* [PATCH net-next 0/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_{DEL,SET}LINK
[not found] <20180123132233.6d77040b@redhat.com>
@ 2018-01-24 11:32 ` Christian Brauner
2018-01-24 11:32 ` [PATCH net-next 1/3] rtnetlink: enable IFLA_IF_NETNSID in do_setlink() Christian Brauner
2018-01-24 11:52 ` [PATCH net-next 2/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_SETLINK Christian Brauner
2018-01-24 11:53 ` [PATCH net-next 3/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_DELLINK Christian Brauner
2 siblings, 1 reply; 4+ messages in thread
From: Christian Brauner @ 2018-01-24 11:32 UTC (permalink / raw)
To: netdev
Cc: davem, dsahern, fw, daniel, lucien.xin, mschiffer,
jakub.kicinski, vyasevich, linux-kernel, stephen, jbenc,
w.bumiller, nicolas.dichtel, Christian Brauner
Hi,
Based on the previous discussion this enables passing a IFLA_IF_NETNSID
property along with RTM_SETLINK and RTM_DELLINK requests. The patch for
RTM_NEWLINK will be sent out in a separate patch since there are more
corner-cases to think about.
Best,
Christian
Christian Brauner (3):
rtnetlink: enable IFLA_IF_NETNSID in do_setlink()
rtnetlink: enable IFLA_IF_NETNSID for RTM_SETLINK
rtnetlink: enable IFLA_IF_NETNSID for RTM_DELLINK
net/core/rtnetlink.c | 97 ++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 76 insertions(+), 21 deletions(-)
--
2.14.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH net-next 1/3] rtnetlink: enable IFLA_IF_NETNSID in do_setlink()
2018-01-24 11:32 ` [PATCH net-next 0/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_{DEL,SET}LINK Christian Brauner
@ 2018-01-24 11:32 ` Christian Brauner
0 siblings, 0 replies; 4+ messages in thread
From: Christian Brauner @ 2018-01-24 11:32 UTC (permalink / raw)
To: netdev
Cc: davem, dsahern, fw, daniel, lucien.xin, mschiffer,
jakub.kicinski, vyasevich, linux-kernel, stephen, jbenc,
w.bumiller, nicolas.dichtel, Christian Brauner
RTM_{NEW,SET}LINK already allow operations on other network namespaces
by identifying the target network namespace through IFLA_NET_NS_{FD,PID}
properties. This is done by looking for the corresponding properties in
do_setlink(). Extend do_setlink() to also look for the IFLA_IF_NETNSID
property. This introduces no functional changes since all callers of
do_setlink() currently block IFLA_IF_NETNSID by reporting an error before
they reach do_setlink().
This introduces the helpers:
static struct net *rtnl_link_get_net_by_nlattr(struct net *src_net, struct
nlattr *tb[])
static struct net *rtnl_link_get_net_capable(const struct sk_buff *skb,
struct net *src_net,
struct nlattr *tb[], int cap)
to simplify permission checks and target network namespace retrieval for
RTM_* requests that already support IFLA_NET_NS_{FD,PID} but get extended
to IFLA_IF_NETNSID. To perserve backwards compatibility the helpers look
for IFLA_NET_NS_{FD,PID} properties first before checking for
IFLA_IF_NETNSID.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
net/core/rtnetlink.c | 54 +++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 47 insertions(+), 7 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 16d644a4f974..54134187485b 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1893,6 +1893,49 @@ struct net *rtnl_link_get_net(struct net *src_net, struct nlattr *tb[])
}
EXPORT_SYMBOL(rtnl_link_get_net);
+/* Figure out which network namespace we are talking about by
+ * examining the link attributes in the following order:
+ *
+ * 1. IFLA_NET_NS_PID
+ * 2. IFLA_NET_NS_FD
+ * 3. IFLA_IF_NETNSID
+ */
+static struct net *rtnl_link_get_net_by_nlattr(struct net *src_net,
+ struct nlattr *tb[])
+{
+ struct net *net;
+
+ if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD])
+ return rtnl_link_get_net(src_net, tb);
+
+ if (!tb[IFLA_IF_NETNSID])
+ return get_net(src_net);
+
+ net = get_net_ns_by_id(src_net, nla_get_u32(tb[IFLA_IF_NETNSID]));
+ if (!net)
+ return ERR_PTR(-EINVAL);
+
+ return net;
+}
+
+static struct net *rtnl_link_get_net_capable(const struct sk_buff *skb,
+ struct net *src_net,
+ struct nlattr *tb[], int cap)
+{
+ struct net *net;
+
+ net = rtnl_link_get_net_by_nlattr(src_net, tb);
+ if (IS_ERR(net))
+ return net;
+
+ if (!netlink_ns_capable(skb, net->user_ns, cap)) {
+ put_net(net);
+ return ERR_PTR(-EPERM);
+ }
+
+ return net;
+}
+
static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[])
{
if (dev) {
@@ -2155,17 +2198,14 @@ static int do_setlink(const struct sk_buff *skb,
const struct net_device_ops *ops = dev->netdev_ops;
int err;
- if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD]) {
- struct net *net = rtnl_link_get_net(dev_net(dev), tb);
+ if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD] || tb[IFLA_IF_NETNSID]) {
+ struct net *net = rtnl_link_get_net_capable(skb, dev_net(dev),
+ tb, CAP_NET_ADMIN);
if (IS_ERR(net)) {
err = PTR_ERR(net);
goto errout;
}
- if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) {
- put_net(net);
- err = -EPERM;
- goto errout;
- }
+
err = dev_change_net_namespace(dev, net, ifname);
put_net(net);
if (err)
--
2.14.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH net-next 2/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_SETLINK
[not found] <20180123132233.6d77040b@redhat.com>
2018-01-24 11:32 ` [PATCH net-next 0/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_{DEL,SET}LINK Christian Brauner
@ 2018-01-24 11:52 ` Christian Brauner
2018-01-24 11:53 ` [PATCH net-next 3/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_DELLINK Christian Brauner
2 siblings, 0 replies; 4+ messages in thread
From: Christian Brauner @ 2018-01-24 11:52 UTC (permalink / raw)
To: netdev
Cc: davem, dsahern, fw, daniel, lucien.xin, mschiffer,
jakub.kicinski, vyasevich, linux-kernel, jbenc, w.bumiller,
nicolas.dichtel, Christian Brauner
- Backwards Compatibility:
If userspace wants to determine whether RTM_SETLINK supports the
IFLA_IF_NETNSID property they should first send an RTM_GETLINK request
with IFLA_IF_NETNSID on lo. If either EACCESS is returned or the reply
does not include IFLA_IF_NETNSID userspace should assume that
IFLA_IF_NETNSID is not supported on this kernel.
If the reply does contain an IFLA_IF_NETNSID property userspace
can send an RTM_SETLINK with a IFLA_IF_NETNSID property. If they receive
EOPNOTSUPP then the kernel does not support the IFLA_IF_NETNSID property
with RTM_SETLINK. Userpace should then fallback to other means.
To retain backwards compatibility the kernel will first check whether a
IFLA_NET_NS_PID or IFLA_NET_NS_FD property has been passed. If either
one is found it will be used to identify the target network namespace.
This implies that users who do not care whether their running kernel
supports IFLA_IF_NETNSID with RTM_SETLINK can pass both
IFLA_NET_NS_{FD,PID} and IFLA_IF_NETNSID referring to the same network
namespace.
- Security:
Callers must have CAP_NET_ADMIN in the owning user namespace of the
target network namespace.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
net/core/rtnetlink.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 54134187485b..a4d4409685e3 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2546,9 +2546,6 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
if (err < 0)
goto errout;
- if (tb[IFLA_IF_NETNSID])
- return -EOPNOTSUPP;
-
if (tb[IFLA_IFNAME])
nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
else
--
2.14.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH net-next 3/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_DELLINK
[not found] <20180123132233.6d77040b@redhat.com>
2018-01-24 11:32 ` [PATCH net-next 0/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_{DEL,SET}LINK Christian Brauner
2018-01-24 11:52 ` [PATCH net-next 2/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_SETLINK Christian Brauner
@ 2018-01-24 11:53 ` Christian Brauner
2 siblings, 0 replies; 4+ messages in thread
From: Christian Brauner @ 2018-01-24 11:53 UTC (permalink / raw)
To: netdev
Cc: davem, dsahern, fw, daniel, lucien.xin, mschiffer,
jakub.kicinski, vyasevich, linux-kernel, jbenc, w.bumiller,
nicolas.dichtel, Christian Brauner
- Backwards Compatibility:
If userspace wants to determine whether RTM_DELLINK supports the
IFLA_IF_NETNSID property they should first send an RTM_GETLINK request
with IFLA_IF_NETNSID on lo. If either EACCESS is returned or the reply
does not include IFLA_IF_NETNSID userspace should assume that
IFLA_IF_NETNSID is not supported on this kernel.
If the reply does contain an IFLA_IF_NETNSID property userspace
can send an RTM_DELLINK with a IFLA_IF_NETNSID property. If they receive
EOPNOTSUPP then the kernel does not support the IFLA_IF_NETNSID property
with RTM_DELLINK. Userpace should then fallback to other means.
- Security:
Callers must have CAP_NET_ADMIN in the owning user namespace of the
target network namespace.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
net/core/rtnetlink.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index a4d4409685e3..17f7c3508a0c 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2630,36 +2630,54 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
struct netlink_ext_ack *extack)
{
struct net *net = sock_net(skb->sk);
- struct net_device *dev;
+ struct net *tgt_net = net;
+ struct net_device *dev = NULL;
struct ifinfomsg *ifm;
char ifname[IFNAMSIZ];
struct nlattr *tb[IFLA_MAX+1];
int err;
+ int netnsid = -1;
err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy, extack);
if (err < 0)
return err;
- if (tb[IFLA_IF_NETNSID])
- return -EOPNOTSUPP;
-
if (tb[IFLA_IFNAME])
nla_strlcpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
+ if (tb[IFLA_IF_NETNSID]) {
+ netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]);
+ tgt_net = get_target_net(NETLINK_CB(skb).sk, netnsid);
+ if (IS_ERR(tgt_net))
+ return PTR_ERR(tgt_net);
+ }
+
+ err = -EINVAL;
ifm = nlmsg_data(nlh);
if (ifm->ifi_index > 0)
- dev = __dev_get_by_index(net, ifm->ifi_index);
+ dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
else if (tb[IFLA_IFNAME])
- dev = __dev_get_by_name(net, ifname);
+ dev = __dev_get_by_name(tgt_net, ifname);
else if (tb[IFLA_GROUP])
- return rtnl_group_dellink(net, nla_get_u32(tb[IFLA_GROUP]));
+ err = rtnl_group_dellink(tgt_net, nla_get_u32(tb[IFLA_GROUP]));
else
- return -EINVAL;
+ goto out;
- if (!dev)
- return -ENODEV;
+ if (!dev) {
+ if (tb[IFLA_GROUP])
+ goto out;
- return rtnl_delete_link(dev);
+ err = -ENODEV;
+ goto out;
+ }
+
+ err = rtnl_delete_link(dev);
+
+out:
+ if (netnsid >= 0)
+ put_net(tgt_net);
+
+ return err;
}
int rtnl_configure_link(struct net_device *dev, const struct ifinfomsg *ifm)
--
2.14.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-01-24 11:53 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20180123132233.6d77040b@redhat.com>
2018-01-24 11:32 ` [PATCH net-next 0/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_{DEL,SET}LINK Christian Brauner
2018-01-24 11:32 ` [PATCH net-next 1/3] rtnetlink: enable IFLA_IF_NETNSID in do_setlink() Christian Brauner
2018-01-24 11:52 ` [PATCH net-next 2/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_SETLINK Christian Brauner
2018-01-24 11:53 ` [PATCH net-next 3/3] rtnetlink: enable IFLA_IF_NETNSID for RTM_DELLINK Christian Brauner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).