Received: by 10.223.176.5 with SMTP id f5csp619795wra;
        Wed, 7 Feb 2018 04:54:50 -0800 (PST)
X-Google-Smtp-Source: AH8x2267/w4J+By14HFAxtfRSE4WyZnn6xtWeSDma7qDkWm2hq8jJeCcOM/DRmrS28ZqRiOQviWG
X-Received: by 10.101.69.67 with SMTP id x3mr4898158pgr.69.1518008090375;
        Wed, 07 Feb 2018 04:54:50 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518008090; cv=none;
        d=google.com; s=arc-20160816;
        b=ZnKorDzVmYvJ2G7R7KVQQjuO1N5f0CcAFkMVeleREb107GI/mwgA3QBhGdva/oO1aA
         Px18hyqJg6nYSWhvBEatJpgoELI2di7rgfHCVcyKSLat5zn9kSZjKBWj2U+JeAm9mAXW
         Ma2K4eSM3pl88ieWaRNuuTAbvo4vI7A6atbYabVdtKjFBwS/Q/0W8iafD4knWTiB8YSW
         yqbGhd01swr1g+J9jjBDWuhc4HUqXCnnnX+/ciJA+uMZbVRKeBdy2pY2Uw/nUJswUrpg
         JgSOwWsGS3NdKLPqMc7SC+lcq9J0lMQ4AkEY8ZtFqphKawpmVHEHk74UeCSNw8Ho7Hs1
         1lfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:arc-authentication-results;
        bh=Ktc++6vrdeiTbO4EslcPub5J55UMQpypEekSi7Hj7ZI=;
        b=J/KcjKwpAzyWyiP7GHjCQuQo1sP9NO8uy61HrPjTBjvuL3PFwboa9WVRfNThDjEe5Y
         wx6l7omRRIwyBHvS0oXqes0NvcBae32EqRjwYfAVyEJmtaehLkXXyZNqqIFLbEhPo4vq
         ygEpb35rS9HCzflx7UGQXWzL0p4NpKM/5bum3CX4jEDnWhvnyuVr9HjRsymyUldgK6ul
         HQrmOPd53g+cUrR8OOeyPxLEtd+bw+t+ROpMRLIznlf9YAx9B5VUOCH+tOKYBLY32hE/
         r7EAI2nSbCbhtWpaxT99xcKgI0zM04LH4ISvCbEO1/gokM4HYuIMVfGokDBv/wzhzF09
         GTLQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z20-v6si1042028plo.73.2018.02.07.04.54.36;
        Wed, 07 Feb 2018 04:54:50 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754061AbeBGMxp (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Wed, 7 Feb 2018 07:53:45 -0500
Received: from mail-wm0-f67.google.com ([74.125.82.67]:35331 "EHLO
        mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753630AbeBGMx0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 7 Feb 2018 07:53:26 -0500
Received: by mail-wm0-f67.google.com with SMTP id r78so3152897wme.0;
        Wed, 07 Feb 2018 04:53:25 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=Ktc++6vrdeiTbO4EslcPub5J55UMQpypEekSi7Hj7ZI=;
        b=MUyvr/N8zq2E0D3uSE+hhGNcMVFZ36BIJI5ukM/bDFxo01CIwlJr40sZJL4Iw2Puc1
         HkYQXbGoSDYtypY16E/F3dWYzobCMBJw1ojtO6vaHYwsSmOxReqHXd42xMQy+/08rkHe
         JpssoLTvkMZJdvcSZWTaowFZOosyYzpgn7WglxU5yQBvxIuMDfVu30YDqcguzp5MbVQ+
         oTtc3vBWyDqZj7Yi+hPAMxayBk5lzMo38rc3mXshUHtQzxDIG7jLBUHBM2ITMipX6uGi
         vhtIoRTTzJgOra68uJa3SOffdKZNpPjLSom6q3KUvKKy97tHEC9HRRsPt22h/kSJThSx
         Ahaw==
X-Gm-Message-State: APf1xPD/fk5IWwWOeBMjQlPPjR5vLVmOmpnfd0g6VeUZeHeoJfmG4cqF
        7Prhjm2mzFxnCSLsHVOwG1wjjV2VKCE=
X-Received: by 10.28.69.87 with SMTP id s84mr4471228wma.107.1518008004652;
        Wed, 07 Feb 2018 04:53:24 -0800 (PST)
Received: from localhost.localdomain (eap108072.extern.uni-tuebingen.de. [134.2.108.72])
        by smtp.gmail.com with ESMTPSA id 78sm2382905wmm.22.2018.02.07.04.53.23
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 07 Feb 2018 04:53:24 -0800 (PST)
From:   Christian Brauner <christian.brauner@ubuntu.com>
To:     netdev@vger.kernel.org
Cc:     ktkhai@virtuozzo.com, stephen@networkplumber.org,
        w.bumiller@proxmox.com, ebiederm@xmission.com, jbenc@redhat.com,
        nicolas.dichtel@6wind.com, linux-kernel@vger.kernel.org,
        dsahern@gmail.com, davem@davemloft.net,
        Christian Brauner <christian.brauner@ubuntu.com>
Subject: [PATCH net 1/1 v4] rtnetlink: require unique netns identifier
Date:   Wed,  7 Feb 2018 13:53:20 +0100
Message-Id: <20180207125320.9103-2-christian.brauner@ubuntu.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20180207125320.9103-1-christian.brauner@ubuntu.com>
References: <20180207125320.9103-1-christian.brauner@ubuntu.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Since we've added support for IFLA_IF_NETNSID for RTM_{DEL,GET,SET,NEW}LINK
it is possible for userspace to send us requests with three different
properties to identify a target network namespace. This affects at least
RTM_{NEW,SET}LINK. Each of them could potentially refer to a different
network namespace which is confusing. For legacy reasons the kernel will
pick the IFLA_NET_NS_PID property first and then look for the
IFLA_NET_NS_FD property but there is no reason to extend this type of
behavior to network namespace ids. The regression potential is quite
minimal since the rtnetlink requests in question either won't allow
IFLA_IF_NETNSID requests before 4.16 is out (RTM_{NEW,SET}LINK) or don't
support IFLA_NET_NS_{PID,FD} (RTM_{DEL,GET}LINK) in the first place.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
ChangeLog v3->v4:
* Based on discussions with Eric and Jiri: disallow passing multiple network
  namespace identifying properties for all requests, i.e. always enforce
  uniqueness.
* disable passing IFLA_NET_NS_{FD,PID} for RTM_{DEL,GET}LINK completely since
  they never supported it
ChangeLog v2->v3:
* Specifying target network namespaces with pids or fds seems racy since the
  process might die and the pid get recycled or the process does a setns() in
  which case the tests would be invalid. So only check whether multiple
  properties are specified and report a helpful error in this case.
ChangeLog v1->v2:
* return errno when the specified network namespace id is invalid
* fill in struct netlink_ext_ack if the network namespace id is invalid
* rename rtnl_ensure_unique_netns_attr() to rtnl_ensure_unique_netns() to
  indicate that a request without any network namespace identifying attributes
  is also considered valid.
ChangeLog v0->v1:
* report a descriptive error to userspace via struct netlink_ext_ack
* do not fail when multiple properties specifiy the same network namespace
---
 net/core/rtnetlink.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 56af8e41abfc..bc290413a49d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1951,6 +1951,38 @@ static struct net *rtnl_link_get_net_capable(const struct sk_buff *skb,
 	return net;
 }
 
+/* Verify that rtnetlink requests do not pass additional properties
+ * potentially referring to different network namespaces.
+ */
+static int rtnl_ensure_unique_netns(struct nlattr *tb[],
+				    struct netlink_ext_ack *extack,
+				    bool netns_id_only)
+{
+
+	if (netns_id_only) {
+		if (!tb[IFLA_NET_NS_PID] && !tb[IFLA_NET_NS_FD])
+			return 0;
+
+		NL_SET_ERR_MSG(extack, "specified netns attribute not supported");
+		return -EOPNOTSUPP;
+	}
+
+	if (tb[IFLA_IF_NETNSID] && (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]))
+		goto invalid_attr;
+
+	if (tb[IFLA_NET_NS_PID] && (tb[IFLA_IF_NETNSID] || tb[IFLA_NET_NS_FD]))
+		goto invalid_attr;
+
+	if (tb[IFLA_NET_NS_FD] && (tb[IFLA_IF_NETNSID] || tb[IFLA_NET_NS_PID]))
+		goto invalid_attr;
+
+	return 0;
+
+invalid_attr:
+	NL_SET_ERR_MSG(extack, "multiple netns identifying attributes specified");
+	return -EINVAL;
+}
+
 static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[])
 {
 	if (dev) {
@@ -2553,6 +2585,10 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (err < 0)
 		goto errout;
 
+	err = rtnl_ensure_unique_netns(tb, extack, false);
+	if (err < 0)
+		goto errout;
+
 	if (tb[IFLA_IFNAME])
 		nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
 	else
@@ -2649,6 +2685,10 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (err < 0)
 		return err;
 
+	err = rtnl_ensure_unique_netns(tb, extack, true);
+	if (err < 0)
+		return err;
+
 	if (tb[IFLA_IFNAME])
 		nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
 
@@ -2802,6 +2842,10 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (err < 0)
 		return err;
 
+	err = rtnl_ensure_unique_netns(tb, extack, false);
+	if (err < 0)
+		return err;
+
 	if (tb[IFLA_IFNAME])
 		nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
 	else
@@ -3045,6 +3089,10 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (err < 0)
 		return err;
 
+	err = rtnl_ensure_unique_netns(tb, extack, true);
+	if (err < 0)
+		return err;
+
 	if (tb[IFLA_IF_NETNSID]) {
 		netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]);
 		tgt_net = get_target_net(NETLINK_CB(skb).sk, netnsid);
-- 
2.14.1