On 5/18/20 4:53 PM, Valeriy Vdovin wrote:
> 'vz_security_protocol_check' is a part of the socket creation routine.
> Socket creation can be split into separate stages:
> - family validation and family specific object creation
> - protocol validation and protocol specific object creation
> First the family argument is validated. If the family is ok, then the code
> can proceed to further work with the protocol argument.
>
> As part of the family validation procedure for containers
> vz_security_family_check is called. If the family is not supported in
> the container environment and the current context is a container, the
> function returns with the -EAFNOSUPPORT code.
>
> As part of the protocol validation procedure for containers
> vz_security_protocol_check is called. If the protocol is not supported
> in the container environment and the current context is a container, the
> function CURRENTLY returns with the -EAFNOSUPPORT code, although by
> the context of the current socket preparation step it should instead
> return -EPROTONOSUPPORT.
>
> https://jira.sw.ru/browse/PSBM-104225
> Signed-off-by: Valeriy Vdovin <[email protected]>
> ---
> kernel/ve/ve.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
> index bf9f06d..a94d9cf 100644
> --- a/kernel/ve/ve.c
> +++ b/kernel/ve/ve.c
> @@ -1059,7 +1059,7 @@ int vz_security_protocol_check(struct net *net, int
> protocol)
> case IPPROTO_SCTP:
> return 0;
> default:
> - return -EAFNOSUPPORT;
> + return -EPROTONOSUPPORT;
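Review bot: the `default:` branch changed in this hunk covers every protocol without its own `case`, so swapping `-EAFNOSUPPORT` for `-EPROTONOSUPPORT` alters the errno that all existing container callers see for any unlisted protocol at once; the commit message argues the new code is semantically right for the protocol-validation step, but it does not say which userspace consumer behind PSBM-104225 needs `-EPROTONOSUPPORT`, nor whether any existing caller of `vz_security_protocol_check()` tests for `-EAFNOSUPPORT`. Please state both in the message, and if only one protocol is at issue, a dedicated `case IPPROTO_...: return -EPROTONOSUPPORT;` placed above `default:` would confine the behaviour change to that protocol.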
I do not like this change: this check has worked well for ages and is well
tested by a huge number of tools and applications, and we are changing it
just to satisfy some new version of _one_ userspace tool, which is
_not_critical_ for us at all.

Please take a look at old related bugs
https://jira.sw.ru/browse/PSBM-37418
https://jira.sw.ru/browse/PSBM-47413

The last one fixed a similar problem by using the following hunk, which is
still present in vz6:

@@ -1247,6 +1247,8 @@ int vz_security_protocol_check(int protocol)
case IPPROTO_ESP:
case IPPROTO_AH:
break;
+ case IPPROTO_ICMP:
+ return -EACCES;
default:
return -EAFNOSUPPORT;
}

I think it's better to add a similar check for ICMP6 and not change the
default error code.

Thank you,
Vasily Averin
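Review bot: in the quoted vz6 hunk the ICMP denial is a dedicated `case IPPROTO_ICMP: return -EACCES;` rather than a change to `default:`; if the same treatment is extended to ICMPv6 as proposed, the new `case IPPROTO_ICMPV6:` should sit directly beside `case IPPROTO_ICMP:` and share that `return -EACCES;`, so both ICMP variants fail identically while `default:` keeps returning `-EAFNOSUPPORT`.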
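The whole disagreement above is about which errno userspace sees for a socket() that a container policy rejects, and the only way to know what a given kernel actually returns is to ask it. The following is an added example, not code from the patch, the reply or the OpenVZ tree: a small userspace probe that tries a constructed list of (family, type, protocol) triples and maps the resulting errno onto the creation stage the commit message describes (EAFNOSUPPORT for the family stage, EPROTONOSUPPORT for the protocol stage, EACCES or EPERM for a policy or privilege denial such as the vz6 IPPROTO_ICMP case). The function names `probe_socket` and `reject_stage`, the `probes` table and the bogus family number 4000 are this example's own choices.

```c
/* Added example, not from the patch or the OpenVZ tree: report which stage
 * of socket() creation rejected each probe, using the errno split discussed
 * in the thread. Function and table names are this example's own.
 * Build: cc -Wall -o sockprobe sockprobe.c */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try one (family, type, protocol) triple. Returns 0 on success or the
 * positive errno that socket() set; a created descriptor is closed at once. */
int probe_socket(int family, int type, int protocol)
{
	int fd = socket(family, type, protocol);
	if (fd < 0)
		return errno;
	close(fd);
	return 0;
}

/* Map an errno from probe_socket() onto the creation stage that produced it. */
const char *reject_stage(int err)
{
	switch (err) {
	case 0:
		return "accepted";
	case EAFNOSUPPORT:
		return "family stage (address family rejected)";
	case EPROTONOSUPPORT:
		return "protocol stage (protocol rejected)";
	case ESOCKTNOSUPPORT:
		return "protocol stage (socket type rejected)";
	case EACCES:
	case EPERM:
		return "policy/privilege denial";
	default:
		return "other";
	}
}

struct probe {
	const char *name;
	int family, type, protocol;
};

/* Constructed probe list covering each outcome the thread distinguishes. */
static const struct probe probes[] = {
	{ "AF_INET/SOCK_DGRAM/UDP",    AF_INET,  SOCK_DGRAM,  IPPROTO_UDP },
	/* SOCK_STREAM has no UDP entry: rejected at the protocol stage */
	{ "AF_INET/SOCK_STREAM/UDP",   AF_INET,  SOCK_STREAM, IPPROTO_UDP },
	/* raw sockets need CAP_NET_RAW: EPERM unprivileged; EACCES in a vz6 CT */
	{ "AF_INET/SOCK_RAW/ICMP",     AF_INET,  SOCK_RAW,    IPPROTO_ICMP },
	{ "AF_INET6/SOCK_RAW/ICMPV6",  AF_INET6, SOCK_RAW,    IPPROTO_ICMPV6 },
	/* family number beyond the registered range: rejected at the family stage */
	{ "family 4000/SOCK_DGRAM/0",  4000,     SOCK_DGRAM,  0 },
};

int main(void)
{
	for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
		int err = probe_socket(probes[i].family, probes[i].type,
				       probes[i].protocol);
		printf("%-26s -> %s (%s)\n", probes[i].name, reject_stage(err),
		       err ? strerror(err) : "ok");
	}
	return 0;
}
```

Run it once on the host and once inside a container: the family and protocol rows show the errno each stage hands back on that kernel, and the ICMP rows show whether the container policy answers with a dedicated EACCES (as in the vz6 hunk) or with the generic default. The change under discussion would move every unlisted protocol from the "family stage" line to the "protocol stage" line inside containers, which is exactly the user-visible difference the thread is weighing.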
