[Devel] [PATCH rh8 1/2] netlink: protect NETLINK_REPAIR

Andrey Zhadchenko Wed, 11 Nov 2020 03:11:57 -0800

Prevent using netlink repair mode from containers.

Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
---
 net/netlink/af_netlink.c | 7 +++++++
 1 file changed, 7 insertions(+)


diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 46c2dbd..2b9e9c7 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1670,6 +1670,13 @@ static int netlink_setsockopt(struct socket *sock, int 
level, int optname,
 
        switch (optname) {
        case NETLINK_REPAIR:
+#ifdef CONFIG_VE
+               {
+                       struct ve_struct *ve = get_exec_env();
+                       if (!ve_is_super(ve) && !ve->is_pseudosuper)
+                               return -ENOPROTOOPT;
+               }
+#endif
                if (val)
                        nlk->flags |= NETLINK_F_REPAIR;
                else
-- 
1.8.3.1

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel

[Devel] [PATCH rh8 1/2] netlink: protect NETLINK_REPAIR

Reply via email to