[From nobody Tue Oct  6 12:00:01 2015
X-Account-Key: account1
X-Mozilla-Keys: 
Received: from finist_rh6.work.ct ([10.30.4.40])
	by relay.sw.ru (8.13.4/8.13.4) with ESMTP id s77JprYq011883;
	Thu, 7 Aug 2014 23:51:53 +0400 (MSK)
Date: Thu, 7 Aug 2014 23:51:53 +0400
Message-ID: &lt;201408071951.s77JprYq011883@relay.sw.ru&gt;
Content-Type: multipart/mixed; boundary=&quot;===============4258178761526648822==&quot;
MIME-Version: 1.0
Subject: [PATCH COMMIT]
	diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT
From: &lt;khorenko@parallels.com&gt;
To: &lt;ktkhai@parallels.com&gt;
CC: &lt;vzlin-dev@lists.sw.ru&gt;, &lt;xemul@parallels.com&gt;, &lt;khorenko@parallels.com&gt;
In-Reply-To: &lt;20140703140750.12308.11300.stgit@tkhai&gt;
References: &lt;20140703140750.12308.11300.stgit@tkhai&gt;

--===============4258178761526648822==
Content-Type: text/plain; charset=&quot;us-ascii&quot;
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

* diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT
Added to 042stab093_2

ve/net/netfilter/ipset: prohibit ipset from the inside CT

Currently a CT owner can configure ipset rules, which are not virtualized and
therefore affect the whole Hardware Node.

We are going to virtualize ipset in PCS7 (3.10-x, PSBM-27793),
let's prohibit ipset configuration from inside a CT in PCS6 (2.6.32-x).

https://jira.sw.ru/browse/PSBM-27792
https://bugzilla.openvz.org/show_bug.cgi?id=2644

Signed-off-by: Kirill Tkhai &lt;ktkhai@parallels.com&gt;

---


--===============4258178761526648822==
Content-Type: text/plain; charset=&quot;us-ascii&quot;
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=&quot;diff-ve-netfilter-ipset-prohibit-ipset-from-the-inside-CT&quot;

---
 net/netfilter/ipset/ip_set_core.c |   38 +++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 2fcd993..db49896 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -638,6 +638,9 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
 	u32 flags = flag_exist(nlh);
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr) ||
 		     attr[IPSET_ATTR_SETNAME] == NULL ||
 		     attr[IPSET_ATTR_TYPENAME] == NULL ||
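Review bot: The guard added at the top of ip_set_create carries no comment, and the same three lines are repeated verbatim in ip_set_destroy, ip_set_flush, ip_set_rename, ip_set_swap, ip_set_dump, ip_set_uadd, ip_set_udel, ip_set_utest, ip_set_header, ip_set_type, ip_set_protocol and ip_set_sockfn_get. A reader who knows that nfnetlink already performs a CAP_NET_ADMIN check will not see why a second, VE-level test lives in every handler, so the first occurrence should explain it: `/* ipset is not virtualized: sets are global to the node, so refuse every command from inside a CT (PSBM-27792) */`. Because the read-only queries (ip_set_header, ip_set_type, ip_set_protocol) are rejected as well, the comment should say every command is refused, not only configuration. Folding the test into one file-scope `static inline bool ip_set_ve_allowed(void)` that each handler calls would keep the policy in a single place and make it harder for a future handler to omit the check; ip_set_create's body continues beyond the hunk.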
@@ -758,6 +761,9 @@ ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
 	ip_set_id_t i;
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr)))
 		return -IPSET_ERR_PROTOCOL;
 
@@ -822,6 +828,9 @@ ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
 {
 	ip_set_id_t i;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr)))
 		return -IPSET_ERR_PROTOCOL;
 
@@ -861,6 +870,9 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
 	ip_set_id_t i;
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr) ||
 		     attr[IPSET_ATTR_SETNAME] == NULL ||
 		     attr[IPSET_ATTR_SETNAME2] == NULL))
@@ -909,6 +921,9 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
 	ip_set_id_t from_id, to_id;
 	char from_name[IPSET_MAXNAMELEN];
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr) ||
 		     attr[IPSET_ATTR_SETNAME] == NULL ||
 		     attr[IPSET_ATTR_SETNAME2] == NULL))
@@ -1123,6 +1138,9 @@ ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
 	    const struct nlmsghdr *nlh,
 	    const struct nlattr * const attr[])
 {
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr)))
 		return -IPSET_ERR_PROTOCOL;
 
@@ -1214,6 +1232,9 @@ ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
 	bool use_lineno;
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr) ||
 		     attr[IPSET_ATTR_SETNAME] == NULL ||
 		     !((attr[IPSET_ATTR_DATA] != NULL) ^
@@ -1268,6 +1289,9 @@ ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
 	bool use_lineno;
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr) ||
 		     attr[IPSET_ATTR_SETNAME] == NULL ||
 		     !((attr[IPSET_ATTR_DATA] != NULL) ^
@@ -1319,6 +1343,9 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
 	struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr) ||
 		     attr[IPSET_ATTR_SETNAME] == NULL ||
 		     attr[IPSET_ATTR_DATA] == NULL ||
@@ -1356,6 +1383,9 @@ ip_set_header(struct sock *ctnl, struct sk_buff *skb,
 	ip_set_id_t index;
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr) ||
 		     attr[IPSET_ATTR_SETNAME] == NULL))
 		return -IPSET_ERR_PROTOCOL;
@@ -1413,6 +1443,9 @@ ip_set_type(struct sock *ctnl, struct sk_buff *skb,
 	const char *typename;
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(protocol_failed(attr) ||
 		     attr[IPSET_ATTR_TYPENAME] == NULL ||
 		     attr[IPSET_ATTR_FAMILY] == NULL))
@@ -1469,6 +1502,9 @@ ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
 	struct nlmsghdr *nlh2;
 	int ret = 0;
 
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
 		return -IPSET_ERR_PROTOCOL;
 
@@ -1586,6 +1622,8 @@ ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
 
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
 	if (optval != SO_IP_SET)
 		return -EBADF;
 	if (*len &lt; sizeof(unsigned))
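Review bot: The VE test in ip_set_sockfn_get is ordered after the CAP_NET_ADMIN test, which matches the netlink handlers, but the getsockopt and nfnetlink control paths are not the only way a container could reach node-global sets: the kernel-internal lookups used by the xt_set match (ip_set_nfnl_get and the by-index variants in this file) are not touched by this diff, so whether a CT can still reference node sets from its own iptables rules is worth confirming before treating the prohibition as complete. If that path is intentionally left open, a one-line comment at this guard saying so would save the next reader the same question. ip_set_sockfn_get's body continues beyond the hunk.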



--===============4258178761526648822==--
]