof(ipv4_devconf_dflt), GFP_KERNEL);
-		if (!dflt)
-			goto err_alloc_dflt;
+	dflt = kmemdup(&ipv4_devconf_dflt, sizeof(ipv4_devconf_dflt), GFP_KERNEL);
+	if (!dflt)
+		goto err_alloc_dflt;
 
 #ifdef CONFIG_SYSCTL
-		tbl = kmemdup(tbl, sizeof(ctl_forward_entry), GFP_KERNEL);
-		if (!tbl)
-			goto err_alloc_ctl;
+	tbl = kmemdup(ctl_forward_entry, sizeof(ctl_forward_entry), GFP_KERNEL);
+	if (!tbl)
+		goto err_alloc_ctl;
 
-		tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1];
-		tbl[0].extra1 = all;
-		tbl[0].extra2 = net;
+	tbl[0].data = &all->data[IPV4_DEVCONF_FORWARDING - 1];
+	tbl[0].extra1 = all;
+	tbl[0].extra2 = net;
 #endif
-	}
 
 #ifdef CONFIG_SYSCTL
 	err = __devinet_sysctl_register(net, "all", NETCONFA_IFINDEX_ALL, all);
@@ -2610,15 +2605,12 @@ static __net_init int devinet_init_net(struct net *net)
 err_reg_dflt:
 	__devinet_sysctl_unregister(net, all, NETCONFA_IFINDEX_ALL);
 err_reg_all:
-	if (tbl != ctl_forward_entry)
-		kfree(tbl);
+	kfree(tbl);
 err_alloc_ctl:
 #endif
-	if (dflt != &ipv4_devconf_dflt)
-		kfree(dflt);
+	kfree(dflt);
 err_alloc_dflt:
-	if (all != &ipv4_devconf)
-		kfree(all);
+	kfree(all);
 err_alloc_all:
 	return err;
 }
-- 
1.8.3.1

Powered by blists - more mailing lists