[CRIU] [PATCH 0/3] tun: Check that net ns of tun device is dumped

Fri Mar 2 01:49:50 MSK 2018

On Thu, Mar 01, 2018 at 09:56:11AM -0800, Andrei Vagin wrote:
> On Thu, Mar 01, 2018 at 11:16:25AM +0300, Kirill Tkhai wrote:
> > On 28.02.2018 23:20, Andrei Vagin wrote:
> > > On Mon, Feb 19, 2018 at 03:15:53PM +0300, Kirill Tkhai wrote:
> > >> This patchset makes dump code to check, that net is related
> > >> to one of net namespaces, we already collected. If it's not,
> > >> dump will fail like we do that for plain sockets.
> > > 
> > > But it isn't enought to dump tun devices from a non-root netns, isn't
> > > it?
> > 
> > Yes, but it isn't implemented in criu, and it needs more changes.
> > It's a fix for stable.
> > 
> > We may add one more patch like "tun: Check that net ns of tun device is root net ns",
> > to be safe in criu-dev.
> 
> I would like to have patches like "tun: add supported for multible net
> namespaces." ;)

Something like the attached patch
> 
> > 
> > >>
> > >> This patchset requires patch "tun: Add ioctl() SIOCGSKNS cmd
> > >> to allow obtaining net ns of tun device" from net-next:
> > >>
> > >> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=f2780d6d74756bc1d7ba32ff3dd0de4afd7c7e1e
> > >>
> > >> ---
> > >>
> > >> Kirill Tkhai (3):
> > >>       net: Extrack ioctl() call from kerndat_socket_netns()
> > >>       tun: Check tun has ioctl() cmd SIOCGSKNS
> > >>       tun: Check that net ns of tun device is dumped
> > >>
> > >>
> > >>  criu/include/kerndat.h |    1 +
> > >>  criu/include/net.h     |    1 +
> > >>  criu/include/tun.h     |    1 +
> > >>  criu/kerndat.c         |    3 +++
> > >>  criu/net.c             |   26 +++++++++++++++-----------
> > >>  criu/tun.c             |   23 +++++++++++++++++++++++
> > >>  6 files changed, 44 insertions(+), 11 deletions(-)
> > >>
> > >> --
> > >> Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
> _______________________________________________
> CRIU mailing list
> CRIU at openvz.org
> https://lists.openvz.org/mailman/listinfo/criu
-------------- next part --------------

diff --git a/criu/tun.c b/criu/tun.c
index dfca4b125..a14a59470 100644
--- a/criu/tun.c
+++ b/criu/tun.c
@@ -19,6 +19,7 @@
 #include "net.h"
 #include "namespaces.h"
 #include "xmalloc.h"
+#include "sockets.h"
 
 #include "images/tun.pb-c.h"
 
@@ -271,6 +272,7 @@ static int dump_tunfile(int lfd, u32 id, const struct fd_parms *p)
 	FileEntry fe = FILE_ENTRY__INIT;
 	TunfileEntry tfe = TUNFILE_ENTRY__INIT;
 	struct ifreq ifr;
+	struct ns_id *ns;
 
 	if (!(root_ns_mask & CLONE_NEWNET)) {
 		pr_err("Net namespace is required to dump tun link\n");
@@ -283,6 +285,13 @@ static int dump_tunfile(int lfd, u32 id, const struct fd_parms *p)
 	pr_info("Dumping tun-file %d with id %#x\n", lfd, id);
 
 	tfe.id		= id;
+
+	ns = get_socket_ns(lfd);
+	if (!ns)
+		return -1;
+	tfe.ns_id = ns->id;
+	tfe.has_ns_id = true;
+
 	ret = ioctl(lfd, TUNGETIFF, &ifr);
 	if (ret < 0) {
 		if (errno != EBADFD) {
@@ -337,6 +346,9 @@ static int tunfile_open(struct file_desc *d, int *new_fd)
 	if (fd < 0)
 		return -1;
 
+	if (set_netns(ti->tfe->ns_id))
+		return -1;
+
 	if (!ti->tfe->netdev)
 		/* just-opened tun file */
 		goto ok;;
diff --git a/images/tun.proto b/images/tun.proto
index 796e1f5d9..b70c9ed67 100644
--- a/images/tun.proto
+++ b/images/tun.proto
@@ -6,6 +6,7 @@ message tunfile_entry {
 	required uint32		id		= 1;
 	optional string		netdev		= 2;
 	optional bool		detached	= 3;
+	optional uint32		ns_id		= 4;
 };
 
 message tun_link_entry {
diff --git a/test/zdtm/static/tun.c b/test/zdtm/static/tun.c
index c53b8fa88..9a1467ca9 100644
--- a/test/zdtm/static/tun.c
+++ b/test/zdtm/static/tun.c
@@ -5,6 +5,7 @@
 #include <sys/socket.h>
 #include <linux/if.h>
 #include <linux/if_tun.h>
+#include <sched.h>
 
 #include "zdtmtst.h"
 
@@ -119,6 +120,9 @@ int main(int argc, char **argv)
 
 	test_init(argc, argv);
 
+	unshare(CLONE_NEWNET);
+	system("ip link set up dev lo");
+
 	/* fd[0] -- opened file */
 	fds[0] = __open_tun();
 	if (fds[0] < 0) {
