[Devel] [PATCH 1/2 RH7 v2] netlink: protect NETLINK_REPAIR2
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu Oct 29 17:55:01 MSK 2020
For both patches in v2:
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
On 10/29/20 3:22 PM, Andrey Zhadchenko wrote:
> Prevent using netlink repair mode from containers.
>
> Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
> ---
>
> v2: added ve_struct *ve to get rid of second get_exec_env call
>
> net/netlink/af_netlink.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index 7b3de33..6c99bca 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -1529,6 +1529,13 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
>
> switch (optname) {
> case NETLINK_REPAIR2:
> +#ifdef CONFIG_VE
> + {
> + struct ve_struct *ve = get_exec_env();
> + if (!ve_is_super(ve) && !ve->is_pseudosuper)
> + return -ENOPROTOOPT;
> + }
> +#endif
> if (val)
> nlk->flags |= NETLINK_F_REPAIR;
> else
>
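Review bot: the new block returns -ENOPROTOOPT when the caller is neither the host (ve_is_super) nor a pseudosuper VE, which makes the option look unsupported rather than denied; if the intent is to hide NETLINK_REPAIR2 from containers that is fine, but a short comment above the `#ifdef CONFIG_VE` should say why the pseudosuper container is exempted, since a reader of the `case NETLINK_REPAIR2:` arm otherwise cannot tell whether `is_pseudosuper` is a deliberate restore-time escape hatch or an oversight. The brace block inside the case arm also reads better as a small helper (e.g. a `ve_may_netlink_repair(ve)` style predicate, name hypothetical) that compiles to `true` when CONFIG_VE is off, which would remove the `#ifdef` from the middle of the switch and keep the single `get_exec_env()` call that v2 introduced.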
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.