From: Christian Brauner
To: netdev@vger.kernel.org
Cc: ktkhai@virtuozzo.com, stephen@networkplumber.org, w.bumiller@proxmox.com, ebiederm@xmission.com, jbenc@redhat.com, nicolas.dichtel@6wind.com, linux-kernel@vger.kernel.org, dsahern@gmail.com, davem@davemloft.net, Christian Brauner
Subject: [PATCH net 1/1 v3] rtnetlink: require unique netns identifier
Date: Tue, 6 Feb 2018 14:19:02 +0100
Message-Id: <20180206131902.31937-2-christian.brauner@ubuntu.com>
In-Reply-To: <20180206131902.31937-1-christian.brauner@ubuntu.com>

Since we've added support for IFLA_IF_NETNSID for RTM_{DEL,GET,SET,NEW}LINK it is possible for userspace to send us requests with three different properties to identify a target network namespace. This affects at least RTM_{NEW,SET}LINK. Each of them could potentially refer to a different network namespace which is confusing and a potential security liability given that pids might be recycled while the netlink request is served or the process might do a setns.

It also lets us indicate that network namespace ids are the preferred way of interacting with network namespaces in rtnetlink requests.

The regression potential is quite minimal since the rtnetlink requests in question either won't allow IFLA_IF_NETNSID requests before 4.16 is out (RTM_{NEW,SET}LINK) or don't support IFLA_NET_NS_{PID,FD} (RTM_{DEL,GET}LINK) in the first place.

Signed-off-by: Christian Brauner
---
ChangeLog v2->v3:
* Specifying target network namespaces with pids or fds seems racy since the
  process might die and the pid get recycled or the process does a setns() in
  which case the tests would be invalid. So only check whether multiple
  properties are specified and report a helpful error in this case.
ChangeLog v1->v2:
* return errno when the specified network namespace id is invalid
* fill in struct netlink_ext_ack if the network namespace id is invalid
* rename rtnl_ensure_unique_netns_attr() to rtnl_ensure_unique_netns() to
  indicate that a request without any network namespace identifying
  attributes is also considered valid.
ChangeLog v0->v1:
* report a descriptive error to userspace via struct netlink_ext_ack
* do not fail when multiple properties specify the same network namespace
---
 net/core/rtnetlink.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 56af8e41abfc..d7c3c8e266a3 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1951,6 +1951,28 @@ static struct net *rtnl_link_get_net_capable(const struct sk_buff *skb, return net; } +/* Verify that rtnetlink requests supporting network namespace ids + * do not pass additional properties potentially referring to different + * network namespaces. + */ +static int rtnl_ensure_unique_netns(struct nlattr *tb[], + struct netlink_ext_ack *extack) +{ + /* Requests without network namespace ids have been able to specify + * multiple properties referring to different network namespaces so + * don't regress them. + */ + if (!tb[IFLA_IF_NETNSID]) + return 0; + + /* Caller operates on the current network namespace. */ + if (!tb[IFLA_NET_NS_PID] && !tb[IFLA_NET_NS_FD]) + return 0; + + NL_SET_ERR_MSG(extack, "multiple netns identifying attributes specified"); + return -EINVAL; +} + static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[]) { if (dev) { 
@@ -2553,6 +2575,10 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh, if (err < 0) goto errout; + err = rtnl_ensure_unique_netns(tb, extack); + if (err < 0) + goto errout; + if (tb[IFLA_IFNAME]) nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ); else @@ -2649,6 +2675,10 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, if (err < 0) return err; + err = rtnl_ensure_unique_netns(tb, extack); + if (err < 0) + return err; + if (tb[IFLA_IFNAME]) nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ); @@ -2802,6 +2832,10 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, if (err < 0) return err; + err = rtnl_ensure_unique_netns(tb, extack); + if (err < 0) + return err; + if (tb[IFLA_IFNAME]) nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ); else @@ -3045,6 +3079,10 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh, if (err < 0) return err; + err = rtnl_ensure_unique_netns(tb, extack); + if (err < 0) + return err; + if (tb[IFLA_IF_NETNSID]) { netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]); tgt_net = get_target_net(NETLINK_CB(skb).sk, netnsid); -- 2.14.1
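
Review bot: In rtnl_ensure_unique_netns() (hunk @@ -1951), the comment "Caller operates on the current network namespace." above the second early return does not match the state at that point. The first check has already returned for requests without IFLA_IF_NETNSID, so a netns id is present here and the request targets the namespace that id names. Reword the comment to say that the netns id is the only identifier given, so nothing can conflict. The extack string could also name the offending combination (IFLA_IF_NETNSID together with IFLA_NET_NS_PID or IFLA_NET_NS_FD) so userspace knows which attribute to drop.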
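
Review bot: In the rtnl_dellink() hunk (@@ -2649), and likewise the rtnl_getlink() one (@@ -3045), the helper returns 0 whenever IFLA_IF_NETNSID is absent, so a request carrying only IFLA_NET_NS_PID or IFLA_NET_NS_FD still passes the check even though the description says RTM_{DEL,GET}LINK do not support those attributes. Consider a stricter variant for these two handlers that rejects IFLA_NET_NS_PID and IFLA_NET_NS_FD outright, or state in the helper's comment that leaving them unchecked on these paths is intentional.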