[PATCH] net/unix: don't show information about sockets from other namespaces

[PATCH] net/unix: don't show information about sockets from other namespaces

[Andrei Vagin]

socket_diag shows information only about sockets from a namespace where
a diag socket lives.

But if we request information about one unix socket, the kernel don't
check that its netns is matched with a diag socket namespace, so any
user can get information about any unix socket in a system. This looks
like a bug.

Signed-off-by: Andrei Vagin <avagin@openvz.org>
---
 net/unix/diag.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/unix/diag.c b/net/unix/diag.c
index 4d96797..384c84e 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -257,6 +257,8 @@ static int unix_diag_get_exact(struct sk_buff *in_skb,
 	err = -ENOENT;
 	if (sk == NULL)
 		goto out_nosk;
+	if (!net_eq(sock_net(sk), net))
+		goto out;
 
 	err = sock_diag_check_cookie(sk, req->udiag_cookie);
 	if (err)
-- 
2.9.4

Re: [PATCH] net/unix: don't show information about sockets from other namespaces

[Eric Dumazet]

On Wed, 2017-10-25 at 00:17 -0700, Andrei Vagin wrote:
> socket_diag shows information only about sockets from a namespace where
> a diag socket lives.
> 
> But if we request information about one unix socket, the kernel don't
> check that its netns is matched with a diag socket namespace, so any
> user can get information about any unix socket in a system. This looks
> like a bug.

Then if this a bug please provide a Fixes: tag

This way, we can know exact cutoff for backports.

I suspect that would be 

Fixes: 51d7cccf0723 ("net: make sock diag per-namespace")

Thanks.

[PATCH v2] net/unix: don't show information about sockets from other namespaces

[Andrei Vagin]

socket_diag shows information only about sockets from a namespace where
a diag socket lives.

But if we request information about one unix socket, the kernel don't
check that its netns is matched with a diag socket namespace, so any
user can get information about any unix socket in a system. This looks
like a bug.

v2: add a Fixes tag

Fixes: 51d7cccf0723 ("net: make sock diag per-namespace")
Signed-off-by: Andrei Vagin <avagin@openvz.org>
---
 net/unix/diag.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/unix/diag.c b/net/unix/diag.c
index 4d9679701a6d..384c84e83462 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -257,6 +257,8 @@ static int unix_diag_get_exact(struct sk_buff *in_skb,
 	err = -ENOENT;
 	if (sk == NULL)
 		goto out_nosk;
+	if (!net_eq(sock_net(sk), net))
+		goto out;
 
 	err = sock_diag_check_cookie(sk, req->udiag_cookie);
 	if (err)
-- 
2.13.6

Re: [PATCH] net/unix: don't show information about sockets from other namespaces

[Andrei Vagin]

On Wed, Oct 25, 2017 at 06:37:16AM -0700, Eric Dumazet wrote:
> On Wed, 2017-10-25 at 00:17 -0700, Andrei Vagin wrote:
> > socket_diag shows information only about sockets from a namespace where
> > a diag socket lives.
> > 
> > But if we request information about one unix socket, the kernel don't
> > check that its netns is matched with a diag socket namespace, so any
> > user can get information about any unix socket in a system. This looks
> > like a bug.
> 
> Then if this a bug please provide a Fixes: tag
> 
> This way, we can know exact cutoff for backports.
> 
> I suspect that would be 
> 
> Fixes: 51d7cccf0723 ("net: make sock diag per-namespace")

Thank you, Eric. It's my fault, I forgot to add it.

> 
> Thanks.
> 
> 

Re: [PATCH v2] net/unix: don't show information about sockets from other namespaces

[David Miller]

From: Andrei Vagin <avagin@openvz.org>
Date: Wed, 25 Oct 2017 10:16:42 -0700

> socket_diag shows information only about sockets from a namespace where
> a diag socket lives.
> 
> But if we request information about one unix socket, the kernel don't
> check that its netns is matched with a diag socket namespace, so any
> user can get information about any unix socket in a system. This looks
> like a bug.
> 
> v2: add a Fixes tag
> 
> Fixes: 51d7cccf0723 ("net: make sock diag per-namespace")
> Signed-off-by: Andrei Vagin <avagin@openvz.org>

Applied and queued up for -stable, thanks!