[Devel] [PATCH 1/2 RH7] netlink: protect NETLINK_REPAIR2
Andrey Zhadchenko
andrey.zhadchenko at virtuozzo.com
Thu Oct 29 12:36:00 MSK 2020
Prevent using netlink repair mode from containers.
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
net/netlink/af_netlink.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7b3de33..dff6e5f 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1529,6 +1529,11 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
switch (optname) {
case NETLINK_REPAIR2:
+#ifdef CONFIG_VE
+ if (!ve_is_super(get_exec_env()) &&
+ !get_exec_env()->is_pseudosuper)
+ return -ENOPROTOOPT;
+#endif
if (val)
nlk->flags |= NETLINK_F_REPAIR;
else
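Review bot: in the NETLINK_REPAIR2 case the refusal is returned as -ENOPROTOOPT, which tells a caller inside a container that the option does not exist rather than that it is not permitted. If hiding the option from containers is the intent, say so in a comment above the `#ifdef CONFIG_VE` block and in the commit message; otherwise -EPERM is the usual code for a privilege failure. The guard sits before the `if (val)` test, so it rejects clearing NETLINK_F_REPAIR as well as setting it, which is worth stating explicitly. get_exec_env() is called twice in the condition; caching the result in a local would read better and guarantees both tests look at the same environment. The commit message would also benefit from one sentence on why repair mode must not be reachable from a container and why the is_pseudosuper case is exempt.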
--
1.8.3.1