[Devel] [PATCH 1/2 RH7 v2] netlink: protect NETLINK_REPAIR2

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Thu Oct 29 15:22:19 MSK 2020


Prevent using netlink repair mode from containers.

Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---

v2: added ve_struct *ve to get rid of second get_exec_env call

 net/netlink/af_netlink.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 7b3de33..6c99bca 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1529,6 +1529,13 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
 
 	switch (optname) {
 	case NETLINK_REPAIR2:
+#ifdef CONFIG_VE
+		{
+			struct ve_struct *ve = get_exec_env();
+			if (!ve_is_super(ve) && !ve->is_pseudosuper)
+				return -ENOPROTOOPT;
+		}
+#endif
 		if (val)
 			nlk->flags |= NETLINK_F_REPAIR;
 		else
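Review bot: The new check under `case NETLINK_REPAIR2:` returns `-ENOPROTOOPT`, which a caller inside a container cannot tell apart from an unsupported option. If this is a privilege denial, `-EPERM` would say so; if hiding the option is intended, a one-line comment should state that. Neither the code nor the commit message explains why `ve->is_pseudosuper` is exempt, so a short comment on that condition would help later readers. On style, add a blank line after the `struct ve_struct *ve = get_exec_env();` declaration, and consider moving the `#ifdef CONFIG_VE` block into a small helper so the switch body carries no preprocessor conditional or bare brace scope.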
-- 
1.8.3.1


