From: Christian Brauner
To: netdev@vger.kernel.org
Cc: ebiederm@xmission.com, davem@davemloft.net, dsahern@gmail.com, fw@strlen.de, daniel@iogearbox.net, lucien.xin@gmail.com, mschiffer@universe-factory.net, jakub.kicinski@netronome.com, vyasevich@gmail.com, linux-kernel@vger.kernel.org, jbenc@redhat.com, w.bumiller@proxmox.com, nicolas.dichtel@6wind.com, Christian Brauner
Subject: [PATCH net-next 1/3 V1] rtnetlink: enable IFLA_IF_NETNSID in do_setlink()
Date: Wed, 24 Jan 2018 15:26:32 +0100
Message-Id: <20180124142634.17766-2-christian.brauner@ubuntu.com>
In-Reply-To: <20180124142634.17766-1-christian.brauner@ubuntu.com>
References: <20180124142634.17766-1-christian.brauner@ubuntu.com>

RTM_{NEW,SET}LINK already allow operations on other network namespaces by identifying the target network namespace through IFLA_NET_NS_{FD,PID} properties. This is done by looking for the corresponding properties in do_setlink(). Extend do_setlink() to also look for the IFLA_IF_NETNSID property. This introduces no functional changes since all callers of do_setlink() currently block IFLA_IF_NETNSID by reporting an error before they reach do_setlink().

This introduces the helpers:

    static struct net *rtnl_link_get_net_by_nlattr(struct net *src_net, struct nlattr *tb[])
    static struct net *rtnl_link_get_net_capable(const struct sk_buff *skb, struct net *src_net, struct nlattr *tb[], int cap)

to simplify permission checks and target network namespace retrieval for RTM_* requests that already support IFLA_NET_NS_{FD,PID} but get extended to IFLA_IF_NETNSID. To preserve backwards compatibility the helpers look for IFLA_NET_NS_{FD,PID} properties first before checking for IFLA_IF_NETNSID.
Signed-off-by: Christian Brauner --- net/core/rtnetlink.c | 54 +++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 47 insertions(+), 7 deletions(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 16d644a4f974..54134187485b 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1893,6 +1893,49 @@ struct net *rtnl_link_get_net(struct net *src_net, struct nlattr *tb[]) } EXPORT_SYMBOL(rtnl_link_get_net); +/* Figure out which network namespace we are talking about by + * examining the link attributes in the following order: + * + * 1. IFLA_NET_NS_PID + * 2. IFLA_NET_NS_FD + * 3. IFLA_IF_NETNSID + */ +static struct net *rtnl_link_get_net_by_nlattr(struct net *src_net, + struct nlattr *tb[]) +{ + struct net *net; + + if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) + return rtnl_link_get_net(src_net, tb); + + if (!tb[IFLA_IF_NETNSID]) + return get_net(src_net); + + net = get_net_ns_by_id(src_net, nla_get_u32(tb[IFLA_IF_NETNSID])); + if (!net) + return ERR_PTR(-EINVAL); + + return net; +} + +static struct net *rtnl_link_get_net_capable(const struct sk_buff *skb, + struct net *src_net, + struct nlattr *tb[], int cap) +{ + struct net *net; + + net = rtnl_link_get_net_by_nlattr(src_net, tb); + if (IS_ERR(net)) + return net; + + if (!netlink_ns_capable(skb, net->user_ns, cap)) { + put_net(net); + return ERR_PTR(-EPERM); + } + + return net; +} + static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[]) { if (dev) { 
@@ -2155,17 +2198,14 @@ static int do_setlink(const struct sk_buff *skb, const struct net_device_ops *ops = dev->netdev_ops; int err; - if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) { - struct net *net = rtnl_link_get_net(dev_net(dev), tb); + if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD] || tb[IFLA_IF_NETNSID]) { + struct net *net = rtnl_link_get_net_capable(skb, dev_net(dev), + tb, CAP_NET_ADMIN); if (IS_ERR(net)) { err = PTR_ERR(net); goto errout; } - if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) { - put_net(net); - err = -EPERM; - goto errout; - } + err = dev_change_net_namespace(dev, net, ifname); put_net(net); if (err) -- 2.14.1
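Review bot: in the first hunk (@@ -1893,6 +1893,49 @@), rtnl_link_get_net_by_nlattr() silently ignores IFLA_IF_NETNSID whenever IFLA_NET_NS_PID or IFLA_NET_NS_FD is also present, so a caller that sends conflicting targets is moved to the PID/FD namespace and gets no error. A request that already carries IFLA_IF_NETNSID cannot come from a pre-existing caller, so the backwards-compatibility argument does not require accepting the mix; returning `ERR_PTR(-EINVAL)` when IFLA_IF_NETNSID is combined with either of the other two would be safer than picking one. Neither comment says that the returned struct net carries a reference (`get_net(src_net)` / `get_net_ns_by_id()`) that the caller must drop with put_net(), which the `put_net(net);` on the EPERM path in rtnl_link_get_net_capable() shows is the contract; please add that to the comment block, and note there that the CAP_NET_ADMIN check is made against the target namespace's `net->user_ns`, not the caller's.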
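Review bot: in the second hunk (@@ -2155,17 +2198,14 @@), `if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD] || tb[IFLA_IF_NETNSID])` repeats the attribute selection that rtnl_link_get_net_capable() performs internally, so the helper's `return get_net(src_net);` fallback is unreachable from do_setlink(). The outer test is still needed so that dev_change_net_namespace() is not called when no target was requested, so keep it, but a one-line comment saying that is why it is there would stop a later cleanup from dropping one of the two checks and changing behaviour. The "no functional changes" claim depends on every caller of do_setlink() rejecting IFLA_IF_NETNSID before this point; none of those guards appears in this diff, so naming the call sites in the commit message would let the follow-up patch that removes them be reviewed against this one.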
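The commit message above describes the attribute precedence the new helper applies (IFLA_NET_NS_PID, then IFLA_NET_NS_FD, then IFLA_IF_NETNSID) and the move-to-namespace request that this patch makes possible. The program below is an added example, not code from the patch, the series or the kernel tree: it builds the RTM_SETLINK request a userspace client would send to move an interface into the namespace selected by IFLA_IF_NETNSID, and mirrors the helper's precedence rule in a small attribute walker so the conflicting-attribute case can be seen from the client side. Assumptions: the IFLA_IF_NETNSID fallback value 46 is used only if the installed uapi headers predate the attribute; the netns id is carried as a 32-bit attribute, matching the nla_get_u32() read in the patch; the interface index, netns id and fd number in the self-check are constructed values; the enum and function names are this example's own.

```c
/* Added example, not from the patch or the kernel tree: build the RTM_SETLINK
 * request that IFLA_IF_NETNSID support in do_setlink() enables, and mirror
 * the new helper's attribute precedence in userspace. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if_link.h>

#ifndef IFLA_IF_NETNSID
#define IFLA_IF_NETNSID 46 /* assumption: value in the Linux 4.15 uapi if_link.h */
#endif

enum target_kind { TARGET_INVALID = -1, TARGET_SELF, TARGET_PID, TARGET_FD, TARGET_NETNSID };

/* Append one attribute; -EMSGSIZE if it does not fit in maxlen. */
static int add_attr(struct nlmsghdr *nlh, size_t maxlen, int type, const void *data, size_t len)
{
	size_t off = NLMSG_ALIGN(nlh->nlmsg_len), need = off + NLA_HDRLEN + NLA_ALIGN(len);
	struct nlattr *nla = (struct nlattr *)((char *)nlh + off);

	if (need > maxlen)
		return -EMSGSIZE;
	nla->nla_type = type;
	nla->nla_len = NLA_HDRLEN + len;
	memcpy((char *)nla + NLA_HDRLEN, data, len);
	nlh->nlmsg_len = need;
	return 0;
}

/* "Move ifindex into the netns with id netnsid", carrying only IFLA_IF_NETNSID;
 * returns the message length or a negative errno. */
int build_setlink_netnsid(void *buf, size_t maxlen, int ifindex, int32_t netnsid)
{
	struct nlmsghdr *nlh = buf;
	struct ifinfomsg *ifm;
	int err;

	if (maxlen < NLMSG_SPACE(sizeof(*ifm)))
		return -EMSGSIZE;
	memset(buf, 0, NLMSG_SPACE(sizeof(*ifm)));
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*ifm));
	nlh->nlmsg_type = RTM_SETLINK;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	ifm = NLMSG_DATA(nlh);
	ifm->ifi_family = AF_UNSPEC;
	ifm->ifi_index = ifindex;
	err = add_attr(nlh, maxlen, IFLA_IF_NETNSID, &netnsid, sizeof(netnsid));
	return err ? err : (int)nlh->nlmsg_len;
}

/* Userspace mirror of rtnl_link_get_net_by_nlattr(): report which attribute
 * selects the target netns, in the patch's order PID, then FD, then NETNSID. */
enum target_kind pick_target(const struct nlmsghdr *nlh, int32_t *value)
{
	const char *p = (const char *)nlh + NLMSG_SPACE(sizeof(struct ifinfomsg));
	const char *end = (const char *)nlh + nlh->nlmsg_len;
	const struct nlattr *pid = NULL, *fd = NULL, *nsid = NULL, *pick;

	while (p + NLA_HDRLEN <= end) {
		const struct nlattr *nla = (const struct nlattr *)p;

		if (nla->nla_len < NLA_HDRLEN || p + nla->nla_len > end)
			return TARGET_INVALID; /* never read past a malformed length */
		switch (nla->nla_type & NLA_TYPE_MASK) {
		case IFLA_NET_NS_PID: pid = nla; break;
		case IFLA_NET_NS_FD:  fd = nla; break;
		case IFLA_IF_NETNSID: nsid = nla; break;
		}
		p += NLA_ALIGN(nla->nla_len);
	}
	pick = pid ? pid : fd ? fd : nsid;
	if (!pick)
		return TARGET_SELF; /* no target attribute: stay in the caller's netns */
	if (pick->nla_len != NLA_HDRLEN + sizeof(int32_t))
		return TARGET_INVALID;
	memcpy(value, (const char *)pick + NLA_HDRLEN, sizeof(*value));
	return pick == pid ? TARGET_PID : pick == fd ? TARGET_FD : TARGET_NETNSID;
}

/* Conflicting IFLA_NET_NS_FD and IFLA_IF_NETNSID in one request: the FD wins,
 * which is the backwards-compatibility rule the commit message states. */
enum target_kind demo_precedence(void)
{
	uint32_t buf[64], fd = 5; /* constructed fd number, never used as a descriptor */
	int32_t v;

	if (build_setlink_netnsid(buf, sizeof(buf), 2, 9) < 0 ||
	    add_attr((struct nlmsghdr *)buf, sizeof(buf), IFLA_NET_NS_FD, &fd, sizeof(fd)))
		return TARGET_INVALID;
	return pick_target((struct nlmsghdr *)buf, &v);
}
```

To submit the message, open an AF_NETLINK, SOCK_RAW socket with protocol NETLINK_ROUTE, sendto() the buffer to a zeroed struct sockaddr_nl, and read the NLMSG_ERROR reply: its error field is 0 on an ACK or the kernel's negative errno, for example -EPERM when the caller lacks CAP_NET_ADMIN in the target namespace's user namespace, which is the netlink_ns_capable() check rtnl_link_get_net_capable() performs in the patch. On a kernel without this patch, do_setlink()'s callers reject a request carrying IFLA_IF_NETNSID before the move is attempted.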