On 11/23/2016 02:34 AM, Andrew Vagin wrote:
On Thu, Oct 27, 2016 at 06:50:17PM +0300, Pavel Tikhomirov wrote:
While reproducing the problem mentioned in patch 1 I found that
we need it to be able to configure vxlan fdb

https://jira.sw.ru/browse/PSBM-53629
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
 include/linux/ve.h   |  4 ++--
 kernel/ve/ve.c       | 11 ++++++++++-
 net/core/rtnetlink.c |  4 ++--
 net/socket.c         |  2 +-
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/include/linux/ve.h b/include/linux/ve.h
index ad40726..edff7e4 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -160,7 +160,7 @@ extern struct kobject * kobject_create_and_add_ve(const 
char *name,

 extern struct kmapset_set ve_sysfs_perms;

-extern int vz_security_family_check(struct net *net, int family);
+extern int vz_security_family_check(struct net *net, int family, int type);
 extern int vz_security_protocol_check(struct net *net, int protocol);

 extern struct task_struct *kthread_create_on_node_ve(struct ve_struct *ve,
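Review bot: The new `type` parameter of `vz_security_family_check` is left undocumented in the header, and its meaning cannot be read off the name: the rtnetlink callers pass `nlh->nlmsg_type`, while `__sock_create` in net/socket.c passes a literal 0. A comment on the declaration would keep that contract visible to future callers, e.g. `/* type: rtnetlink nlmsg_type of the request, or 0 when called from socket creation */` above the `extern int vz_security_family_check(...)` line; the same applies to the inline stub in the second hunk of this file and to the definition in kernel/ve/ve.c. A more specific parameter name such as `nlmsg_type` would also make the 0 at the socket.c call site read as "no netlink message" rather than as a magic value.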
@@ -247,7 +247,7 @@ static inline void ve_mount_nr_dec(void)

 #define ve_uevent_seqnum uevent_seqnum

-static inline int vz_security_family_check(struct net *net, int family) { 
return 0; }
+static inline int vz_security_family_check(struct net *net, int family, int 
type) { return 0; }
 static inline int vz_security_protocol_check(struct net *net, int protocol) { 
return 0; }

 #define ve_utsname     system_utsname
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 8afff3d..df42759 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -41,6 +41,7 @@
 #include <uapi/linux/vzcalluser.h>
 #include <linux/venet.h>
 #include <linux/vziptable_defs.h>
+#include <net/rtnetlink.h>

 static struct kmem_cache *ve_cachep;

@@ -180,7 +181,7 @@ EXPORT_SYMBOL(get_ve_by_id);
 EXPORT_SYMBOL(ve_list_lock);
 EXPORT_SYMBOL(ve_list_head);

-int vz_security_family_check(struct net *net, int family)
+int vz_security_family_check(struct net *net, int family, int type)

Do you know why we need vz_security_family_check() in rhel7?

That is the whitelist of protocols we support in a VE; we need to virtualize (or at least check) all protocols we want to allow here.


 {
        if (ve_is_super(net->owner_ve))
                return 0;
@@ -195,6 +196,14 @@ int vz_security_family_check(struct net *net, int family)
        case PF_PPPOX:
        case PF_KEY:
                return 0;
+       case PF_BRIDGE:
+               if (type)
+                       switch (type) {
+                               case RTM_NEWNEIGH:
+                               case RTM_DELNEIGH:
+                               case RTM_GETNEIGH:
+                                       return 0;
+                       }
        default:
                return -EAFNOSUPPORT;
        }
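Review bot: The `case PF_BRIDGE:` arm falls into `default:` for every non-neighbour message without a fallthrough marker, so a reader can mistake the missing `break` for a bug even though refusing the other PF_BRIDGE requests (and the type-0 socket-creation path from net/socket.c) appears to be the intent. Add `/* fallthrough: other PF_BRIDGE requests stay refused */` right after the inner switch's closing brace. The `if (type)` guard is redundant: a `switch` on 0 with no matching case and no `default` does nothing, so `switch (type)` alone behaves identically and reads more plainly. vz_security_family_check begins before this hunk, so its remaining arms are not visible here.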
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 8e72446..1ba3a9d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2325,7 +2325,7 @@ static int rtnl_dump_all(struct sk_buff *skb, struct 
netlink_callback *cb)
                if (rtnl_msg_handlers[idx] == NULL ||
                    rtnl_msg_handlers[idx][type].dumpit == NULL)
                        continue;
-               if (vz_security_family_check(net, idx))
+               if (vz_security_family_check(net, idx, cb->nlh->nlmsg_type))
                        continue;
                if (idx > s_idx) {
                        memset(&cb->args[0], 0, sizeof(cb->args));
@@ -3040,7 +3040,7 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct 
nlmsghdr *nlh)
                return 0;

        family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
-       if (vz_security_family_check(net, family))
+       if (vz_security_family_check(net, family, nlh->nlmsg_type))
                return -EAFNOSUPPORT;

        sz_idx = type>>2;
diff --git a/net/socket.c b/net/socket.c
index 7ec5de5..bb96466 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1264,7 +1264,7 @@ int __sock_create(struct net *net, int family, int type, 
int protocol,
        }

        /* VZ compatibility layer */
-       err = vz_security_family_check(net, family);
+       err = vz_security_family_check(net, family, 0);
        if (err < 0)
                return err;

--
2.7.4


--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.