* [PATCH net-next 0/5] sock_diag: monitor packet sockets
@ 2013-04-23 14:27 Nicolas Dichtel
  2013-04-23 14:27 ` [PATCH net-next 1/5] packet_diag: disclose uid value Nicolas Dichtel
                   ` (4 more replies)
  0 siblings, 5 replies; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-23 14:27 UTC (permalink / raw)
  To: netdev; +Cc: davem

The goal of this patchset is to be able to monitor packet sockets.
The two first patches add new attributes for packet_diag subsystem, so that all
information exported via the /proc/net/packet are also exported via netlink.
The third patch allows the user to get details about filter attached to a packet
socket.
Then, the two last one enable sockets monitoring. A netlink message is sent each
time a packet socket is created, deleted or when the filter information are
updated.

As usual, the patch against iproute2 will be sent once the patches are included and
net-next merged. I can send it on demand.
With this series, the ss tool can monitor packet socket activity.

 include/linux/sock_diag.h        |  4 +++
 include/uapi/linux/packet_diag.h |  5 +++
 include/uapi/linux/sock_diag.h   | 13 +++++++-
 net/core/filter.c                |  3 ++
 net/core/sock_diag.c             | 68 ++++++++++++++++++++++++++++++++++++++++
 net/packet/af_packet.c           |  4 +++
 net/packet/diag.c                | 49 +++++++++++++++++++++++++----
 7 files changed, 139 insertions(+), 7 deletions(-)

Comments are welcome.

Regards,
Nicolas


* [PATCH net-next 1/5] packet_diag: disclose uid value
  2013-04-23 14:27 [PATCH net-next 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
@ 2013-04-23 14:27 ` Nicolas Dichtel
  2013-04-23 14:27 ` [PATCH net-next 2/5] packet_diag: disclose meminfo values Nicolas Dichtel
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-23 14:27 UTC (permalink / raw)
  To: netdev; +Cc: davem, Nicolas Dichtel

This value is disclosed via /proc/net/packet but not via netlink messages.
The goal is to have the same level of information.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/uapi/linux/packet_diag.h |  1 +
 net/packet/diag.c                | 19 ++++++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index afafd70..84f83a4 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -32,6 +32,7 @@ enum {
 	PACKET_DIAG_RX_RING,
 	PACKET_DIAG_TX_RING,
 	PACKET_DIAG_FANOUT,
+	PACKET_DIAG_UID,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/packet/diag.c b/net/packet/diag.c
index d3fcd1e..04c8219 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -125,8 +125,10 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb)
 	return ret;
 }
 
-static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct packet_diag_req *req,
-		u32 portid, u32 seq, u32 flags, int sk_ino)
+static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
+			struct packet_diag_req *req,
+			struct user_namespace *user_ns,
+			u32 portid, u32 seq, u32 flags, int sk_ino)
 {
 	struct nlmsghdr *nlh;
 	struct packet_diag_msg *rp;
@@ -147,6 +149,11 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct packet_diag
 			pdiag_put_info(po, skb))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_INFO) &&
+	    nla_put_u32(skb, PACKET_DIAG_UID,
+			from_kuid_munged(user_ns, sock_i_uid(sk))))
+		goto out_nlmsg_trim;
+
 	if ((req->pdiag_show & PACKET_SHOW_MCLIST) &&
 			pdiag_put_mclist(po, skb))
 		goto out_nlmsg_trim;
@@ -183,9 +190,11 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
 		if (num < s_num)
 			goto next;
 
-		if (sk_diag_fill(sk, skb, req, NETLINK_CB(cb->skb).portid,
-					cb->nlh->nlmsg_seq, NLM_F_MULTI,
-					sock_i_ino(sk)) < 0)
+		if (sk_diag_fill(sk, skb, req,
+				 sk_user_ns(NETLINK_CB(cb->skb).sk),
+				 NETLINK_CB(cb->skb).portid,
+				 cb->nlh->nlmsg_seq, NLM_F_MULTI,
+				 sock_i_ino(sk)) < 0)
 			goto done;
 next:
 		num++;
-- 
1.8.2.1


* [PATCH net-next 2/5] packet_diag: disclose meminfo values
  2013-04-23 14:27 [PATCH net-next 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
  2013-04-23 14:27 ` [PATCH net-next 1/5] packet_diag: disclose uid value Nicolas Dichtel
@ 2013-04-23 14:27 ` Nicolas Dichtel
  2013-04-23 14:27 ` [PATCH net-next 3/5] sock_diag: allow to dump bpf filters Nicolas Dichtel
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-23 14:27 UTC (permalink / raw)
  To: netdev; +Cc: davem, Nicolas Dichtel

sk_rmem_alloc is disclosed via /proc/net/packet but not via netlink messages.
The goal is to have the same level of information.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/uapi/linux/packet_diag.h | 2 ++
 net/packet/diag.c                | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index 84f83a4..c0802c1 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -16,6 +16,7 @@ struct packet_diag_req {
 #define PACKET_SHOW_MCLIST	0x00000002 /* A set of packet_diag_mclist-s */
 #define PACKET_SHOW_RING_CFG	0x00000004 /* Rings configuration parameters */
 #define PACKET_SHOW_FANOUT	0x00000008
+#define PACKET_SHOW_MEMINFO	0x00000010
 
 struct packet_diag_msg {
 	__u8	pdiag_family;
@@ -33,6 +34,7 @@ enum {
 	PACKET_DIAG_TX_RING,
 	PACKET_DIAG_FANOUT,
 	PACKET_DIAG_UID,
+	PACKET_DIAG_MEMINFO,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 04c8219..822fe9b 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -166,6 +166,10 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			pdiag_put_fanout(po, skb))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_MEMINFO) &&
+	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
+		goto out_nlmsg_trim;
+
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
-- 
1.8.2.1


* [PATCH net-next 3/5] sock_diag: allow to dump bpf filters
  2013-04-23 14:27 [PATCH net-next 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
  2013-04-23 14:27 ` [PATCH net-next 1/5] packet_diag: disclose uid value Nicolas Dichtel
  2013-04-23 14:27 ` [PATCH net-next 2/5] packet_diag: disclose meminfo values Nicolas Dichtel
@ 2013-04-23 14:27 ` Nicolas Dichtel
  2013-04-23 15:31   ` Eric Dumazet
  2013-04-23 14:27 ` [PATCH net-next 4/5] sock_diag: notify packet socket creation/deletion Nicolas Dichtel
  2013-04-23 14:27 ` [PATCH net-next 5/5] sock_diag: notify when filter change Nicolas Dichtel
  4 siblings, 1 reply; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-23 14:27 UTC (permalink / raw)
  To: netdev; +Cc: davem, Nicolas Dichtel

This patch allows dumping the BPF filters attached to a socket. For now, only packet
sockets use this feature.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/linux/sock_diag.h        |  2 ++
 include/uapi/linux/packet_diag.h |  2 ++
 net/core/sock_diag.c             | 27 +++++++++++++++++++++++++++
 net/packet/diag.c                |  4 ++++
 4 files changed, 35 insertions(+)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index e8d702e..3957c14 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -22,5 +22,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie);
 void sock_diag_save_cookie(void *sk, __u32 *cookie);
 
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
+int sock_diag_put_filterinfo(struct sock *sk, struct sk_buff *skb,
+			     int attrtype);
 
 #endif
diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index c0802c1..b2cc0cd 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -17,6 +17,7 @@ struct packet_diag_req {
 #define PACKET_SHOW_RING_CFG	0x00000004 /* Rings configuration parameters */
 #define PACKET_SHOW_FANOUT	0x00000008
 #define PACKET_SHOW_MEMINFO	0x00000010
+#define PACKET_SHOW_FILTER	0x00000020
 
 struct packet_diag_msg {
 	__u8	pdiag_family;
@@ -35,6 +36,7 @@ enum {
 	PACKET_DIAG_FANOUT,
 	PACKET_DIAG_UID,
 	PACKET_DIAG_MEMINFO,
+	PACKET_DIAG_FILTER,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index a29e90c..51e75f4 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -49,6 +49,33 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype)
 }
 EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
 
+int sock_diag_put_filterinfo(struct sock *sk, struct sk_buff *skb, int attrtype)
+{
+	struct nlattr *attr;
+	struct sk_filter *filter;
+	unsigned int len;
+	int err = 0;
+
+	rcu_read_lock();
+
+	filter = rcu_dereference(sk->sk_filter);
+	len = filter ? filter->len * sizeof(struct sock_filter) : 0;
+
+	attr = nla_reserve(skb, attrtype, len);
+	if (attr == NULL) {
+		err = -EMSGSIZE;
+		goto out;
+	}
+
+	if (filter)
+		memcpy(nla_data(attr), filter->insns, len);
+
+out:
+	rcu_read_unlock();
+	return err;
+}
+EXPORT_SYMBOL(sock_diag_put_filterinfo);
+
 void sock_diag_register_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh))
 {
 	mutex_lock(&sock_diag_table_mutex);
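Review bot: The memcpy on the `if (filter)` line copies the live `filter->insns` array, which — if this tree still rewrites opcodes in place in sk_chk_filter(), and the fact that sk_get_filter() decodes each instruction with sk_decode_filter() for SO_GET_FILTER suggests it does — holds the kernel-internal encoding rather than the program user space installed. The copy should decode per instruction into the reserved attribute instead of a raw memcpy, so the two ways of reading a filter back agree. A second point: the export on the last added line is `EXPORT_SYMBOL`, while sock_diag_put_meminfo() just above it is `EXPORT_SYMBOL_GPL`; the two helpers should use the same export, and a short header comment saying the attribute is present but zero-length when no filter is attached would document the `len = 0` case. The same hunk is resubmitted unchanged in v2 (the net/core/sock_diag.c hunk of [PATCH net-next v2 3/5]), where this applies as well.
```c
	/* … unchanged: rcu_read_lock(), filter lookup, nla_reserve() and its -EMSGSIZE exit … */
	if (filter) {
		struct sock_filter *fb = nla_data(attr);
		unsigned int i;

		/* insns hold the encoding sk_chk_filter() produced at attach time;
		 * hand user space the original form, as sk_get_filter() does. */
		for (i = 0; i < filter->len; i++)
			sk_decode_filter(&filter->insns[i], &fb[i]);
	}
	/* … unchanged: out: label, rcu_read_unlock(), return err … */
```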
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 822fe9b..ec8b6e8 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -170,6 +170,10 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
+	    sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER))
+		goto out_nlmsg_trim;
+
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
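Review bot: The new PACKET_SHOW_FILTER branch hands the filter program to whoever sets that bit in the request, with no check of the requester's privileges; a filter reveals what traffic another user's capture socket selects, and the UID attribute a few lines above this hunk already shows the pattern of shaping what is reported by who is asking (user_ns). The dump path has the requesting skb (cb->skb in packet_diag_dump()), so a boolean such as `bool may_report_filter`, computed there from a capability check on the requester (e.g. CAP_NET_ADMIN), could be passed into sk_diag_fill() and tested here: `if ((req->pdiag_show & PACKET_SHOW_FILTER) && may_report_filter && sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER))`, reserving an empty attribute when it is false so the reply layout stays stable. sk_diag_fill() starts and ends outside this hunk. The v2 resubmission (net/packet/diag.c hunk of [PATCH net-next v2 3/5]) has the same gap.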
-- 
1.8.2.1


* [PATCH net-next 4/5] sock_diag: notify packet socket creation/deletion
  2013-04-23 14:27 [PATCH net-next 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
                   ` (2 preceding siblings ...)
  2013-04-23 14:27 ` [PATCH net-next 3/5] sock_diag: allow to dump bpf filters Nicolas Dichtel
@ 2013-04-23 14:27 ` Nicolas Dichtel
  2013-04-23 14:27 ` [PATCH net-next 5/5] sock_diag: notify when filter change Nicolas Dichtel
  4 siblings, 0 replies; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-23 14:27 UTC (permalink / raw)
  To: netdev; +Cc: davem, Nicolas Dichtel

With this patch, a netlink message is sent each time a packet socket is created
or deleted.
The framework is generic, so it is easy to add the notification for other kinds of
sockets.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/linux/sock_diag.h      |  2 ++
 include/uapi/linux/sock_diag.h | 13 ++++++++++++-
 net/core/sock_diag.c           | 41 +++++++++++++++++++++++++++++++++++++++++
 net/packet/af_packet.c         |  4 ++++
 net/packet/diag.c              | 28 ++++++++++++++++++++++++----
 5 files changed, 83 insertions(+), 5 deletions(-)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index 3957c14..3c8de5a 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -10,6 +10,7 @@ struct sock;
 struct sock_diag_handler {
 	__u8 family;
 	int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh);
+	int (*notify)(struct sk_buff *skb, struct sock *sk, bool create);
 };
 
 int sock_diag_register(const struct sock_diag_handler *h);
@@ -24,5 +25,6 @@ void sock_diag_save_cookie(void *sk, __u32 *cookie);
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
 int sock_diag_put_filterinfo(struct sock *sk, struct sk_buff *skb,
 			     int attrtype);
+int sock_diag_notify(struct sock *sk, bool create);
 
 #endif
diff --git a/include/uapi/linux/sock_diag.h b/include/uapi/linux/sock_diag.h
index b00e29e..9e9ffa0 100644
--- a/include/uapi/linux/sock_diag.h
+++ b/include/uapi/linux/sock_diag.h
@@ -3,7 +3,18 @@
 
 #include <linux/types.h>
 
-#define SOCK_DIAG_BY_FAMILY 20
+#define SOCK_DIAG_BY_FAMILY	20
+#define SOCK_DIAG_BY_FAMILY_DEL	21
+
+/* SOCK_DIAG multicast groups */
+enum nldiag_groups {
+	NLDIAGGRP_NONE,
+#define NLDIAGGRP_NONE		NLDIAGGRP_NONE
+	NLDIAGGRP_NOTIFY,
+#define NLDIAGGRP_NOTIFY	NLDIAGGRP_NOTIFY
+	__NLDIAGGRP_MAX
+};
+#define NLDIAGGRP_MAX	(__NLDIAGGRP_MAX - 1)
 
 struct sock_diag_req {
 	__u8	sdiag_family;
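Review bot: SOCK_DIAG_BY_FAMILY_DEL and enum nldiag_groups land in a uapi header without a word on how they are used: the rest of the series only ever emits the DEL type on the NLDIAGGRP_NOTIFY multicast group, and if sock_diag_rcv_msg() (outside this hunk) still accepts only SOCK_DIAG_BY_FAMILY, sending it as a request is rejected. A comment on the define, e.g. `/* notification only: sent on NLDIAGGRP_NOTIFY when a socket is destroyed; not a valid request type */`, would save users of the header from guessing. The "SOCK_DIAG multicast groups" comment could likewise say what a subscriber receives (`SOCK_DIAG_BY_FAMILY` on creation and on later updates, `SOCK_DIAG_BY_FAMILY_DEL` on destruction).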
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 51e75f4..fec6e91 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -186,6 +186,47 @@ static void sock_diag_rcv(struct sk_buff *skb)
 	mutex_unlock(&sock_diag_mutex);
 }
 
+int sock_diag_notify(struct sock *sk, bool create)
+{
+	const struct sock_diag_handler *hndl;
+	int err;
+
+	if (sock_diag_handlers[sk->sk_family] == NULL)
+		request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+				NETLINK_SOCK_DIAG, sk->sk_family);
+
+	mutex_lock(&sock_diag_table_mutex);
+	hndl = sock_diag_handlers[sk->sk_family];
+	if (hndl == NULL)
+		err = -ENOENT;
+	else if (hndl->notify == NULL)
+		err = -ENOSYS;
+	else {
+		struct net *net = sock_net(sk);
+		struct sock *nlsk = net->diag_nlsk;
+		struct sk_buff *skb;
+
+		skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+		if (skb == NULL) {
+			err = -ENOBUFS;
+			goto out;
+		}
+
+		err = hndl->notify(skb, sk, create);
+		if (err) {
+			nlmsg_free(skb);
+			goto out;
+		}
+
+		err = nlmsg_notify(nlsk, skb, 0, NLDIAGGRP_NOTIFY, 0,
+				   GFP_KERNEL);
+	}
+out:
+	mutex_unlock(&sock_diag_table_mutex);
+
+	return err;
+}
+
 static int __net_init diag_net_init(struct net *net)
 {
 	struct netlink_kernel_cfg cfg = {
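Review bot: request_module() at the top of sock_diag_notify() runs on every call for which no handler is registered, and the callers added by this series are packet_create()/packet_release() (plus sk_attach_filter()/sk_detach_filter() in 5/5, for every socket family): a system without the family's diag module, or one where modprobe fails, will spawn a modprobe for each socket created, released or filtered. The dump path autoloads because a user asked for that family; a notification has no such requester, so I would not autoload here, or at least skip the whole function when nobody listens, `if (!netlink_has_listeners(sock_net(sk)->diag_nlsk, NLDIAGGRP_NOTIFY)) return 0;` before the request_module() call. The function also sleeps (GFP_KERNEL allocation, mutex, the modprobe wait), so a header comment stating it must be called from process context would help the callers in af_packet.c and filter.c. That header should also give the meaning of `create` (true for creation and for later updates, per 5/5) and say that callers treat the result as best effort.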
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 7e387ff..6b11da1 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -88,6 +88,7 @@
 #include <linux/virtio_net.h>
 #include <linux/errqueue.h>
 #include <linux/net_tstamp.h>
+#include <linux/sock_diag.h>
 
 #ifdef CONFIG_INET
 #include <net/inet_common.h>
@@ -2379,6 +2380,8 @@ static int packet_release(struct socket *sock)
 	if (!sk)
 		return 0;
 
+	sock_diag_notify(sk, 0);
+
 	net = sock_net(sk);
 	po = pkt_sk(sk);
 
@@ -2597,6 +2600,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
 	sock_prot_inuse_add(net, &packet_proto, 1);
 	preempt_enable();
 
+	sock_diag_notify(sk, 1);
 	return 0;
 out:
 	return err;
diff --git a/net/packet/diag.c b/net/packet/diag.c
index ec8b6e8..377a45b 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -128,13 +128,13 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb)
 static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			struct packet_diag_req *req,
 			struct user_namespace *user_ns,
-			u32 portid, u32 seq, u32 flags, int sk_ino)
+			u32 portid, u32 seq, u32 flags, int sk_ino, int cmd)
 {
 	struct nlmsghdr *nlh;
 	struct packet_diag_msg *rp;
 	struct packet_sock *po = pkt_sk(sk);
 
-	nlh = nlmsg_put(skb, portid, seq, SOCK_DIAG_BY_FAMILY, sizeof(*rp), flags);
+	nlh = nlmsg_put(skb, portid, seq, cmd, sizeof(*rp), flags);
 	if (!nlh)
 		return -EMSGSIZE;
 
@@ -149,7 +149,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			pdiag_put_info(po, skb))
 		goto out_nlmsg_trim;
 
-	if ((req->pdiag_show & PACKET_SHOW_INFO) &&
+	if ((req->pdiag_show & PACKET_SHOW_INFO) && user_ns &&
 	    nla_put_u32(skb, PACKET_DIAG_UID,
 			from_kuid_munged(user_ns, sock_i_uid(sk))))
 		goto out_nlmsg_trim;
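Review bot: The added `user_ns &&` guard silently drops PACKET_DIAG_UID when user_ns is NULL, and nothing says why that can happen; the NULL comes from packet_diag_handler_notify() later in this patch, where a multicast message has no requester whose namespace from_kuid_munged() could translate into. A comment on the condition would stop someone from "fixing" it later: `/* user_ns is NULL for multicast notifications: no single requester to translate the uid for, so the attribute is omitted */`. sk_diag_fill() starts and ends outside this hunk.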
@@ -202,7 +202,7 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
 				 sk_user_ns(NETLINK_CB(cb->skb).sk),
 				 NETLINK_CB(cb->skb).portid,
 				 cb->nlh->nlmsg_seq, NLM_F_MULTI,
-				 sock_i_ino(sk)) < 0)
+				 sock_i_ino(sk), SOCK_DIAG_BY_FAMILY) < 0)
 			goto done;
 next:
 		num++;
@@ -237,9 +237,29 @@ static int packet_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
 		return -EOPNOTSUPP;
 }
 
+static int packet_diag_handler_notify(struct sk_buff *skb, struct sock *sk,
+				      bool create)
+{
+	struct packet_diag_req req;
+	int err, cmd;
+
+	memset(&req, 0, sizeof(struct packet_diag_req));
+	if (create) {
+		req.pdiag_show |= PACKET_SHOW_INFO | PACKET_SHOW_MCLIST;
+		req.pdiag_show |= PACKET_SHOW_RING_CFG | PACKET_SHOW_FANOUT;
+		req.pdiag_show |= PACKET_SHOW_MEMINFO | PACKET_SHOW_FILTER;
+		cmd = SOCK_DIAG_BY_FAMILY;
+	} else
+		cmd = SOCK_DIAG_BY_FAMILY_DEL;
+
+	err = sk_diag_fill(sk, skb, &req, NULL, 0, 0, 0, sock_i_ino(sk), cmd);
+	return err > 0 ? 0 : err;
+}
+
 static const struct sock_diag_handler packet_diag_handler = {
 	.family = AF_PACKET,
 	.dump = packet_diag_handler_dump,
+	.notify = packet_diag_handler_notify,
 };
 
 static int __init packet_diag_init(void)
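Review bot: packet_diag_handler_notify() sets PACKET_SHOW_FILTER for create/update notifications, so the full BPF program of every new or re-filtered packet socket in the netns is multicast to all NLDIAGGRP_NOTIFY subscribers regardless of any gating the dump path applies; unless the netlink_kernel_cfg in diag_net_init() (outside this hunk, and not something I can confirm from here) keeps multicast binding restricted to CAP_NET_ADMIN, I would leave PACKET_SHOW_FILTER out of the notification set and let a monitor fetch the filter through a dump. Two smaller things: `memset(&req, 0, sizeof(struct packet_diag_req));` reads better as `memset(&req, 0, sizeof(req));`, and the `if (create) { ... } else cmd = SOCK_DIAG_BY_FAMILY_DEL;` pairs a braced branch with an unbraced one, which kernel style avoids. The `err > 0 ? 0 : err` conversion relies on nlmsg_end() returning the message length on success; a comment saying so would help the next reader.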
-- 
1.8.2.1


* [PATCH net-next 5/5] sock_diag: notify when filter change
  2013-04-23 14:27 [PATCH net-next 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
                   ` (3 preceding siblings ...)
  2013-04-23 14:27 ` [PATCH net-next 4/5] sock_diag: notify packet socket creation/deletion Nicolas Dichtel
@ 2013-04-23 14:27 ` Nicolas Dichtel
  2013-04-24  8:05   ` Cong Wang
  4 siblings, 1 reply; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-23 14:27 UTC (permalink / raw)
  To: netdev; +Cc: davem, Nicolas Dichtel

The filter is advertised in packet diag messages, hence we may update the status
when a filter is changed.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 net/core/filter.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index dad2a17..8b08c7a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -40,6 +40,7 @@
 #include <linux/ratelimit.h>
 #include <linux/seccomp.h>
 #include <linux/if_vlan.h>
+#include <linux/sock_diag.h>
 
 /* No hurry in this branch
  *
@@ -755,6 +756,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
 
 	if (old_fp)
 		sk_filter_uncharge(sk, old_fp);
+	sock_diag_notify(sk, 1);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(sk_attach_filter);
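Review bot: sock_diag_notify() is now called for every socket family that attaches a filter, not only packet sockets as the description says: for families with no diag handler or no loaded diag module, each SO_ATTACH_FILTER reaches request_module() and comes back with -ENOENT or -ENOSYS, and the sk_detach_filter() hunk below has the same property. Since the intent is the packet_diag notification, either check for listeners before doing any work or make the no-handler path cheap, and document the discarded result here: `/* best effort: tell sock_diag listeners the filter changed */`. As far as I can tell both calls run under lock_sock() from sock_setsockopt(), while sock_diag_notify() takes sock_diag_table_mutex and may sleep in request_module(); worth confirming nothing on the dump side takes a socket lock under that mutex. sk_attach_filter() starts outside the hunk.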
@@ -773,6 +775,7 @@ int sk_detach_filter(struct sock *sk)
 		RCU_INIT_POINTER(sk->sk_filter, NULL);
 		sk_filter_uncharge(sk, filter);
 		ret = 0;
+		sock_diag_notify(sk, 1);
 	}
 	return ret;
 }
-- 
1.8.2.1


* Re: [PATCH net-next 3/5] sock_diag: allow to dump bpf filters
  2013-04-23 14:27 ` [PATCH net-next 3/5] sock_diag: allow to dump bpf filters Nicolas Dichtel
@ 2013-04-23 15:31   ` Eric Dumazet
  0 siblings, 0 replies; 39+ messages in thread
From: Eric Dumazet @ 2013-04-23 15:31 UTC (permalink / raw)
  To: Nicolas Dichtel; +Cc: netdev, davem

On Tue, 2013-04-23 at 16:27 +0200, Nicolas Dichtel wrote:
> This patch allows to dump BPF filters attached to a socket. For now, only packet
> sockets use this feature.

A detailed changelog on the security implications of such a change would be
welcome.

Thanks


* Re: [PATCH net-next 5/5] sock_diag: notify when filter change
  2013-04-23 14:27 ` [PATCH net-next 5/5] sock_diag: notify when filter change Nicolas Dichtel
@ 2013-04-24  8:05   ` Cong Wang
  2013-04-24  8:13     ` Nicolas Dichtel
  0 siblings, 1 reply; 39+ messages in thread
From: Cong Wang @ 2013-04-24  8:05 UTC (permalink / raw)
  To: netdev

On Tue, 23 Apr 2013 at 14:27 GMT, Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
> @@ -773,6 +775,7 @@ int sk_detach_filter(struct sock *sk)
>  		RCU_INIT_POINTER(sk->sk_filter, NULL);
>  		sk_filter_uncharge(sk, filter);
>  		ret = 0;
> +		sock_diag_notify(sk, 1);

Should be sock_diag_notify(sk, 0)?

BTW, use 'true' and 'false' instead of '1' and '0'.


* Re: [PATCH net-next 5/5] sock_diag: notify when filter change
  2013-04-24  8:05   ` Cong Wang
@ 2013-04-24  8:13     ` Nicolas Dichtel
  2013-04-24 15:52       ` [PATCH net-next v2 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
  0 siblings, 1 reply; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-24  8:13 UTC (permalink / raw)
  To: Cong Wang; +Cc: netdev

Le 24/04/2013 10:05, Cong Wang a écrit :
> On Tue, 23 Apr 2013 at 14:27 GMT, Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
>> @@ -773,6 +775,7 @@ int sk_detach_filter(struct sock *sk)
>>   		RCU_INIT_POINTER(sk->sk_filter, NULL);
>>   		sk_filter_uncharge(sk, filter);
>>   		ret = 0;
>> +		sock_diag_notify(sk, 1);
>
> Should be sock_diag_notify(sk, 0)?
No, the filter is removed but the socket is still alive.
0 means that the socket is destroyed.

>
> BTW, use 'true' and 'false' instead of '1' and '0'.
Will do.


* [PATCH net-next v2 0/5] sock_diag: monitor packet sockets
  2013-04-24  8:13     ` Nicolas Dichtel
@ 2013-04-24 15:52       ` Nicolas Dichtel
  2013-04-24 15:52         ` [PATCH net-next v2 1/5] packet_diag: disclose uid value Nicolas Dichtel
                           ` (4 more replies)
  0 siblings, 5 replies; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-24 15:52 UTC (permalink / raw)
  To: netdev; +Cc: xiyou.wangcong, eric.dumazet, davem

The goal of this patchset is to be able to monitor packet sockets.
The two first patches add new attributes for packet_diag subsystem, so that all
information exported via the /proc/net/packet are also exported via netlink.
The third patch allows the user to get details about filter attached to a packet
socket.
Then, the two last one enable sockets monitoring. A netlink message is sent each
time a packet socket is created, deleted or when the filter information are
updated.

As usual, the patch against iproute2 will be sent once the patches are included
and net-next merged. I can send it on demand.
With this series, the ss tool can monitor packet socket activity.

v2: add sock_diag_notify_del() to avoid confusion of the meaning of the second
    arg of __sock_diag_notify()
    enhance commitlog of patch 3/5

 include/linux/sock_diag.h        |  6 ++++
 include/uapi/linux/packet_diag.h |  5 +++
 include/uapi/linux/sock_diag.h   | 13 +++++++-
 net/core/filter.c                |  3 ++
 net/core/sock_diag.c             | 68 ++++++++++++++++++++++++++++++++++++++++
 net/packet/af_packet.c           |  4 +++
 net/packet/diag.c                | 49 +++++++++++++++++++++++++----
 7 files changed, 141 insertions(+), 7 deletions(-)

Comments are welcome.

Regards,
Nicolas


* [PATCH net-next v2 1/5] packet_diag: disclose uid value
  2013-04-24 15:52       ` [PATCH net-next v2 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
@ 2013-04-24 15:52         ` Nicolas Dichtel
  2013-04-24 15:52         ` [PATCH net-next v2 2/5] packet_diag: disclose meminfo values Nicolas Dichtel
                           ` (3 subsequent siblings)
  4 siblings, 0 replies; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-24 15:52 UTC (permalink / raw)
  To: netdev; +Cc: xiyou.wangcong, eric.dumazet, davem, Nicolas Dichtel

This value is disclosed via /proc/net/packet but not via netlink messages.
The goal is to have the same level of information.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/uapi/linux/packet_diag.h |  1 +
 net/packet/diag.c                | 19 ++++++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index afafd70..84f83a4 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -32,6 +32,7 @@ enum {
 	PACKET_DIAG_RX_RING,
 	PACKET_DIAG_TX_RING,
 	PACKET_DIAG_FANOUT,
+	PACKET_DIAG_UID,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/packet/diag.c b/net/packet/diag.c
index d3fcd1e..04c8219 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -125,8 +125,10 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb)
 	return ret;
 }
 
-static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct packet_diag_req *req,
-		u32 portid, u32 seq, u32 flags, int sk_ino)
+static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
+			struct packet_diag_req *req,
+			struct user_namespace *user_ns,
+			u32 portid, u32 seq, u32 flags, int sk_ino)
 {
 	struct nlmsghdr *nlh;
 	struct packet_diag_msg *rp;
@@ -147,6 +149,11 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct packet_diag
 			pdiag_put_info(po, skb))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_INFO) &&
+	    nla_put_u32(skb, PACKET_DIAG_UID,
+			from_kuid_munged(user_ns, sock_i_uid(sk))))
+		goto out_nlmsg_trim;
+
 	if ((req->pdiag_show & PACKET_SHOW_MCLIST) &&
 			pdiag_put_mclist(po, skb))
 		goto out_nlmsg_trim;
@@ -183,9 +190,11 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
 		if (num < s_num)
 			goto next;
 
-		if (sk_diag_fill(sk, skb, req, NETLINK_CB(cb->skb).portid,
-					cb->nlh->nlmsg_seq, NLM_F_MULTI,
-					sock_i_ino(sk)) < 0)
+		if (sk_diag_fill(sk, skb, req,
+				 sk_user_ns(NETLINK_CB(cb->skb).sk),
+				 NETLINK_CB(cb->skb).portid,
+				 cb->nlh->nlmsg_seq, NLM_F_MULTI,
+				 sock_i_ino(sk)) < 0)
 			goto done;
 next:
 		num++;
-- 
1.8.2.1


* [PATCH net-next v2 2/5] packet_diag: disclose meminfo values
  2013-04-24 15:52       ` [PATCH net-next v2 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
  2013-04-24 15:52         ` [PATCH net-next v2 1/5] packet_diag: disclose uid value Nicolas Dichtel
@ 2013-04-24 15:52         ` Nicolas Dichtel
  2013-04-24 15:52         ` [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters Nicolas Dichtel
                           ` (2 subsequent siblings)
  4 siblings, 0 replies; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-24 15:52 UTC (permalink / raw)
  To: netdev; +Cc: xiyou.wangcong, eric.dumazet, davem, Nicolas Dichtel

sk_rmem_alloc is disclosed via /proc/net/packet but not via netlink messages.
The goal is to have the same level of information.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/uapi/linux/packet_diag.h | 2 ++
 net/packet/diag.c                | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index 84f83a4..c0802c1 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -16,6 +16,7 @@ struct packet_diag_req {
 #define PACKET_SHOW_MCLIST	0x00000002 /* A set of packet_diag_mclist-s */
 #define PACKET_SHOW_RING_CFG	0x00000004 /* Rings configuration parameters */
 #define PACKET_SHOW_FANOUT	0x00000008
+#define PACKET_SHOW_MEMINFO	0x00000010
 
 struct packet_diag_msg {
 	__u8	pdiag_family;
@@ -33,6 +34,7 @@ enum {
 	PACKET_DIAG_TX_RING,
 	PACKET_DIAG_FANOUT,
 	PACKET_DIAG_UID,
+	PACKET_DIAG_MEMINFO,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 04c8219..822fe9b 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -166,6 +166,10 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			pdiag_put_fanout(po, skb))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_MEMINFO) &&
+	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
+		goto out_nlmsg_trim;
+
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
-- 
1.8.2.1


* [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters
  2013-04-24 15:52       ` [PATCH net-next v2 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
  2013-04-24 15:52         ` [PATCH net-next v2 1/5] packet_diag: disclose uid value Nicolas Dichtel
  2013-04-24 15:52         ` [PATCH net-next v2 2/5] packet_diag: disclose meminfo values Nicolas Dichtel
@ 2013-04-24 15:52         ` Nicolas Dichtel
  2013-04-24 16:22           ` Eric Dumazet
  2013-04-24 15:52         ` [PATCH net-next v2 4/5] sock_diag: notify packet socket creation/deletion Nicolas Dichtel
  2013-04-24 15:52         ` [PATCH net-next v2 5/5] sock_diag: notify when filter change Nicolas Dichtel
  4 siblings, 1 reply; 39+ messages in thread
From: Nicolas Dichtel @ 2013-04-24 15:52 UTC (permalink / raw)
  To: netdev; +Cc: xiyou.wangcong, eric.dumazet, davem, Nicolas Dichtel

This patch allows dumping the BPF filters attached to a socket with
SO_ATTACH_FILTER. In other words, users allowed to open netlink sockets can
see the filters set on a socket (when the diag module of the socket family is
loaded).

For now, only AF_PACKET sockets use this feature.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/linux/sock_diag.h        |  2 ++
 include/uapi/linux/packet_diag.h |  2 ++
 net/core/sock_diag.c             | 27 +++++++++++++++++++++++++++
 net/packet/diag.c                |  4 ++++
 4 files changed, 35 insertions(+)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index e8d702e..3957c14 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -22,5 +22,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie);
 void sock_diag_save_cookie(void *sk, __u32 *cookie);
 
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
+int sock_diag_put_filterinfo(struct sock *sk, struct sk_buff *skb,
+			     int attrtype);
 
 #endif
diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index c0802c1..b2cc0cd 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -17,6 +17,7 @@ struct packet_diag_req {
 #define PACKET_SHOW_RING_CFG	0x00000004 /* Rings configuration parameters */
 #define PACKET_SHOW_FANOUT	0x00000008
 #define PACKET_SHOW_MEMINFO	0x00000010
+#define PACKET_SHOW_FILTER	0x00000020
 
 struct packet_diag_msg {
 	__u8	pdiag_family;
@@ -35,6 +36,7 @@ enum {
 	PACKET_DIAG_FANOUT,
 	PACKET_DIAG_UID,
 	PACKET_DIAG_MEMINFO,
+	PACKET_DIAG_FILTER,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index a29e90c..51e75f4 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -49,6 +49,33 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype)
 }
 EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
 
+int sock_diag_put_filterinfo(struct sock *sk, struct sk_buff *skb, int attrtype)
+{
+	struct nlattr *attr;
+	struct sk_filter *filter;
+	unsigned int len;
+	int err = 0;
+
+	rcu_read_lock();
+
+	filter = rcu_dereference(sk->sk_filter);
+	len = filter ? filter->len * sizeof(struct sock_filter) : 0;
+
+	attr = nla_reserve(skb, attrtype, len);
+	if (attr == NULL) {
+		err = -EMSGSIZE;
+		goto out;
+	}
+
+	if (filter)
+		memcpy(nla_data(attr), filter->insns, len);
+
+out:
+	rcu_read_unlock();
+	return err;
+}
+EXPORT_SYMBOL(sock_diag_put_filterinfo);
+
 void sock_diag_register_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh))
 {
 	mutex_lock(&sock_diag_table_mutex);
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 822fe9b..ec8b6e8 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -170,6 +170,10 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
+	    sock_diag_put_filterinfo(sk, skb, PACKET_DIAG_FILTER))
+		goto out_nlmsg_trim;
+
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
-- 
1.8.2.1


* [PATCH net-next v2 4/5] sock_diag: notify packet socket creation/deletion
  2013-04-24 15:52       ` [PATCH net-next v2 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
                           ` (2 preceding siblings ...)
  2013-04-24 15:52         ` [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters Nicolas Dichtel
@ 2013-04-24 15:52         ` Nicolas Dichtel
From: Nicolas Dichtel @ 2013-04-24 15:52 UTC (permalink / raw)
  To: netdev; +Cc: xiyou.wangcong, eric.dumazet, davem, Nicolas Dichtel

With this patch, a netlink message is sent each time a packet socket is created
or deleted.
The framework is generic, so it is easy to add the notification for other kinds of
sockets.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/linux/sock_diag.h      |  4 ++++
 include/uapi/linux/sock_diag.h | 13 ++++++++++++-
 net/core/sock_diag.c           | 41 +++++++++++++++++++++++++++++++++++++++++
 net/packet/af_packet.c         |  4 ++++
 net/packet/diag.c              | 28 ++++++++++++++++++++++++----
 5 files changed, 85 insertions(+), 5 deletions(-)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index 3957c14..fc580ea 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -10,6 +10,7 @@ struct sock;
 struct sock_diag_handler {
 	__u8 family;
 	int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh);
+	int (*notify)(struct sk_buff *skb, struct sock *sk, bool create);
 };
 
 int sock_diag_register(const struct sock_diag_handler *h);
@@ -24,5 +25,8 @@ void sock_diag_save_cookie(void *sk, __u32 *cookie);
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
 int sock_diag_put_filterinfo(struct sock *sk, struct sk_buff *skb,
 			     int attrtype);
+int __sock_diag_notify(struct sock *sk, bool create);
+#define sock_diag_notify(sk)		__sock_diag_notify(sk, true)
+#define sock_diag_notify_del(sk)	__sock_diag_notify(sk, false)
 
 #endif
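Review bot: The two sock_diag_notify wrappers added here are function-like macros over __sock_diag_notify(); kernel style prefers static inline functions for this so the argument is type-checked, e.g. `static inline int sock_diag_notify(struct sock *sk) { return __sock_diag_notify(sk, true); }` with a matching `sock_diag_notify_del()`. __sock_diag_notify() also carries no kernel-doc, so a one-line comment above its prototype saying that the second argument selects the creation versus deletion message type would make the wrappers self-explanatory.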
diff --git a/include/uapi/linux/sock_diag.h b/include/uapi/linux/sock_diag.h
index b00e29e..9e9ffa0 100644
--- a/include/uapi/linux/sock_diag.h
+++ b/include/uapi/linux/sock_diag.h
@@ -3,7 +3,18 @@
 
 #include <linux/types.h>
 
-#define SOCK_DIAG_BY_FAMILY 20
+#define SOCK_DIAG_BY_FAMILY	20
+#define SOCK_DIAG_BY_FAMILY_DEL	21
+
+/* SOCK_DIAG multicast groups */
+enum nldiag_groups {
+	NLDIAGGRP_NONE,
+#define NLDIAGGRP_NONE		NLDIAGGRP_NONE
+	NLDIAGGRP_NOTIFY,
+#define NLDIAGGRP_NOTIFY	NLDIAGGRP_NOTIFY
+	__NLDIAGGRP_MAX
+};
+#define NLDIAGGRP_MAX	(__NLDIAGGRP_MAX - 1)
 
 struct sock_diag_req {
 	__u8	sdiag_family;
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 51e75f4..24f36c0 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -186,6 +186,47 @@ static void sock_diag_rcv(struct sk_buff *skb)
 	mutex_unlock(&sock_diag_mutex);
 }
 
+int __sock_diag_notify(struct sock *sk, bool create)
+{
+	const struct sock_diag_handler *hndl;
+	int err;
+
+	if (sock_diag_handlers[sk->sk_family] == NULL)
+		request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+				NETLINK_SOCK_DIAG, sk->sk_family);
+
+	mutex_lock(&sock_diag_table_mutex);
+	hndl = sock_diag_handlers[sk->sk_family];
+	if (hndl == NULL)
+		err = -ENOENT;
+	else if (hndl->notify == NULL)
+		err = -ENOSYS;
+	else {
+		struct net *net = sock_net(sk);
+		struct sock *nlsk = net->diag_nlsk;
+		struct sk_buff *skb;
+
+		skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+		if (skb == NULL) {
+			err = -ENOBUFS;
+			goto out;
+		}
+
+		err = hndl->notify(skb, sk, create);
+		if (err) {
+			nlmsg_free(skb);
+			goto out;
+		}
+
+		err = nlmsg_notify(nlsk, skb, 0, NLDIAGGRP_NOTIFY, 0,
+				   GFP_KERNEL);
+	}
+out:
+	mutex_unlock(&sock_diag_table_mutex);
+
+	return err;
+}
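Review bot: The request_module() at the top of __sock_diag_notify() runs on every call while no handler is registered for sk->sk_family, and the callers added later in the series (packet_create()/packet_release() in af_packet.c and sk_attach_filter()/sk_detach_filter() in filter.c) reach it from plain socket() and setsockopt() calls of unprivileged tasks, so a missing diag module means a synchronous modprobe per socket operation rather than per diag request, which is presumably what the existing dump path intends. The message is also allocated and filled even when nobody has joined the multicast group; an early `if (!netlink_has_listeners(sock_net(sk)->diag_nlsk, NLDIAGGRP_NOTIFY)) return 0;` before the table lock avoids the allocation and the fill in the common case, and dropping the module autoload here (leaving it to the explicit dump path) limits the cost to families whose diag module is already loaded. The same concern applies to the af_packet.c and filter.c hunks that call the wrappers.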
+
 static int __net_init diag_net_init(struct net *net)
 {
 	struct netlink_kernel_cfg cfg = {
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 7e387ff..bb32d64 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -88,6 +88,7 @@
 #include <linux/virtio_net.h>
 #include <linux/errqueue.h>
 #include <linux/net_tstamp.h>
+#include <linux/sock_diag.h>
 
 #ifdef CONFIG_INET
 #include <net/inet_common.h>
@@ -2379,6 +2380,8 @@ static int packet_release(struct socket *sock)
 	if (!sk)
 		return 0;
 
+	sock_diag_notify_del(sk);
+
 	net = sock_net(sk);
 	po = pkt_sk(sk);
 
@@ -2597,6 +2600,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
 	sock_prot_inuse_add(net, &packet_proto, 1);
 	preempt_enable();
 
+	sock_diag_notify(sk);
 	return 0;
 out:
 	return err;
diff --git a/net/packet/diag.c b/net/packet/diag.c
index ec8b6e8..377a45b 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -128,13 +128,13 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb)
 static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			struct packet_diag_req *req,
 			struct user_namespace *user_ns,
-			u32 portid, u32 seq, u32 flags, int sk_ino)
+			u32 portid, u32 seq, u32 flags, int sk_ino, int cmd)
 {
 	struct nlmsghdr *nlh;
 	struct packet_diag_msg *rp;
 	struct packet_sock *po = pkt_sk(sk);
 
-	nlh = nlmsg_put(skb, portid, seq, SOCK_DIAG_BY_FAMILY, sizeof(*rp), flags);
+	nlh = nlmsg_put(skb, portid, seq, cmd, sizeof(*rp), flags);
 	if (!nlh)
 		return -EMSGSIZE;
 
@@ -149,7 +149,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			pdiag_put_info(po, skb))
 		goto out_nlmsg_trim;
 
-	if ((req->pdiag_show & PACKET_SHOW_INFO) &&
+	if ((req->pdiag_show & PACKET_SHOW_INFO) && user_ns &&
 	    nla_put_u32(skb, PACKET_DIAG_UID,
 			from_kuid_munged(user_ns, sock_i_uid(sk))))
 		goto out_nlmsg_trim;
@@ -202,7 +202,7 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
 				 sk_user_ns(NETLINK_CB(cb->skb).sk),
 				 NETLINK_CB(cb->skb).portid,
 				 cb->nlh->nlmsg_seq, NLM_F_MULTI,
-				 sock_i_ino(sk)) < 0)
+				 sock_i_ino(sk), SOCK_DIAG_BY_FAMILY) < 0)
 			goto done;
 next:
 		num++;
@@ -237,9 +237,29 @@ static int packet_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
 		return -EOPNOTSUPP;
 }
 
+static int packet_diag_handler_notify(struct sk_buff *skb, struct sock *sk,
+				      bool create)
+{
+	struct packet_diag_req req;
+	int err, cmd;
+
+	memset(&req, 0, sizeof(struct packet_diag_req));
+	if (create) {
+		req.pdiag_show |= PACKET_SHOW_INFO | PACKET_SHOW_MCLIST;
+		req.pdiag_show |= PACKET_SHOW_RING_CFG | PACKET_SHOW_FANOUT;
+		req.pdiag_show |= PACKET_SHOW_MEMINFO | PACKET_SHOW_FILTER;
+		cmd = SOCK_DIAG_BY_FAMILY;
+	} else
+		cmd = SOCK_DIAG_BY_FAMILY_DEL;
+
+	err = sk_diag_fill(sk, skb, &req, NULL, 0, 0, 0, sock_i_ino(sk), cmd);
+	return err > 0 ? 0 : err;
+}
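Review bot: The if/else in packet_diag_handler_notify() braces only the if branch, and `memset(&req, 0, sizeof(struct packet_diag_req))` repeats the type; kernel style wants braces on both branches once one needs them, and `memset(&req, 0, sizeof(req));`. Passing `NULL` as user_ns to sk_diag_fill() silently drops PACKET_DIAG_UID because of the `user_ns &&` guard added in the earlier hunk of this file, which is worth a one-line comment above the call, e.g. `/* no requesting user namespace: the UID attribute is omitted */`, so readers of the notification format do not expect the attribute.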
+
 static const struct sock_diag_handler packet_diag_handler = {
 	.family = AF_PACKET,
 	.dump = packet_diag_handler_dump,
+	.notify = packet_diag_handler_notify,
 };
 
 static int __init packet_diag_init(void)
-- 
1.8.2.1


* [PATCH net-next v2 5/5] sock_diag: notify when filter change
@ 2013-04-24 15:52         ` Nicolas Dichtel
From: Nicolas Dichtel @ 2013-04-24 15:52 UTC (permalink / raw)
  To: netdev; +Cc: xiyou.wangcong, eric.dumazet, davem, Nicolas Dichtel

The filter is advertised in packet diag messages, hence we may send a status update
when a filter is changed.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 net/core/filter.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index dad2a17..021048a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -40,6 +40,7 @@
 #include <linux/ratelimit.h>
 #include <linux/seccomp.h>
 #include <linux/if_vlan.h>
+#include <linux/sock_diag.h>
 
 /* No hurry in this branch
  *
@@ -755,6 +756,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
 
 	if (old_fp)
 		sk_filter_uncharge(sk, old_fp);
+	sock_diag_notify(sk);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(sk_attach_filter);
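Review bot: Both filter.c hooks report the change with sock_diag_notify(), which the packet handler turns into a SOCK_DIAG_BY_FAMILY message — the same type emitted on socket creation — so a subscriber of NLDIAGGRP_NOTIFY cannot tell a new socket from a filter update on an existing one. Either a distinct message type or a comment on these two lines stating that an update is deliberately reported as a fresh SOCK_DIAG_BY_FAMILY record, to be matched on inode by the subscriber, would make the contract explicit; the same applies to the sk_detach_filter() hunk below. sk_attach_filter() and sk_detach_filter() both begin outside their hunks.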
@@ -773,6 +775,7 @@ int sk_detach_filter(struct sock *sk)
 		RCU_INIT_POINTER(sk->sk_filter, NULL);
 		sk_filter_uncharge(sk, filter);
 		ret = 0;
+		sock_diag_notify(sk);
 	}
 	return ret;
 }
-- 
1.8.2.1


* Re: [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters
@ 2013-04-24 16:22           ` Eric Dumazet
From: Eric Dumazet @ 2013-04-24 16:22 UTC (permalink / raw)
  To: Nicolas Dichtel; +Cc: netdev, xiyou.wangcong, davem

On Wed, 2013-04-24 at 17:52 +0200, Nicolas Dichtel wrote:
> This patch allows to dump BPF filters attached to a socket with
> SO_ATTACH_FILTER. In other words, users allowing to open netlink sockets can
> see filters set on a socket (when the diag module of the socket family is
> loaded).

To my knowledge, opening netlink sockets is not restricted.

I do not want user lambda being able to see my BPF filters.

I am root, and was assuming user lambda could not spy on me.

$ cat /proc/net/packet 
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      10   0003   3     1 0      0      1089989
0000000000000000 3      10   0003   2     1 0      0      1050535
0000000000000000 3      2    888e   3     1 0      0      1041970


With this information, it seems safe enough, but the whole BPF could
give interesting ideas to user lambda.


* Re: [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters
@ 2013-04-25  5:16             ` David Miller
From: David Miller @ 2013-04-25  5:16 UTC (permalink / raw)
  To: eric.dumazet; +Cc: nicolas.dichtel, netdev, xiyou.wangcong

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 24 Apr 2013 09:22:45 -0700

> On Wed, 2013-04-24 at 17:52 +0200, Nicolas Dichtel wrote:
>> This patch allows to dump BPF filters attached to a socket with
>> SO_ATTACH_FILTER. In other words, users allowing to open netlink sockets can
>> see filters set on a socket (when the diag module of the socket family is
>> loaded).
> 
> To my knowledge, opening netlink sockets is not restricted.
> 
> I do not want user lambda being able to see my BPF filters.

I agree, this change is not reasonable.  And therefore the notifiers
added in the subsequent patches of this series are not appropriate
either.


* Re: [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters
@ 2013-04-25  8:37             ` Nicolas Dichtel
From: Nicolas Dichtel @ 2013-04-25  8:37 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: netdev, xiyou.wangcong, davem

Le 24/04/2013 18:22, Eric Dumazet a écrit :
> On Wed, 2013-04-24 at 17:52 +0200, Nicolas Dichtel wrote:
>> This patch allows to dump BPF filters attached to a socket with
>> SO_ATTACH_FILTER. In other words, users allowing to open netlink sockets can
>> see filters set on a socket (when the diag module of the socket family is
>> loaded).
>
> To my knowledge, opening netlink sockets is not restricted.
>
> I do not want user lambda being able to see my BPF filters.
>
> I am root, and was assuming user lambda could not spy on me.
>
> $ cat /proc/net/packet
> sk       RefCnt Type Proto  Iface R Rmem   User   Inode
> 0000000000000000 3      10   0003   3     1 0      0      1089989
> 0000000000000000 3      10   0003   2     1 0      0      1050535
> 0000000000000000 3      2    888e   3     1 0      0      1041970
>
>
> With this information, it seems safe enough, but the whole BPF could
> give interesting ideas to user lambda.
I agree. But then you just have to avoid loading the packet_diag module. This
module already gives some clues to users, because it sends the socket pointer
through netlink.
Maybe I'm wrong, but I was thinking that this module is used for debugging purposes.
If the module is not loaded, my patch has no effect on the system.


* Re: [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters
@ 2013-04-25  9:00               ` David Miller
From: David Miller @ 2013-04-25  9:00 UTC (permalink / raw)
  To: nicolas.dichtel; +Cc: eric.dumazet, netdev, xiyou.wangcong

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Thu, 25 Apr 2013 10:37:00 +0200

> Maybe I'm wrong, but I was thinking that this module is used for debug
> purpose.

No, it's a normal tool.


* [PATCH net-next v3 0/4] sock_diag: monitor packet sockets
@ 2013-04-25 13:21                 ` Nicolas Dichtel
From: Nicolas Dichtel @ 2013-04-25 13:21 UTC (permalink / raw)
  To: davem; +Cc: xiyou.wangcong, eric.dumazet, netdev

The goal of this patchset is to be able to monitor packet sockets.
The two first patches add new attributes for packet_diag subsystem, so that all
information exported via the /proc/net/packet are also exported via netlink.
The third patch avoids disclosing the socket pointer to all users. Via /proc,
kptr_restrict is used.
The last patch allows authorized users to get details about the filter attached to a
packet socket.

As usual, the patch against iproute2 will be sent once the patches are included
and net-next merged. I can send it on demand.

v2: add sock_diag_notify_del() to avoid confusion of the meaning of the second
    arg of __sock_diag_notify()
    enhance commitlog of patch 3/5

v3: drop previous 4/5 and 5/5 patches
    add patch 3/4 (sock_diag: do not disclose sock ptr to all users)
    disclose filters only to allowed users

 include/linux/sock_diag.h        |  5 ++++-
 include/uapi/linux/packet_diag.h |  5 +++++
 net/core/sock_diag.c             | 45 +++++++++++++++++++++++++++++++++++++---
 net/ipv4/inet_diag.c             | 13 +++++++-----
 net/netlink/diag.c               |  5 ++++-
 net/packet/diag.c                | 29 ++++++++++++++++++++------
 net/unix/diag.c                  | 14 ++++++++-----
 7 files changed, 95 insertions(+), 21 deletions(-)

Comments are welcome.

Regards,
Nicolas


* [PATCH net-next v3 1/4] packet_diag: disclose uid value
@ 2013-04-25 13:21                   ` Nicolas Dichtel
From: Nicolas Dichtel @ 2013-04-25 13:21 UTC (permalink / raw)
  To: davem; +Cc: xiyou.wangcong, eric.dumazet, netdev, Nicolas Dichtel

This value is disclosed via /proc/net/packet but not via netlink messages.
The goal is to have the same level of information.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/uapi/linux/packet_diag.h |  1 +
 net/packet/diag.c                | 19 ++++++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index afafd70..84f83a4 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -32,6 +32,7 @@ enum {
 	PACKET_DIAG_RX_RING,
 	PACKET_DIAG_TX_RING,
 	PACKET_DIAG_FANOUT,
+	PACKET_DIAG_UID,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/packet/diag.c b/net/packet/diag.c
index d3fcd1e..04c8219 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -125,8 +125,10 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb)
 	return ret;
 }
 
-static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct packet_diag_req *req,
-		u32 portid, u32 seq, u32 flags, int sk_ino)
+static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
+			struct packet_diag_req *req,
+			struct user_namespace *user_ns,
+			u32 portid, u32 seq, u32 flags, int sk_ino)
 {
 	struct nlmsghdr *nlh;
 	struct packet_diag_msg *rp;
@@ -147,6 +149,11 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct packet_diag
 			pdiag_put_info(po, skb))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_INFO) &&
+	    nla_put_u32(skb, PACKET_DIAG_UID,
+			from_kuid_munged(user_ns, sock_i_uid(sk))))
+		goto out_nlmsg_trim;
+
 	if ((req->pdiag_show & PACKET_SHOW_MCLIST) &&
 			pdiag_put_mclist(po, skb))
 		goto out_nlmsg_trim;
@@ -183,9 +190,11 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
 		if (num < s_num)
 			goto next;
 
-		if (sk_diag_fill(sk, skb, req, NETLINK_CB(cb->skb).portid,
-					cb->nlh->nlmsg_seq, NLM_F_MULTI,
-					sock_i_ino(sk)) < 0)
+		if (sk_diag_fill(sk, skb, req,
+				 sk_user_ns(NETLINK_CB(cb->skb).sk),
+				 NETLINK_CB(cb->skb).portid,
+				 cb->nlh->nlmsg_seq, NLM_F_MULTI,
+				 sock_i_ino(sk)) < 0)
 			goto done;
 next:
 		num++;
-- 
1.8.2.1


* [PATCH net-next v3 2/4] packet_diag: disclose meminfo values
@ 2013-04-25 13:21                   ` Nicolas Dichtel
From: Nicolas Dichtel @ 2013-04-25 13:21 UTC (permalink / raw)
  To: davem; +Cc: xiyou.wangcong, eric.dumazet, netdev, Nicolas Dichtel

sk_rmem_alloc is disclosed via /proc/net/packet but not via netlink messages.
The goal is to have the same level of information.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/uapi/linux/packet_diag.h | 2 ++
 net/packet/diag.c                | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index 84f83a4..c0802c1 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -16,6 +16,7 @@ struct packet_diag_req {
 #define PACKET_SHOW_MCLIST	0x00000002 /* A set of packet_diag_mclist-s */
 #define PACKET_SHOW_RING_CFG	0x00000004 /* Rings configuration parameters */
 #define PACKET_SHOW_FANOUT	0x00000008
+#define PACKET_SHOW_MEMINFO	0x00000010
 
 struct packet_diag_msg {
 	__u8	pdiag_family;
@@ -33,6 +34,7 @@ enum {
 	PACKET_DIAG_TX_RING,
 	PACKET_DIAG_FANOUT,
 	PACKET_DIAG_UID,
+	PACKET_DIAG_MEMINFO,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 04c8219..822fe9b 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -166,6 +166,10 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			pdiag_put_fanout(po, skb))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_MEMINFO) &&
+	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
+		goto out_nlmsg_trim;
+
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
-- 
1.8.2.1


* [PATCH net-next v3 3/4] sock_diag: do not disclose sock ptr to all users
@ 2013-04-25 13:21                   ` Nicolas Dichtel
From: Nicolas Dichtel @ 2013-04-25 13:21 UTC (permalink / raw)
  To: davem; +Cc: xiyou.wangcong, eric.dumazet, netdev, Nicolas Dichtel

This is sensitive information, hence we restrict which users are allowed to get it.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/linux/sock_diag.h |  3 ++-
 net/core/sock_diag.c      | 12 +++++++++---
 net/ipv4/inet_diag.c      | 13 ++++++++-----
 net/netlink/diag.c        |  5 ++++-
 net/packet/diag.c         |  2 +-
 net/unix/diag.c           | 14 +++++++++-----
 6 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index e8d702e..023174f 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -19,7 +19,8 @@ void sock_diag_register_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsgh
 void sock_diag_unregister_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh));
 
 int sock_diag_check_cookie(void *sk, __u32 *cookie);
-void sock_diag_save_cookie(void *sk, __u32 *cookie);
+void sock_diag_save_cookie(struct user_namespace *user_ns, void *sk,
+			   __u32 *cookie);
 
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
 
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index a29e90c..5adf531 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -25,10 +25,16 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie)
 }
 EXPORT_SYMBOL_GPL(sock_diag_check_cookie);
 
-void sock_diag_save_cookie(void *sk, __u32 *cookie)
+void sock_diag_save_cookie(struct user_namespace *user_ns, void *sk,
+			   __u32 *cookie)
 {
-	cookie[0] = (u32)(unsigned long)sk;
-	cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
+	if (ns_capable(user_ns, CAP_NET_ADMIN)) {
+		cookie[0] = (u32)(unsigned long)sk;
+		cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
+	} else {
+		cookie[0] = 0;
+		cookie[1] = 0;
+	}
 }
 EXPORT_SYMBOL_GPL(sock_diag_save_cookie);
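Review bot: The zeroed cookie written on the else branch is not INET_DIAG_NOCOOKIE, so an unprivileged requester that echoes it back in an exact-lookup request presumably fails sock_diag_check_cookie(); writing INET_DIAG_NOCOOKIE into both words, or documenting that such requesters must send INET_DIAG_NOCOOKIE, keeps those lookups working. ns_capable() is also evaluated once per socket inside the dump loops of the inet, netlink, unix and packet callers changed in this patch, and each denial is audited; computing the result once per request and passing a bool down would avoid that. Note too that ns_capable() tests the credentials of the task handling the request while user_ns is derived from the netlink socket's opener — if those two can differ, the check should be made against the opener's credentials instead.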
 
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 5f64875..e6607e0 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -18,6 +18,7 @@
 #include <linux/cache.h>
 #include <linux/init.h>
 #include <linux/time.h>
+#include <linux/user_namespace.h>
 
 #include <net/icmp.h>
 #include <net/tcp.h>
@@ -102,7 +103,7 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
 	r->idiag_retrans = 0;
 
 	r->id.idiag_if = sk->sk_bound_dev_if;
-	sock_diag_save_cookie(sk, r->id.idiag_cookie);
+	sock_diag_save_cookie(user_ns, sk, r->id.idiag_cookie);
 
 	r->id.idiag_sport = inet->inet_sport;
 	r->id.idiag_dport = inet->inet_dport;
@@ -219,6 +220,7 @@ static int inet_csk_diag_fill(struct sock *sk,
 
 static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
 			       struct sk_buff *skb, struct inet_diag_req_v2 *req,
+			       struct user_namespace *user_ns,
 			       u32 portid, u32 seq, u16 nlmsg_flags,
 			       const struct nlmsghdr *unlh)
 {
@@ -241,7 +243,7 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
 	r->idiag_family	      = tw->tw_family;
 	r->idiag_retrans      = 0;
 	r->id.idiag_if	      = tw->tw_bound_dev_if;
-	sock_diag_save_cookie(tw, r->id.idiag_cookie);
+	sock_diag_save_cookie(user_ns, tw, r->id.idiag_cookie);
 	r->id.idiag_sport     = tw->tw_sport;
 	r->id.idiag_dport     = tw->tw_dport;
 	r->id.idiag_src[0]    = tw->tw_rcv_saddr;
@@ -274,8 +276,8 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 {
 	if (sk->sk_state == TCP_TIME_WAIT)
 		return inet_twsk_diag_fill((struct inet_timewait_sock *)sk,
-					   skb, r, portid, seq, nlmsg_flags,
-					   unlh);
+					   skb, r, user_ns, portid, seq,
+					   nlmsg_flags, unlh);
 	return inet_csk_diag_fill(sk, skb, r, user_ns, portid, seq, nlmsg_flags, unlh);
 }
 
@@ -666,6 +668,7 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw,
 	}
 
 	return inet_twsk_diag_fill(tw, skb, r,
+				   sk_user_ns(NETLINK_CB(cb->skb).sk),
 				   NETLINK_CB(cb->skb).portid,
 				   cb->nlh->nlmsg_seq, NLM_F_MULTI, cb->nlh);
 }
@@ -724,7 +727,7 @@ static int inet_diag_fill_req(struct sk_buff *skb, struct sock *sk,
 	r->idiag_retrans = req->num_retrans;
 
 	r->id.idiag_if = sk->sk_bound_dev_if;
-	sock_diag_save_cookie(req, r->id.idiag_cookie);
+	sock_diag_save_cookie(user_ns, req, r->id.idiag_cookie);
 
 	tmo = req->expires - jiffies;
 	if (tmo < 0)
diff --git a/net/netlink/diag.c b/net/netlink/diag.c
index 1af2962..57d7636 100644
--- a/net/netlink/diag.c
+++ b/net/netlink/diag.c
@@ -55,6 +55,7 @@ static int sk_diag_dump_groups(struct sock *sk, struct sk_buff *nlskb)
 
 static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			struct netlink_diag_req *req,
+			struct user_namespace *user_ns,
 			u32 portid, u32 seq, u32 flags, int sk_ino)
 {
 	struct nlmsghdr *nlh;
@@ -76,7 +77,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 	rep->ndiag_portid	= nlk->portid;
 	rep->ndiag_dst_portid	= nlk->dst_portid;
 	rep->ndiag_dst_group	= nlk->dst_group;
-	sock_diag_save_cookie(sk, rep->ndiag_cookie);
+	sock_diag_save_cookie(user_ns, sk, rep->ndiag_cookie);
 
 	if ((req->ndiag_show & NDIAG_SHOW_GROUPS) &&
 	    sk_diag_dump_groups(sk, skb))
@@ -119,6 +120,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
 			}
 
 			if (sk_diag_fill(sk, skb, req,
+					 sk_user_ns(NETLINK_CB(cb->skb).sk),
 					 NETLINK_CB(cb->skb).portid,
 					 cb->nlh->nlmsg_seq,
 					 NLM_F_MULTI,
@@ -142,6 +144,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
 		}
 
 		if (sk_diag_fill(sk, skb, req,
+				 sk_user_ns(NETLINK_CB(cb->skb).sk),
 				 NETLINK_CB(cb->skb).portid,
 				 cb->nlh->nlmsg_seq,
 				 NLM_F_MULTI,
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 822fe9b..7af2ae0 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -143,7 +143,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 	rp->pdiag_type = sk->sk_type;
 	rp->pdiag_num = ntohs(po->num);
 	rp->pdiag_ino = sk_ino;
-	sock_diag_save_cookie(sk, rp->pdiag_cookie);
+	sock_diag_save_cookie(user_ns, sk, rp->pdiag_cookie);
 
 	if ((req->pdiag_show & PACKET_SHOW_INFO) &&
 			pdiag_put_info(po, skb))
diff --git a/net/unix/diag.c b/net/unix/diag.c
index d591091..1637dfd 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -1,5 +1,6 @@
 #include <linux/types.h>
 #include <linux/spinlock.h>
+#include <linux/user_namespace.h>
 #include <linux/sock_diag.h>
 #include <linux/unix_diag.h>
 #include <linux/skbuff.h>
@@ -110,7 +111,8 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb)
 }
 
 static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req,
-		u32 portid, u32 seq, u32 flags, int sk_ino)
+			struct user_namespace *user_ns,
+			u32 portid, u32 seq, u32 flags, int sk_ino)
 {
 	struct nlmsghdr *nlh;
 	struct unix_diag_msg *rep;
@@ -125,7 +127,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
 	rep->udiag_type = sk->sk_type;
 	rep->udiag_state = sk->sk_state;
 	rep->udiag_ino = sk_ino;
-	sock_diag_save_cookie(sk, rep->udiag_cookie);
+	sock_diag_save_cookie(user_ns, sk, rep->udiag_cookie);
 
 	if ((req->udiag_show & UDIAG_SHOW_NAME) &&
 	    sk_diag_dump_name(sk, skb))
@@ -162,7 +164,7 @@ out_nlmsg_trim:
 }
 
 static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req,
-		u32 portid, u32 seq, u32 flags)
+			struct user_namespace *user_ns, u32 portid, u32 seq, u32 flags)
 {
 	int sk_ino;
 
@@ -173,7 +175,7 @@ static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
 	if (!sk_ino)
 		return 0;
 
-	return sk_diag_fill(sk, skb, req, portid, seq, flags, sk_ino);
+	return sk_diag_fill(sk, skb, req, user_ns, portid, seq, flags, sk_ino);
 }
 
 static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
@@ -202,6 +204,7 @@ static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
 			if (!(req->udiag_states & (1 << sk->sk_state)))
 				goto next;
 			if (sk_diag_dump(sk, skb, req,
+					 sk_user_ns(NETLINK_CB(cb->skb).sk),
 					 NETLINK_CB(cb->skb).portid,
 					 cb->nlh->nlmsg_seq,
 					 NLM_F_MULTI) < 0)
@@ -267,7 +270,8 @@ again:
 	if (!rep)
 		goto out;
 
-	err = sk_diag_fill(sk, rep, req, NETLINK_CB(in_skb).portid,
+	err = sk_diag_fill(sk, rep, req, sk_user_ns(NETLINK_CB(in_skb).sk),
+			   NETLINK_CB(in_skb).portid,
 			   nlh->nlmsg_seq, 0, req->udiag_ino);
 	if (err < 0) {
 		nlmsg_free(rep);
-- 
1.8.2.1


* [PATCH net-next v3 4/4] sock_diag: allow to dump bpf filters
@ 2013-04-25 13:21                   ` Nicolas Dichtel
From: Nicolas Dichtel @ 2013-04-25 13:21 UTC (permalink / raw)
  To: davem; +Cc: xiyou.wangcong, eric.dumazet, netdev, Nicolas Dichtel

This patch allows dumping the BPF filters attached to a socket with
SO_ATTACH_FILTER.
Note that we check CAP_SYS_ADMIN before allowing to dump this info.

For now, only AF_PACKET sockets use this feature.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/linux/sock_diag.h        |  2 ++
 include/uapi/linux/packet_diag.h |  2 ++
 net/core/sock_diag.c             | 33 +++++++++++++++++++++++++++++++++
 net/packet/diag.c                |  4 ++++
 4 files changed, 41 insertions(+)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index 023174f..ef895e2 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -23,5 +23,7 @@ void sock_diag_save_cookie(struct user_namespace *user_ns, void *sk,
 			   __u32 *cookie);
 
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
+int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
+			     struct sk_buff *skb, int attrtype);
 
 #endif
diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index c0802c1..b2cc0cd 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -17,6 +17,7 @@ struct packet_diag_req {
 #define PACKET_SHOW_RING_CFG	0x00000004 /* Rings configuration parameters */
 #define PACKET_SHOW_FANOUT	0x00000008
 #define PACKET_SHOW_MEMINFO	0x00000010
+#define PACKET_SHOW_FILTER	0x00000020
 
 struct packet_diag_msg {
 	__u8	pdiag_family;
@@ -35,6 +36,7 @@ enum {
 	PACKET_DIAG_FANOUT,
 	PACKET_DIAG_UID,
 	PACKET_DIAG_MEMINFO,
+	PACKET_DIAG_FILTER,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 5adf531..e0b93c4 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -55,6 +55,39 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype)
 }
 EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
 
+int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
+			     struct sk_buff *skb, int attrtype)
+{
+	struct nlattr *attr;
+	struct sk_filter *filter;
+	unsigned int len;
+	int err = 0;
+
+	if (!ns_capable(user_ns, CAP_NET_ADMIN)) {
+		nla_reserve(skb, attrtype, 0);
+		return 0;
+	}
+
+	rcu_read_lock();
+
+	filter = rcu_dereference(sk->sk_filter);
+	len = filter ? filter->len * sizeof(struct sock_filter) : 0;
+
+	attr = nla_reserve(skb, attrtype, len);
+	if (attr == NULL) {
+		err = -EMSGSIZE;
+		goto out;
+	}
+
+	if (filter)
+		memcpy(nla_data(attr), filter->insns, len);
+
+out:
+	rcu_read_unlock();
+	return err;
+}
+EXPORT_SYMBOL(sock_diag_put_filterinfo);
+
 void sock_diag_register_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh))
 {
 	mutex_lock(&sock_diag_table_mutex);
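Review bot: `ns_capable(user_ns, CAP_NET_ADMIN)` at the top of sock_diag_put_filterinfo tests the credentials of `current`, yet this helper is reached from a netlink dump callback, which executes in the context of whatever task calls recvmsg() on the NETLINK_SOCK_DIAG socket rather than the task that sent the request. user_ns, by contrast, is derived from the requesting socket, so the subject of the capability test and the namespace it is tested in can belong to different tasks whenever the netlink fd is inherited or passed; the usual netlink rule is to judge by the sender's credentials as captured on the request skb. I would take that decision once in packet_diag_dump, where the request skb is at hand, and hand the result down to this function as a boolean instead of re-checking `current` per socket. The commit message also says CAP_SYS_ADMIN where the code checks CAP_NET_ADMIN.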
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 7af2ae0..cd90df7 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -170,6 +170,10 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
+	    sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER))
+		goto out_nlmsg_trim;
+
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
-- 
1.8.2.1


* Re: [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters
From: Eric Dumazet @ 2013-04-25 13:51 UTC (permalink / raw)
  To: nicolas.dichtel; +Cc: netdev, xiyou.wangcong, davem

On Thu, 2013-04-25 at 10:37 +0200, Nicolas Dichtel wrote:
> I agree. But then you just have to avoid loading the module packet_diag. This 
> module already give some clue to users, because it sends the socket pointer 
> through netlink.

You probably missed a lot of discussion about this socket pointer being
leaked. Supposedly security guys wanted to remove this at one point.

That's why we should make sure not to add yet another security issue.


* Re: [PATCH net-next v3 3/4] sock_diag: do not disclose sock ptr to all users
From: Eric Dumazet @ 2013-04-25 15:32 UTC (permalink / raw)
  To: Nicolas Dichtel; +Cc: davem, xiyou.wangcong, netdev

On Thu, 2013-04-25 at 15:21 +0200, Nicolas Dichtel wrote:
> This is sensitive info, hence we restrict the users allowed to get it.
> 
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> ---
>  include/linux/sock_diag.h |  3 ++-
>  net/core/sock_diag.c      | 12 +++++++++---
>  net/ipv4/inet_diag.c      | 13 ++++++++-----
>  net/netlink/diag.c        |  5 ++++-
>  net/packet/diag.c         |  2 +-
>  net/unix/diag.c           | 14 +++++++++-----
>  6 files changed, 33 insertions(+), 16 deletions(-)

Nack. This was already discussed in the past.

Some people don't want to dump whole table, but use cookie to dump a
particular socket.


* Re: [PATCH net-next v3 3/4] sock_diag: do not disclose sock ptr to all users
From: Eric Dumazet @ 2013-04-25 15:36 UTC (permalink / raw)
  To: Nicolas Dichtel; +Cc: davem, xiyou.wangcong, netdev

On Thu, 2013-04-25 at 08:32 -0700, Eric Dumazet wrote:

> Nack. This was already discussed in the past.
> 
> Some people don't want to dump whole table, but use cookie to dump a
> particular socket.

For more details :

git grep -n sock_diag_check_cookie
include/linux/sock_diag.h:21:int sock_diag_check_cookie(void *sk, __u32 *cookie);
net/core/sock_diag.c:16:int sock_diag_check_cookie(void *sk, __u32 *cookie)
net/core/sock_diag.c:26:EXPORT_SYMBOL_GPL(sock_diag_check_cookie);
net/ipv4/inet_diag.c:312:       err = sock_diag_check_cookie(sk, req->id.idiag_cookie);
net/ipv4/udp_diag.c:62: err = sock_diag_check_cookie(sk, req->id.idiag_cookie);
net/unix/diag.c:259:    err = sock_diag_check_cookie(sk, req->udiag_cookie);


* Re: [PATCH net-next v3 3/4] sock_diag: do not disclose sock ptr to all users
From: Nicolas Dichtel @ 2013-04-25 16:45 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: davem, xiyou.wangcong, netdev

Le 25/04/2013 17:36, Eric Dumazet a écrit :
> On Thu, 2013-04-25 at 08:32 -0700, Eric Dumazet wrote:
>
>> Nack. This was already discussed in the past.
>>
>> Some people don't want to dump whole table, but use cookie to dump a
>> particular socket.
>
> For more details :
>
> git grep -n sock_diag_check_cookie
> include/linux/sock_diag.h:21:int sock_diag_check_cookie(void *sk, __u32 *cookie);
> net/core/sock_diag.c:16:int sock_diag_check_cookie(void *sk, __u32 *cookie)
> net/core/sock_diag.c:26:EXPORT_SYMBOL_GPL(sock_diag_check_cookie);
> net/ipv4/inet_diag.c:312:       err = sock_diag_check_cookie(sk, req->id.idiag_cookie);
> net/ipv4/udp_diag.c:62: err = sock_diag_check_cookie(sk, req->id.idiag_cookie);
> net/unix/diag.c:259:    err = sock_diag_check_cookie(sk, req->udiag_cookie);
I definitely miss the thread about this topic, I will try to find it.


* [PATCH net-next v4 0/3] packet_diag: enhance advertised infos
From: Nicolas Dichtel @ 2013-04-25 16:53 UTC (permalink / raw)
  To: eric.dumazet; +Cc: davem, xiyou.wangcong, netdev

The goal of this patchset is to be able to get all the information exported via
/proc/net/packet and also to be able to get the filter associated with af_packet
sockets.

As usual, the patch against iproute2 will be sent once the patches are included
and net-next merged. I can send it on demand.

v2: add sock_diag_notify_del() to avoid confusion of the meaning of the second
    arg of __sock_diag_notify()
    enhance commitlog of patch 3/5

v3: drop previous 4/5 and 5/5 patches
    add patch 3/4 (sock_diag: do not disclose sock ptr to all users)
    disclose filters only to allowed users

v4: drop patch 3/4 (sock_diag: do not disclose sock ptr to all user)

 include/linux/sock_diag.h        |  3 +++
 include/uapi/linux/packet_diag.h |  5 +++++
 net/core/sock_diag.c             | 33 +++++++++++++++++++++++++++++++++
 net/packet/diag.c                | 27 ++++++++++++++++++++++-----
 4 files changed, 63 insertions(+), 5 deletions(-)

Comments are welcome.

Regards,
Nicolas


* [PATCH net-next v4 1/3] packet_diag: disclose uid value
From: Nicolas Dichtel @ 2013-04-25 16:53 UTC (permalink / raw)
  To: eric.dumazet; +Cc: davem, xiyou.wangcong, netdev, Nicolas Dichtel

This value is disclosed via /proc/net/packet but not via netlink messages.
The goal is to have the same level of information.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/uapi/linux/packet_diag.h |  1 +
 net/packet/diag.c                | 19 ++++++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index afafd70..84f83a4 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -32,6 +32,7 @@ enum {
 	PACKET_DIAG_RX_RING,
 	PACKET_DIAG_TX_RING,
 	PACKET_DIAG_FANOUT,
+	PACKET_DIAG_UID,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/packet/diag.c b/net/packet/diag.c
index d3fcd1e..04c8219 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -125,8 +125,10 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb)
 	return ret;
 }
 
-static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct packet_diag_req *req,
-		u32 portid, u32 seq, u32 flags, int sk_ino)
+static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
+			struct packet_diag_req *req,
+			struct user_namespace *user_ns,
+			u32 portid, u32 seq, u32 flags, int sk_ino)
 {
 	struct nlmsghdr *nlh;
 	struct packet_diag_msg *rp;
@@ -147,6 +149,11 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct packet_diag
 			pdiag_put_info(po, skb))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_INFO) &&
+	    nla_put_u32(skb, PACKET_DIAG_UID,
+			from_kuid_munged(user_ns, sock_i_uid(sk))))
+		goto out_nlmsg_trim;
+
 	if ((req->pdiag_show & PACKET_SHOW_MCLIST) &&
 			pdiag_put_mclist(po, skb))
 		goto out_nlmsg_trim;
@@ -183,9 +190,11 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
 		if (num < s_num)
 			goto next;
 
-		if (sk_diag_fill(sk, skb, req, NETLINK_CB(cb->skb).portid,
-					cb->nlh->nlmsg_seq, NLM_F_MULTI,
-					sock_i_ino(sk)) < 0)
+		if (sk_diag_fill(sk, skb, req,
+				 sk_user_ns(NETLINK_CB(cb->skb).sk),
+				 NETLINK_CB(cb->skb).portid,
+				 cb->nlh->nlmsg_seq, NLM_F_MULTI,
+				 sock_i_ino(sk)) < 0)
 			goto done;
 next:
 		num++;
-- 
1.8.2.1


* [PATCH net-next v4 2/3] packet_diag: disclose meminfo values
From: Nicolas Dichtel @ 2013-04-25 16:53 UTC (permalink / raw)
  To: eric.dumazet; +Cc: davem, xiyou.wangcong, netdev, Nicolas Dichtel

sk_rmem_alloc is disclosed via /proc/net/packet but not via netlink messages.
The goal is to have the same level of information.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/uapi/linux/packet_diag.h | 2 ++
 net/packet/diag.c                | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index 84f83a4..c0802c1 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -16,6 +16,7 @@ struct packet_diag_req {
 #define PACKET_SHOW_MCLIST	0x00000002 /* A set of packet_diag_mclist-s */
 #define PACKET_SHOW_RING_CFG	0x00000004 /* Rings configuration parameters */
 #define PACKET_SHOW_FANOUT	0x00000008
+#define PACKET_SHOW_MEMINFO	0x00000010
 
 struct packet_diag_msg {
 	__u8	pdiag_family;
@@ -33,6 +34,7 @@ enum {
 	PACKET_DIAG_TX_RING,
 	PACKET_DIAG_FANOUT,
 	PACKET_DIAG_UID,
+	PACKET_DIAG_MEMINFO,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 04c8219..822fe9b 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -166,6 +166,10 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			pdiag_put_fanout(po, skb))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_MEMINFO) &&
+	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
+		goto out_nlmsg_trim;
+
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
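Review bot: The new PACKET_SHOW_MEMINFO branch discloses whatever sock_diag_put_meminfo() emits to any requester, and that shared helper (its body is not in this patch; sk_diag_fill itself also starts before this hunk) as far as I recall writes the whole SK_MEMINFO_* vector — receive and send allocations, buffer limits, forward-alloc, optmem and backlog — not just the sk_rmem_alloc value the commit message says is being matched with /proc/net/packet. That is probably acceptable for parity with inet_diag, but the commit message should say so rather than "the same level of information", or the added lines should carry a comment like `/* full SK_MEMINFO_* set, a superset of what /proc/net/packet shows */`.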
-- 
1.8.2.1


* [PATCH net-next v4 3/3] sock_diag: allow to dump bpf filters
From: Nicolas Dichtel @ 2013-04-25 16:53 UTC (permalink / raw)
  To: eric.dumazet; +Cc: davem, xiyou.wangcong, netdev, Nicolas Dichtel

This patch allows dumping the BPF filter attached to a socket with
SO_ATTACH_FILTER.
Note that we check CAP_NET_ADMIN before allowing to dump this info.

For now, only AF_PACKET sockets use this feature.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 include/linux/sock_diag.h        |  3 +++
 include/uapi/linux/packet_diag.h |  2 ++
 net/core/sock_diag.c             | 33 +++++++++++++++++++++++++++++++++
 net/packet/diag.c                |  4 ++++
 4 files changed, 42 insertions(+)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index e8d702e..54f91d3 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -1,6 +1,7 @@
 #ifndef __SOCK_DIAG_H__
 #define __SOCK_DIAG_H__
 
+#include <linux/user_namespace.h>
 #include <uapi/linux/sock_diag.h>
 
 struct sk_buff;
@@ -22,5 +23,7 @@ int sock_diag_check_cookie(void *sk, __u32 *cookie);
 void sock_diag_save_cookie(void *sk, __u32 *cookie);
 
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
+int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
+			     struct sk_buff *skb, int attrtype);
 
 #endif
diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index c0802c1..b2cc0cd 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -17,6 +17,7 @@ struct packet_diag_req {
 #define PACKET_SHOW_RING_CFG	0x00000004 /* Rings configuration parameters */
 #define PACKET_SHOW_FANOUT	0x00000008
 #define PACKET_SHOW_MEMINFO	0x00000010
+#define PACKET_SHOW_FILTER	0x00000020
 
 struct packet_diag_msg {
 	__u8	pdiag_family;
@@ -35,6 +36,7 @@ enum {
 	PACKET_DIAG_FANOUT,
 	PACKET_DIAG_UID,
 	PACKET_DIAG_MEMINFO,
+	PACKET_DIAG_FILTER,
 
 	__PACKET_DIAG_MAX,
 };
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index a29e90c..d5bef0b0 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -49,6 +49,39 @@ int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype)
 }
 EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
 
+int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
+			     struct sk_buff *skb, int attrtype)
+{
+	struct nlattr *attr;
+	struct sk_filter *filter;
+	unsigned int len;
+	int err = 0;
+
+	if (!ns_capable(user_ns, CAP_NET_ADMIN)) {
+		nla_reserve(skb, attrtype, 0);
+		return 0;
+	}
+
+	rcu_read_lock();
+
+	filter = rcu_dereference(sk->sk_filter);
+	len = filter ? filter->len * sizeof(struct sock_filter) : 0;
+
+	attr = nla_reserve(skb, attrtype, len);
+	if (attr == NULL) {
+		err = -EMSGSIZE;
+		goto out;
+	}
+
+	if (filter)
+		memcpy(nla_data(attr), filter->insns, len);
+
+out:
+	rcu_read_unlock();
+	return err;
+}
+EXPORT_SYMBOL(sock_diag_put_filterinfo);
+
 void sock_diag_register_inet_compat(int (*fn)(struct sk_buff *skb, struct nlmsghdr *nlh))
 {
 	mutex_lock(&sock_diag_table_mutex);
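Review bot: The capability test on the first lines of sock_diag_put_filterinfo is made against `current` when the dump skb is being filled, which for a netlink dump is the task draining the socket with recvmsg(), while the user_ns it is tested in comes from the socket that sent the request (the caller uses `sk_user_ns(NETLINK_CB(cb->skb).sk)`), so the check can pass or fail for the wrong subject when the netlink fd is inherited or passed; the sender's credentials as captured on the request skb are the right basis, evaluated once in packet_diag_dump and passed down as a boolean. Separately, the unprivileged branch emits a zero-length PACKET_DIAG_FILTER attribute that is indistinguishable from the privileged "no filter attached" case, and it ignores the nla_reserve() return value; I'd either propagate -EMSGSIZE there as the privileged branch does, or omit the attribute altogether so userspace can tell "not permitted" from "no filter". Minor: the helper just above is EXPORT_SYMBOL_GPL while this one is plain EXPORT_SYMBOL; they should match.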
diff --git a/net/packet/diag.c b/net/packet/diag.c
index 822fe9b..a9584a2 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -170,6 +170,10 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
 		goto out_nlmsg_trim;
 
+	if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
+	    sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER))
+		goto out_nlmsg_trim;
+
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
-- 
1.8.2.1


* Re: [PATCH net-next v3 3/4] sock_diag: do not disclose sock ptr to all users
From: Eric Dumazet @ 2013-04-25 16:57 UTC (permalink / raw)
  To: nicolas.dichtel; +Cc: davem, xiyou.wangcong, netdev

On Thu, 2013-04-25 at 18:45 +0200, Nicolas Dichtel wrote:

> I definitely miss the thread about this topic, I will try to find it.

If you think about it, what could the issues possibly be?

Generating a true unique cookie will add a contention point in socket
creation/deletion. [ using an atomic64_t , or idr ]

One possibility was to XOR using a private random (chosen at boot time)
value, but this might be not enough for security guys.

At that time, I decided I was not spending time on this issue.

If you want to do it, make sure you don't respin old stuff and don't
remove existing functionality. Our review time is limited.

Thanks


* Re: [PATCH net-next v4 0/3] packet_diag: enhance advertised infos
From: David Miller @ 2013-04-29 17:22 UTC (permalink / raw)
  To: nicolas.dichtel; +Cc: eric.dumazet, xiyou.wangcong, netdev

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Thu, 25 Apr 2013 18:53:51 +0200

> The goal of this patchset is to be able to get all infos exported via the
> /proc/net/packet and also beeing able to get filter associated to af_packet
> sockets.
> 
> As usual, the patch against iproute2 will be sent once the patches are included
> and net-next merged. I can send it on demand.

Series applied, thanks Nicolas.


* [PATCH net-next v3] sock_diag: notify packet socket creation/deletion
From: Nicolas Dichtel @ 2013-05-17 14:25 UTC (permalink / raw)
  To: davem; +Cc: xiyou.wangcong, eric.dumazet, netdev, Nicolas Dichtel

With this patch, a netlink message is sent each time a packet socket is created
or deleted.
The framework is generic, so it's easy to add the notification for other kind of
sockets.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---

This patch was first sent as part of a series of 5 patches, but was not
included in the last version of that series. Hence I resend it as v3,
after a rebase on net-next.

I'm not sure whether this patch is acceptable or not (from a security point of
view). Note that BPF filters and the uid are not put in the message, because
user_ns is unknown.

v3: rebase it on net-next
    export the symbol __sock_diag_notify (af_packet can be compiled as a
    module)

v2: add sock_diag_notify_del() to avoid confusion of the meaning of the second
    arg of __sock_diag_notify()

 include/linux/sock_diag.h      |  4 ++++
 include/uapi/linux/sock_diag.h | 13 ++++++++++++-
 net/core/sock_diag.c           | 42 ++++++++++++++++++++++++++++++++++++++++++
 net/packet/af_packet.c         |  4 ++++
 net/packet/diag.c              | 30 +++++++++++++++++++++++++-----
 5 files changed, 87 insertions(+), 6 deletions(-)

diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
index 54f91d3..86cd4f4 100644
--- a/include/linux/sock_diag.h
+++ b/include/linux/sock_diag.h
@@ -11,6 +11,7 @@ struct sock;
 struct sock_diag_handler {
 	__u8 family;
 	int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh);
+	int (*notify)(struct sk_buff *skb, struct sock *sk, bool create);
 };
 
 int sock_diag_register(const struct sock_diag_handler *h);
@@ -25,5 +26,8 @@ void sock_diag_save_cookie(void *sk, __u32 *cookie);
 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attr);
 int sock_diag_put_filterinfo(struct user_namespace *user_ns, struct sock *sk,
 			     struct sk_buff *skb, int attrtype);
+int __sock_diag_notify(struct sock *sk, bool create);
+#define sock_diag_notify(sk)		__sock_diag_notify(sk, true)
+#define sock_diag_notify_del(sk)	__sock_diag_notify(sk, false)
 
 #endif
diff --git a/include/uapi/linux/sock_diag.h b/include/uapi/linux/sock_diag.h
index b00e29e..9e9ffa0 100644
--- a/include/uapi/linux/sock_diag.h
+++ b/include/uapi/linux/sock_diag.h
@@ -3,7 +3,18 @@
 
 #include <linux/types.h>
 
-#define SOCK_DIAG_BY_FAMILY 20
+#define SOCK_DIAG_BY_FAMILY	20
+#define SOCK_DIAG_BY_FAMILY_DEL	21
+
+/* SOCK_DIAG multicast groups */
+enum nldiag_groups {
+	NLDIAGGRP_NONE,
+#define NLDIAGGRP_NONE		NLDIAGGRP_NONE
+	NLDIAGGRP_NOTIFY,
+#define NLDIAGGRP_NOTIFY	NLDIAGGRP_NOTIFY
+	__NLDIAGGRP_MAX
+};
+#define NLDIAGGRP_MAX	(__NLDIAGGRP_MAX - 1)
 
 struct sock_diag_req {
 	__u8	sdiag_family;
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index d5bef0b0..7cc81a8 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -192,6 +192,48 @@ static void sock_diag_rcv(struct sk_buff *skb)
 	mutex_unlock(&sock_diag_mutex);
 }
 
+int __sock_diag_notify(struct sock *sk, bool create)
+{
+	const struct sock_diag_handler *hndl;
+	int err;
+
+	if (sock_diag_handlers[sk->sk_family] == NULL)
+		request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+				NETLINK_SOCK_DIAG, sk->sk_family);
+
+	mutex_lock(&sock_diag_table_mutex);
+	hndl = sock_diag_handlers[sk->sk_family];
+	if (hndl == NULL)
+		err = -ENOENT;
+	else if (hndl->notify == NULL)
+		err = -ENOSYS;
+	else {
+		struct net *net = sock_net(sk);
+		struct sock *nlsk = net->diag_nlsk;
+		struct sk_buff *skb;
+
+		skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+		if (skb == NULL) {
+			err = -ENOBUFS;
+			goto out;
+		}
+
+		err = hndl->notify(skb, sk, create);
+		if (err) {
+			nlmsg_free(skb);
+			goto out;
+		}
+
+		err = nlmsg_notify(nlsk, skb, 0, NLDIAGGRP_NOTIFY, 0,
+				   GFP_KERNEL);
+	}
+out:
+	mutex_unlock(&sock_diag_table_mutex);
+
+	return err;
+}
+EXPORT_SYMBOL(__sock_diag_notify);
+
 static int __net_init diag_net_init(struct net *net)
 {
 	struct netlink_kernel_cfg cfg = {
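Review bot: __sock_diag_notify does its expensive work before it knows whether anyone is listening: with no handler registered it calls request_module(), a synchronous usermodehelper round trip, and it then allocates and fills a NLMSG_GOODSIZE skb only for nlmsg_notify() to find the group empty. Since the af_packet.c hunks call this on every packet socket creation and release, any task allowed to open AF_PACKET sockets can trigger that module autoload and allocation at will. I'd add `if (!netlink_has_listeners(sock_net(sk)->diag_nlsk, NLDIAGGRP_NOTIFY)) return 0;` before the request_module() call; diag_nlsk appears to be created by this file's own per-net init (diag_net_init, just below the hunk), so it is available whether or not the per-family module is loaded. Also, sock_diag_table_mutex is held across a GFP_KERNEL allocation and the multicast send, which is only safe because both callers are in process context; a comment stating that requirement would protect future callers.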
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 8ec1bca..4940a85 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -88,6 +88,7 @@
 #include <linux/virtio_net.h>
 #include <linux/errqueue.h>
 #include <linux/net_tstamp.h>
+#include <linux/sock_diag.h>
 
 #ifdef CONFIG_INET
 #include <net/inet_common.h>
@@ -2415,6 +2416,8 @@ static int packet_release(struct socket *sock)
 	if (!sk)
 		return 0;
 
+	sock_diag_notify_del(sk);
+
 	net = sock_net(sk);
 	po = pkt_sk(sk);
 
@@ -2633,6 +2636,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
 	sock_prot_inuse_add(net, &packet_proto, 1);
 	preempt_enable();
 
+	sock_diag_notify(sk);
 	return 0;
 out:
 	return err;
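Review bot: sock_diag_notify(sk) fires at the tail of packet_create, while socket(2) is still in progress, so the caller has not yet been able to bind() or to set a filter, ring or fanout via setsockopt(); the create message built in packet/diag.c requests those attributes, but here they can only ever be empty, and later changes to them are not notified. For the capture-offload use case mentioned later in the thread a listener therefore learns only that a socket exists, not what it captures; that limitation deserves a sentence in the commit message. The return value is dropped here and in packet_release, which is acceptable for a best-effort event but worth saying in place, e.g. `sock_diag_notify(sk); /* best effort: listeners may miss events under memory pressure */`.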
diff --git a/net/packet/diag.c b/net/packet/diag.c
index a9584a2..74671db 100644
--- a/net/packet/diag.c
+++ b/net/packet/diag.c
@@ -128,13 +128,13 @@ static int pdiag_put_fanout(struct packet_sock *po, struct sk_buff *nlskb)
 static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			struct packet_diag_req *req,
 			struct user_namespace *user_ns,
-			u32 portid, u32 seq, u32 flags, int sk_ino)
+			u32 portid, u32 seq, u32 flags, int sk_ino, int cmd)
 {
 	struct nlmsghdr *nlh;
 	struct packet_diag_msg *rp;
 	struct packet_sock *po = pkt_sk(sk);
 
-	nlh = nlmsg_put(skb, portid, seq, SOCK_DIAG_BY_FAMILY, sizeof(*rp), flags);
+	nlh = nlmsg_put(skb, portid, seq, cmd, sizeof(*rp), flags);
 	if (!nlh)
 		return -EMSGSIZE;
 
@@ -149,7 +149,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 			pdiag_put_info(po, skb))
 		goto out_nlmsg_trim;
 
-	if ((req->pdiag_show & PACKET_SHOW_INFO) &&
+	if ((req->pdiag_show & PACKET_SHOW_INFO) && user_ns &&
 	    nla_put_u32(skb, PACKET_DIAG_UID,
 			from_kuid_munged(user_ns, sock_i_uid(sk))))
 		goto out_nlmsg_trim;
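Review bot: A NULL user_ns now has a defined meaning for sk_diag_fill — the uid attribute on these lines and the filter attribute further down are silently skipped — but that contract is not written down, and the function's signature is in the previous hunk. I'd put a header comment on the function, e.g. `/* user_ns may be NULL when there is no requesting socket (async notifications); uid and filter attributes are then omitted since they can neither be translated nor access-checked. */`.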
@@ -170,7 +170,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 	    sock_diag_put_meminfo(sk, skb, PACKET_DIAG_MEMINFO))
 		goto out_nlmsg_trim;
 
-	if ((req->pdiag_show & PACKET_SHOW_FILTER) &&
+	if ((req->pdiag_show & PACKET_SHOW_FILTER) && user_ns &&
 	    sock_diag_put_filterinfo(user_ns, sk, skb, PACKET_DIAG_FILTER))
 		goto out_nlmsg_trim;
 
@@ -202,7 +202,7 @@ static int packet_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
 				 sk_user_ns(NETLINK_CB(cb->skb).sk),
 				 NETLINK_CB(cb->skb).portid,
 				 cb->nlh->nlmsg_seq, NLM_F_MULTI,
-				 sock_i_ino(sk)) < 0)
+				 sock_i_ino(sk), SOCK_DIAG_BY_FAMILY) < 0)
 			goto done;
 next:
 		num++;
@@ -237,9 +237,29 @@ static int packet_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
 		return -EOPNOTSUPP;
 }
 
+static int packet_diag_handler_notify(struct sk_buff *skb, struct sock *sk,
+				      bool create)
+{
+	struct packet_diag_req req;
+	int err, cmd;
+
+	memset(&req, 0, sizeof(struct packet_diag_req));
+	if (create) {
+		req.pdiag_show |= PACKET_SHOW_INFO | PACKET_SHOW_MCLIST;
+		req.pdiag_show |= PACKET_SHOW_RING_CFG | PACKET_SHOW_FANOUT;
+		req.pdiag_show |= PACKET_SHOW_MEMINFO | PACKET_SHOW_FILTER;
+		cmd = SOCK_DIAG_BY_FAMILY;
+	} else
+		cmd = SOCK_DIAG_BY_FAMILY_DEL;
+
+	err = sk_diag_fill(sk, skb, &req, NULL, 0, 0, 0, sock_i_ino(sk), cmd);
+	return err > 0 ? 0 : err;
+}
+
 static const struct sock_diag_handler packet_diag_handler = {
 	.family = AF_PACKET,
 	.dump = packet_diag_handler_dump,
+	.notify = packet_diag_handler_notify,
 };
 
 static int __init packet_diag_init(void)
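Review bot: packet_diag_handler_notify sets PACKET_SHOW_FILTER (and PACKET_SHOW_INFO, which drives the uid) in the request mask but passes a NULL user_ns to sk_diag_fill, which skips exactly those attributes when user_ns is NULL, so the filter bit is dead code here and a reader of the mask will wrongly assume BPF programs are multicast to the group. Either drop PACKET_SHOW_FILTER from the mask or annotate it, e.g. `req.pdiag_show |= PACKET_SHOW_MEMINFO; /* no user_ns: uid and filter are never emitted here */`. The `err > 0 ? 0 : err` line relies on nlmsg_end() returning the message length on success; a one-line comment there would save the next reader a lookup. The delete message carries only the base packet_diag_msg, so a listener can correlate it with the earlier create only through the inode and cookie; worth stating in the commit message.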
-- 
1.8.2.1


* Re: [PATCH net-next v3] sock_diag: notify packet socket creation/deletion
From: David Miller @ 2013-05-20  6:29 UTC (permalink / raw)
  To: nicolas.dichtel; +Cc: xiyou.wangcong, eric.dumazet, netdev

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Fri, 17 May 2013 16:25:38 +0200

> With this patch, a netlink message is sent each time a packet socket
> is created or deleted.  The framework is generic, so it's easy to
> add the notification for other kind of sockets.
>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Just curious what you want to use this for.


* Re: [PATCH net-next v3] sock_diag: notify packet socket creation/deletion
From: Nicolas Dichtel @ 2013-05-21 15:14 UTC (permalink / raw)
  To: David Miller; +Cc: xiyou.wangcong, eric.dumazet, netdev

Le 20/05/2013 08:29, David Miller a écrit :
> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> Date: Fri, 17 May 2013 16:25:38 +0200
>
>> With this patch, a netlink message is sent each time a packet socket
>> is created or deleted.  The framework is generic, so it's easy to
>> add the notification for other kind of sockets.
>>
>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>
> Just curious what you want to use this for.
Some HW (custom FPGA, ASICs, NPUs) are able to offload packet captures, so it is 
required to notify them.


* Re: [PATCH net-next v3] sock_diag: notify packet socket creation/deletion
From: David Miller @ 2013-05-21 18:43 UTC (permalink / raw)
  To: nicolas.dichtel; +Cc: xiyou.wangcong, eric.dumazet, netdev

From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Date: Tue, 21 May 2013 17:14:50 +0200

> Le 20/05/2013 08:29, David Miller a écrit :
>> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>> Date: Fri, 17 May 2013 16:25:38 +0200
>>
>>> With this patch, a netlink message is sent each time a packet socket
>>> is created or deleted.  The framework is generic, so it's easy to
>>> add the notification for other kind of sockets.
>>>
>>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>>
>> Just curious what you want to use this for.
> Some HW (custom FPGA, ASICs, NPUs) are able to offload packet
> captures, so it is required to notify them.

I don't even want to hear about this until you have patches ready
to submit to fully support such a facility.

I'm not applying this patch, sorry.


* Re: [PATCH net-next v3] sock_diag: notify packet socket creation/deletion
From: Nicolas Dichtel @ 2013-05-22 11:49 UTC (permalink / raw)
  To: David Miller; +Cc: xiyou.wangcong, eric.dumazet, netdev

Le 21/05/2013 20:43, David Miller a écrit :
> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> Date: Tue, 21 May 2013 17:14:50 +0200
>
>> Le 20/05/2013 08:29, David Miller a écrit :
>>> From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>>> Date: Fri, 17 May 2013 16:25:38 +0200
>>>
>>>> With this patch, a netlink message is sent each time a packet socket
>>>> is created or deleted.  The framework is generic, so it's easy to
>>>> add the notification for other kind of sockets.
>>>>
>>>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>>>
>>> Just curious what you want to use this for.
>> Some HW (custom FPGA, ASICs, NPUs) are able to offload packet
>> captures, so it is required to notify them.
>
> I don't even want to hear about this until you have patches ready
> to submit to fully support such a facility.
I'm not sure I understand what you're expecting. In our case the hardware is
configured by a userspace daemon, so no other kernel patch is needed to support this.

Note that this patch is still a complete feature on its own: it allows monitoring
of AF_PACKET sockets.
With a patched iproute2:

$ ss -ap0e -M
     Netid  State      Recv-Q Send-Q 
        Local Address:Port 
  Peer Address:Port
     p_dgr  UNCONN     0      0 
                    *:* 
              *        users:(("tcpdump",8630,3)) ino=29477 uid=0 sk=f53fbc00
del p_dgr  UNCONN     0      0 
                   *:* 
             *        users:(("tcpdump",8630,3)) ino=29477 uid=0 sk=f53fbc00

Will you accept the patch if I integrate the example in the commit log?


2013-04-23 14:27 [PATCH net-next 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
2013-04-23 14:27 ` [PATCH net-next 1/5] packet_diag: disclose uid value Nicolas Dichtel
2013-04-23 14:27 ` [PATCH net-next 2/5] packet_diag: disclose meminfo values Nicolas Dichtel
2013-04-23 14:27 ` [PATCH net-next 3/5] sock_diag: allow to dump bpf filters Nicolas Dichtel
2013-04-23 15:31   ` Eric Dumazet
2013-04-23 14:27 ` [PATCH net-next 4/5] sock_diag: notify packet socket creation/deletion Nicolas Dichtel
2013-04-23 14:27 ` [PATCH net-next 5/5] sock_diag: notify when filter change Nicolas Dichtel
2013-04-24  8:05   ` Cong Wang
2013-04-24  8:13     ` Nicolas Dichtel
2013-04-24 15:52       ` [PATCH net-next v2 0/5] sock_diag: monitor packet sockets Nicolas Dichtel
2013-04-24 15:52         ` [PATCH net-next v2 1/5] packet_diag: disclose uid value Nicolas Dichtel
2013-04-24 15:52         ` [PATCH net-next v2 2/5] packet_diag: disclose meminfo values Nicolas Dichtel
2013-04-24 15:52         ` [PATCH net-next v2 3/5] sock_diag: allow to dump bpf filters Nicolas Dichtel
2013-04-24 16:22           ` Eric Dumazet
2013-04-25  5:16             ` David Miller
2013-04-25  8:37             ` Nicolas Dichtel
2013-04-25  9:00               ` David Miller
2013-04-25 13:21                 ` [PATCH net-next v3 0/4] sock_diag: monitor packet sockets Nicolas Dichtel
2013-04-25 13:21                   ` [PATCH net-next v3 1/4] packet_diag: disclose uid value Nicolas Dichtel
2013-04-25 13:21                   ` [PATCH net-next v3 2/4] packet_diag: disclose meminfo values Nicolas Dichtel
2013-04-25 13:21                   ` [PATCH net-next v3 3/4] sock_diag: do not disclose sock ptr to all users Nicolas Dichtel
2013-04-25 15:32                     ` Eric Dumazet
2013-04-25 15:36                       ` Eric Dumazet
2013-04-25 16:45                         ` Nicolas Dichtel
2013-04-25 16:57                           ` Eric Dumazet
2013-04-25 16:53                       ` [PATCH net-next v4 0/3] packet_diag: enhance advertised infos Nicolas Dichtel
2013-04-25 16:53                         ` [PATCH net-next v4 1/3] packet_diag: disclose uid value Nicolas Dichtel
2013-04-25 16:53                         ` [PATCH net-next v4 2/3] packet_diag: disclose meminfo values Nicolas Dichtel
2013-04-25 16:53                         ` [PATCH net-next v4 3/3] sock_diag: allow to dump bpf filters Nicolas Dichtel
2013-04-29 17:22                         ` [PATCH net-next v4 0/3] packet_diag: enhance advertised infos David Miller
2013-04-25 13:21                   ` [PATCH net-next v3 4/4] sock_diag: allow to dump bpf filters Nicolas Dichtel
2013-04-25 13:51               ` [PATCH net-next v2 3/5] " Eric Dumazet
2013-04-24 15:52         ` [PATCH net-next v2 4/5] sock_diag: notify packet socket creation/deletion Nicolas Dichtel
2013-05-17 14:25           ` [PATCH net-next v3] " Nicolas Dichtel
2013-05-20  6:29             ` David Miller
2013-05-21 15:14               ` Nicolas Dichtel
2013-05-21 18:43                 ` David Miller
2013-05-22 11:49                   ` Nicolas Dichtel
2013-04-24 15:52         ` [PATCH net-next v2 5/5] sock_diag: notify when filter change Nicolas Dichtel
