[Devel] [PATCH 4/5] veth: add ability to prevent changing of a mac address from a container

Andrew Vagin avagin at openvz.org
Thu May 28 04:06:59 PDT 2015


Add the SIOCSFIXEDADDR ioctl.

If we want to forbid changing the mac address of a veth device,
we need to call this ioctl and set ifr_ifru.ifru_flags to 1.

And we need to set ifr_ifru.ifru_flags to 0 to allow changing mac address.

This ioctl is protected by CAP_NET_ADMIN.

Signed-off-by: Andrew Vagin <avagin at openvz.org>
---
 drivers/net/veth.c              |   17 ++++++++++++++++-
 include/linux/netdev_features.h |    2 ++
 include/uapi/linux/veth.h       |    1 +
 3 files changed, 19 insertions(+), 1 deletions(-)

diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 7f98a05..1d85174 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -274,6 +274,14 @@ static void veth_dev_free(struct net_device *dev)
 	free_netdev(dev);
 }
 
+static int veth_mac_addr(struct net_device *dev, void *p)
+{
+	if (dev->features & NETIF_F_VENET &&
+	    dev->features & NETIF_F_FIXED_ADDR)
+		return -EPERM;
+	return eth_mac_addr(dev, p);
+}
+
 static int vzethdev_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 {
 	if (!capable(CAP_NET_ADMIN))
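Review bot: veth_mac_addr refuses the change only when both NETIF_F_VENET and NETIF_F_FIXED_ADDR are set, while the SIOCSFIXEDADDR case in the following hunk sets NETIF_F_FIXED_ADDR on any device and returns 0, so on a device without NETIF_F_VENET the caller is told the address was pinned when in fact nothing is enforced. Either the ioctl should reject devices that lack NETIF_F_VENET, `if (!(dev->features & NETIF_F_VENET)) return -EINVAL;` before toggling the bit, or the VENET condition should be dropped here so the flag means the same thing everywhere. A one-line comment above the function stating which side of the pair the check is meant to protect would also help, since the hunk does not show which veth devices carry NETIF_F_VENET. vzethdev_net_ioctl begins here but its body continues outside the hunk.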
@@ -294,6 +302,13 @@ static int vzethdev_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd
 
 		return 0;
 	}
+	case SIOCSFIXEDADDR:
+		if (ifr->ifr_ifru.ifru_flags)
+			dev->features |= NETIF_F_FIXED_ADDR;
+		else
+			dev->features &= ~NETIF_F_FIXED_ADDR;
+		return 0;
+	}
 	return -ENOTTY;
 }
 
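Review bot: The new SIOCSFIXEDADDR case clears NETIF_F_FIXED_ADDR whenever ifru_flags is zero, and the only guard on this path is the `capable(CAP_NET_ADMIN)` check at the top of vzethdev_net_ioctl shown in the previous hunk; if that check is satisfied by CAP_NET_ADMIN held inside the container, the container can unset the flag itself and then change the address, which defeats the purpose stated in the commit message. I cannot tell from the hunk whether capable() is scoped to the host in this tree; if it is not, this case needs an additional host-only check (whatever this tree uses to identify the host environment) before the flag is touched, and the commit message should say who is allowed to toggle it. The enclosing switch and function start outside this hunk.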
@@ -304,7 +319,7 @@ static const struct net_device_ops veth_netdev_ops = {
 	.ndo_start_xmit      = veth_xmit,
 	.ndo_change_mtu      = veth_change_mtu,
 	.ndo_get_stats64     = veth_get_stats64,
-	.ndo_set_mac_address = eth_mac_addr,
+	.ndo_set_mac_address = veth_mac_addr,
 	.ndo_do_ioctl        = vzethdev_net_ioctl,
 };
 
diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h
index 2d72a7a..5c2e191 100644
--- a/include/linux/netdev_features.h
+++ b/include/linux/netdev_features.h
@@ -64,6 +64,7 @@ enum {
 	NETIF_F_HW_VLAN_STAG_FILTER_BIT,/* Receive filtering on VLAN STAGs */
 	NETIF_F_VENET_BIT,		/* device is venet device */
 	NETIF_F_VIRTUAL_BIT,		/* can be registered inside VE */
+	NETIF_F_FIXED_ADDR_BIT,
 
 	/*
 	 * Add your fresh new feature above and remember to update
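Review bot: The added `NETIF_F_FIXED_ADDR_BIT` is the only entry in this enum without the trailing comment that every neighbouring bit carries, so a reader has no way to learn its meaning without finding the veth driver. Suggest `NETIF_F_FIXED_ADDR_BIT,		/* MAC address may not be changed from a VE */` to match the existing style. The enum continues outside the hunk.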
@@ -120,6 +121,7 @@ enum {
 #define NETIF_F_HW_VLAN_STAG_TX	__NETIF_F(HW_VLAN_STAG_TX)
 #define NETIF_F_VENET		__NETIF_F(VENET)
 #define NETIF_F_VIRTUAL		__NETIF_F(VIRTUAL)
+#define NETIF_F_FIXED_ADDR	__NETIF_F(FIXED_ADDR)
 
 /* Features valid for ethtool to change */
 /* = all defined minus driver/device-class-related */
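Review bot: Putting this policy bit in dev->features makes it a feature flag, and the "Features valid for ethtool to change" mask that begins right after this hunk is described as "all defined minus driver/device-class-related"; I cannot see from the hunk whether NETIF_F_FIXED_ADDR is excluded from that set. If it is not, it is worth confirming that no ethtool feature-toggling path (or any other writer of dev->features in this tree) can clear the bit, since the whole protection rests on it staying set. Either add NETIF_F_FIXED_ADDR to the exclusion list below or note in a comment next to the define why a features bit, rather than driver-private state, was chosen.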
diff --git a/include/uapi/linux/veth.h b/include/uapi/linux/veth.h
index 27e7795..b331a38 100644
--- a/include/uapi/linux/veth.h
+++ b/include/uapi/linux/veth.h
@@ -19,5 +19,6 @@ enum {
 };
 
 #define SIOCSVENET	(SIOCDEVPRIVATE + 0xf)
+#define SIOCSFIXEDADDR	(SIOCDEVPRIVATE + 0xe)
 
 #endif
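Review bot: The new SIOCSFIXEDADDR define is a user-facing contract but carries no description of its argument, while the commit message is the only place saying that ifru_flags nonzero pins the address and zero releases it. Suggest `/* ifru_flags: nonzero forbids changing the MAC address, zero allows it */` above the define. The value SIOCDEVPRIVATE + 0xe sits below the existing SIOCSVENET at + 0xf in a range of only sixteen private numbers; please confirm no other private ioctl in this tree already uses + 0xe, since the hunk cannot show that.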
-- 
1.7.1



