[Devel] [PATCH RH8] ve: Change error code in vz_security_protocol_check to -EPROTONOSUPPORT
Vasily Averin
vvs at virtuozzo.com
Tue May 19 02:28:06 MSK 2020
On 5/18/20 4:53 PM, Valeriy Vdovin wrote:
> 'vz_security_protocol_check' is a part of socket creation routine.
> Socket creation can be split into separate stages:
> - family validation and family specific object creation
> - protocol validation and protocol specific object creation
> First the family argument is validated. If the family is ok, then the code
> can proceed to further work with the protocol argument.
>
> As part of family validation procedure for containers
> vz_security_family_check is called. If family is not supported in
> container environment and the current context is container the
> function returns with -EAFNOSUPPORT code.
>
> As part of protocol validation procedure for containers
> vz_security_protocol_check is called. If protocol is not supported
> in container environment and the current context is container the
> function CURRENTLY returns with -EAFNOSUPPORT code, although by
> context of the current socket preparation step it should instead
> return -EPROTONOSUPPORT.
>
> https://jira.sw.ru/browse/PSBM-104225
> Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
> ---
> kernel/ve/ve.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
> index bf9f06d..a94d9cf 100644
> --- a/kernel/ve/ve.c
> +++ b/kernel/ve/ve.c
> @@ -1059,7 +1059,7 @@ int vz_security_protocol_check(struct net *net, int protocol)
> case IPPROTO_SCTP:
> return 0;
> default:
> - return -EAFNOSUPPORT;
> + return -EPROTONOSUPPORT;
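Review bot: changing the `default:` return from -EAFNOSUPPORT to -EPROTONOSUPPORT is a userspace-visible change in what socket() reports inside a container, so the commit message should name the caller that propagates this value to socket() and say which container tools were checked for not special-casing EAFNOSUPPORT; the justification given is only that the new code "fits the stage" better. The quoted hunk also looks truncated: the header `@@ -1059,7 +1059,7 @@` announces seven lines on each side, but only five are visible after it, so the trailing context lines are missing from the mail and should be resent for review.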
I do not like this change:
this check has worked well for ages, and is well tested by a huge number of tools and applications,
and we change it just to satisfy some new version of _one_ userspace tool,
which is _not_critical_ for us at all.
Please take a look at the old related bugs
https://jira.sw.ru/browse/PSBM-37418
https://jira.sw.ru/browse/PSBM-47413
The last one fixed a similar problem by using the following hunk; it is still present in vz6
@@ -1247,6 +1247,8 @@ int vz_security_protocol_check(int protocol)
case IPPROTO_ESP:
case IPPROTO_AH:
break;
+ case IPPROTO_ICMP:
+ return -EACCES;
default:
return -EAFNOSUPPORT;
}
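Review bot: this vz6 hunk returns -EACCES for the IPPROTO_ICMP arm while the `default:` arm keeps -EAFNOSUPPORT, but nothing in the switch explains why ICMP is treated as a permission denial and every other unlisted protocol as an unsupported family; if the same approach is taken for ICMP6, the new `case IPPROTO_ICMPV6:` arm should sit beside `case IPPROTO_ICMP:` and carry a comment stating that rationale. Note also that this hunk is against `int vz_security_protocol_check(int protocol)`, whereas the RH8 function quoted above is `int vz_security_protocol_check(struct net *net, int protocol)`, so it cannot be applied as-is and a fresh hunk against the RH8 tree would be needed.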
I think it's better to add a similar check for ICMP6 and not change the default error code.
Thank you,
Vasily Averin
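As an added example, not code from this patch or from the Virtuozzo kernel tree, here is a small userspace probe that a container administrator could use to see which stage of socket creation rejected a request, based on the errno distinction the commit message describes: EAFNOSUPPORT for the family stage, EPROTONOSUPPORT for the protocol stage, and EACCES/EPERM for the policy-style denial used by the vz6 ICMP arm. The table of family/type/protocol combinations is constructed for illustration, and the results naturally depend on the kernel and the container in which the probe runs.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Which stage of socket creation rejected the request, inferred from errno.
 * The mapping follows the stages described in the commit message. */
enum sock_stage {
    STAGE_OK = 0,   /* socket() succeeded */
    STAGE_FAMILY,   /* EAFNOSUPPORT: address family rejected */
    STAGE_PROTOCOL, /* EPROTONOSUPPORT: family accepted, protocol rejected */
    STAGE_POLICY,   /* EACCES / EPERM: known protocol, denied by policy or capability */
    STAGE_OTHER     /* anything else (EINVAL, ENOMEM, ...) */
};

enum sock_stage classify_socket_errno(int err)
{
    switch (err) {
    case 0:               return STAGE_OK;
    case EAFNOSUPPORT:    return STAGE_FAMILY;
    case EPROTONOSUPPORT: return STAGE_PROTOCOL;
    case EACCES:
    case EPERM:           return STAGE_POLICY;
    default:              return STAGE_OTHER;
    }
}

const char *stage_name(enum sock_stage s)
{
    static const char *const names[] = {
        "ok", "family rejected", "protocol rejected",
        "denied by policy", "other error"
    };
    return names[s];
}

/* Try to create a socket; close it immediately if it succeeds.
 * Returns 0 on success or the positive errno value on failure. */
int probe_socket(int family, int type, int protocol)
{
    int fd = socket(family, type, protocol);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

int main(void)
{
    /* Constructed probe table: a few combinations a container policy
     * typically distinguishes. Outcomes vary by kernel and container. */
    static const struct {
        const char *label;
        int family, type, protocol;
    } probes[] = {
        { "AF_INET/SOCK_STREAM/TCP",    AF_INET,  SOCK_STREAM, IPPROTO_TCP    },
        { "AF_INET/SOCK_STREAM/SCTP",   AF_INET,  SOCK_STREAM, IPPROTO_SCTP   },
        { "AF_INET/SOCK_RAW/ICMP",      AF_INET,  SOCK_RAW,    IPPROTO_ICMP   },
        { "AF_INET6/SOCK_RAW/ICMPV6",   AF_INET6, SOCK_RAW,    IPPROTO_ICMPV6 },
        { "AF_INET/SOCK_STREAM/9999",   AF_INET,  SOCK_STREAM, 9999           },
    };
    size_t n = sizeof(probes) / sizeof(probes[0]);

    for (size_t i = 0; i < n; i++) {
        int err = probe_socket(probes[i].family, probes[i].type, probes[i].protocol);
        printf("%-28s errno=%-3d (%s) -> %s\n", probes[i].label, err,
               err ? strerror(err) : "success",
               stage_name(classify_socket_errno(err)));
    }
    return 0;
}
```

Running this inside and outside a container shows directly whether a denied protocol is reported as an unsupported family, an unsupported protocol, or a policy denial, which is exactly the distinction userspace tools end up depending on.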