From: Jiri Benc <jbenc@redhat.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: netdev@vger.kernel.org, ktkhai@virtuozzo.com,
	stephen@networkplumber.org, w.bumiller@proxmox.com,
	ebiederm@xmission.com, nicolas.dichtel@6wind.com,
	linux-kernel@vger.kernel.org, dsahern@gmail.com,
	davem@davemloft.net
Subject: Re: [PATCH net 1/1 v3] rtnetlink: require unique netns identifier
Date: Wed, 7 Feb 2018 12:19:25 +0100
Message-ID: <20180207121925.5fa1e534@redhat.com>
In-Reply-To: <20180206131902.31937-2-christian.brauner@ubuntu.com>

On Tue,  6 Feb 2018 14:19:02 +0100, Christian Brauner wrote:
> +/* Verify that rtnetlink requests supporting network namespace ids
> + * do not pass additional properties potentially referring to different
> + * network namespaces.
> + */
> +static int rtnl_ensure_unique_netns(struct nlattr *tb[],
> +				    struct netlink_ext_ack *extack)
> +{
> +	/* Requests without network namespace ids have been able to specify
> +	 * multiple properties referring to different network namespaces so
> +	 * don't regress them.
> +	 */
> +	if (!tb[IFLA_IF_NETNSID])
> +		return 0;

I agree with Eric that we should enforce this also for the existing
pid/fd attributes.

> +
> +	/* Caller operates on the current network namespace. */
> +	if (!tb[IFLA_NET_NS_PID] && !tb[IFLA_NET_NS_FD])
> +		return 0;
> +
> +	NL_SET_ERR_MSG(extack, "multiple netns identifying attributes specified");
> +	return -EINVAL;
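Review bot: the early return on !tb[IFLA_IF_NETNSID] at the top of rtnl_ensure_unique_netns means a request carrying both IFLA_NET_NS_PID and IFLA_NET_NS_FD, with no netnsid, still returns 0, so the function name promises more than it enforces. The inner comment explains the no-regression intent, but the header comment above the function should say explicitly that only the combination of IFLA_IF_NETNSID with a pid or fd attribute is rejected, or the helper should be named for that narrower check. The extack string could also name the attributes involved so the sender can tell which ones conflict.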

But if we don't reach an agreement on that, this version is the next
best one. No reason to compare the namespaces whether they're the same,
a message with more than one such attribute is just invalid.

> @@ -2649,6 +2675,10 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
>  	if (err < 0)
>  		return err;
>  
> +	err = rtnl_ensure_unique_netns(tb, extack);
> +	if (err < 0)
> +		return err;
> +
>  	if (tb[IFLA_IFNAME])
>  		nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
>  
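Review bot: in rtnl_dellink the new call only rejects IFLA_NET_NS_PID or IFLA_NET_NS_FD when IFLA_IF_NETNSID is also present, because the helper returns 0 as soon as tb[IFLA_IF_NETNSID] is unset. A delete request that carries just a pid or fd attribute therefore gets past this check, and nothing in the visible lines shows it being rejected or honoured afterwards. If this handler does not act on those attributes, reject them here unconditionally with their own extack message rather than relying on the shared helper.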
> @@ -3045,6 +3079,10 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
>  	if (err < 0)
>  		return err;
>  
> +	err = rtnl_ensure_unique_netns(tb, extack);
> +	if (err < 0)
> +		return err;
> +
>  	if (tb[IFLA_IF_NETNSID]) {
>  		netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]);
>  		tgt_net = get_target_net(NETLINK_CB(skb).sk, netnsid);

dellink and getlink support only netnsid, we should just reject a
message with pid or fd set.

 Jiri

Thread overview: 5+ messages
2018-02-06 13:19 [PATCH net 0/1 v3] rtnetlink: require unique netns identifier Christian Brauner
2018-02-06 13:19 ` [PATCH net 1/1 " Christian Brauner
2018-02-07 11:19   ` Jiri Benc [this message]
2018-02-07 11:50     ` Christian Brauner
2018-02-07 15:20       ` Eric W. Biederman
