[Devel] Re: [RFC][patch 3/3] activate filtering for the bind
Serge E. Hallyn
serue at us.ibm.com
Wed Sep 5 09:18:48 PDT 2007
Quoting dlezcano at fr.ibm.com (dlezcano at fr.ibm.com):
> From: Daniel Lezcano <dlezcano at fr.ibm.com>
>
> For the moment, I only made this patch for the RFC. It shows how simple it is
> to hook different socket syscalls. This patch denies bind to any addresses
> which are not in the container IPV4 address list, except for the INADDR_ANY.
>
> Signed-off-by: Daniel Lezcano <dlezcano at fr.ibm.com>
>
> ---
> kernel/container_network.c | 66 +++++++++++++++++++++++----------------------
> 1 file changed, 35 insertions(+), 31 deletions(-)
>
> Index: 2.6-mm/kernel/container_network.c
> ===================================================================
> --- 2.6-mm.orig/kernel/container_network.c
> +++ 2.6-mm/kernel/container_network.c
> @@ -12,6 +12,9 @@
> #include <linux/list.h>
> #include <linux/spinlock.h>
> #include <linux/security.h>
> +#include <linux/in.h>
> +#include <linux/net.h>
> +#include <linux/socket.h>
>
> struct network {
> struct container_subsys_state css;
> @@ -53,24 +56,14 @@
>
> static int network_socket_create(int family, int type, int protocol, int kern)
> {
> - struct network *network;
> -
> - network = task_network(current);
> - if (!network || network == &top_network)
> - return 0;
> -
> + /* nothing to do right now */
> return 0;
> }
>
> static int network_socket_post_create(struct socket *sock, int family,
> int type, int protocol, int kern)
> {
> - struct network *network;
> -
> - network = task_network(current);
> - if (!network || network == &top_network)
> - return 0;
> -
> + /* nothing to do right now */
> return 0;
> }
>
> @@ -79,47 +72,58 @@
Please so send -p diffs. I'll assume this is network_socket_bind()
given your patch description :)
> int addrlen)
> {
> struct network *network;
> + struct list_head *l;
> + rwlock_t *lock;
> + struct ipv4_list *entry;
> + __be32 addr;
> + int ret = -EPERM;
>
> + /* Do nothing for the root container */
> network = task_network(current);
> if (!network || network == &top_network)
> return 0;
>
> - return 0;
> + /* Check we have to do some filtering */
> + if (sock->ops->family != AF_INET)
> + return 0;
> +
> + l = &network->ipv4_list;
> + lock = &network->ipv4_list_lock;
> + addr = ((struct sockaddr_in *)address)->sin_addr.s_addr;
> +
> + if (addr == INADDR_ANY)
In bsdjail, if addr == INADDR_ANY, I set addr = jailaddr. Do you think
you want to do that?
> + return 0;
> +
> + read_lock(lock);
> + list_for_each_entry(entry, l, list) {
> + if (entry->address != addr)
> + continue;
> + ret = 0;
> + break;
> + }
> + read_unlock(lock);
> +
> + return ret;
> }
>
> static int network_socket_connect(struct socket * sock,
> struct sockaddr * address,
> int addrlen)
> {
> - struct network *network;
> -
> - network = task_network(current);
> - if (!network || network == &top_network)
> - return 0;
> -
> + /* nothing to do right now */
> return 0;
> }
>
> static int network_socket_listen(struct socket * sock, int backlog)
> {
> - struct network *network;
> -
> - network = task_network(current);
> - if (!network || network == &top_network)
> - return 0;
> -
> + /* nothing to do right now */
> return 0;
> }
>
> static int network_socket_accept(struct socket *sock,
> struct socket *newsock)
> {
> - struct network *network;
> -
> - network = task_network(current);
> - if (!network || network == &top_network)
> - return 0;
> -
> + /* nothing to do right now */
> return 0;
> }
>
>
> --
> _______________________________________________
> Containers mailing list
> Containers at lists.linux-foundation.org
> https://lists.linux-foundation.org/mailman/listinfo/containers
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
More information about the Devel
mailing list