Re: [PATCH V2] netlink: Add netns check on taps

2017-12-11 Thread Michal Kubecek 
On Mon, Dec 11, 2017 at 11:58:37AM -0500, David Miller wrote:
> From: Michal Kubecek 
> Date: Mon, 11 Dec 2017 17:13:50 +0100
> 
> > On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
> >> From: Kevin Cernekee 
> >> Date: Wed,  6 Dec 2017 12:12:27 -0800
> >> 
> >> > Currently, a nlmon link inside a child namespace can observe systemwide
> >> > netlink activity.  Filter the traffic so that nlmon can only sniff
> >> > netlink messages from its own netns.
> >> > 
> >> > Test case:
> >> > 
> >> > vpnns -- bash -c "ip link add nlmon0 type nlmon; \
> >> >   ip link set nlmon0 up; \
> >> >   tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
> >> > sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
> >> > spi 0x1 mode transport \
> >> > auth sha1 0x616263313233 \
> >> > enc aes 0x
> >> > grep --binary abc123 /tmp/nlmon.pcap
> >> > 
> >> > Signed-off-by: Kevin Cernekee 
> >> 
> >> Applied and queued up for -stable, thanks Kevin.
> > 
> > David,
> > 
> > this patch is marked as accepted in patchworks and listed in
> > 
> >   http://patchwork.ozlabs.org/bundle/davem/stable/?state=*
> > 
> > but it's not in the net tree. Is there a problem with it?
> 
> Sorry, it should be there now.

Thank you,

Michal Kubecek

Re: [PATCH V2] netlink: Add netns check on taps

2017-12-11 Thread David Miller 
From: Michal Kubecek 
Date: Mon, 11 Dec 2017 17:13:50 +0100

> On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
>> From: Kevin Cernekee 
>> Date: Wed,  6 Dec 2017 12:12:27 -0800
>> 
>> > Currently, a nlmon link inside a child namespace can observe systemwide
>> > netlink activity.  Filter the traffic so that nlmon can only sniff
>> > netlink messages from its own netns.
>> > 
>> > Test case:
>> > 
>> > vpnns -- bash -c "ip link add nlmon0 type nlmon; \
>> >   ip link set nlmon0 up; \
>> >   tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
>> > sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
>> > spi 0x1 mode transport \
>> > auth sha1 0x616263313233 \
>> > enc aes 0x
>> > grep --binary abc123 /tmp/nlmon.pcap
>> > 
>> > Signed-off-by: Kevin Cernekee 
>> 
>> Applied and queued up for -stable, thanks Kevin.
> 
> David,
> 
> this patch is marked as accepted in patchworks and listed in
> 
>   http://patchwork.ozlabs.org/bundle/davem/stable/?state=*
> 
> but it's not in the net tree. Is there a problem with it?

Sorry, it should be there now.

Thanks.

Re: [PATCH V2] netlink: Add netns check on taps

2017-12-11 Thread Michal Kubecek 
On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
> From: Kevin Cernekee 
> Date: Wed,  6 Dec 2017 12:12:27 -0800
> 
> > Currently, a nlmon link inside a child namespace can observe systemwide
> > netlink activity.  Filter the traffic so that nlmon can only sniff
> > netlink messages from its own netns.
> > 
> > Test case:
> > 
> > vpnns -- bash -c "ip link add nlmon0 type nlmon; \
> >   ip link set nlmon0 up; \
> >   tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
> > sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
> > spi 0x1 mode transport \
> > auth sha1 0x616263313233 \
> > enc aes 0x
> > grep --binary abc123 /tmp/nlmon.pcap
> > 
> > Signed-off-by: Kevin Cernekee 
> 
> Applied and queued up for -stable, thanks Kevin.

David,

this patch is marked as accepted in patchworks and listed in

  http://patchwork.ozlabs.org/bundle/davem/stable/?state=*

but it's not in the net tree. Is there a problem with it?

Michal Kubecek

Re: [PATCH V2] netlink: Add netns check on taps

2017-12-06 Thread David Miller 
From: Kevin Cernekee 
Date: Wed,  6 Dec 2017 12:12:27 -0800

> Currently, a nlmon link inside a child namespace can observe systemwide
> netlink activity.  Filter the traffic so that nlmon can only sniff
> netlink messages from its own netns.
> 
> Test case:
> 
> vpnns -- bash -c "ip link add nlmon0 type nlmon; \
>   ip link set nlmon0 up; \
>   tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
> sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
> spi 0x1 mode transport \
> auth sha1 0x616263313233 \
> enc aes 0x
> grep --binary abc123 /tmp/nlmon.pcap
> 
> Signed-off-by: Kevin Cernekee 

Applied and queued up for -stable, thanks Kevin.

[PATCH V2] netlink: Add netns check on taps

2017-12-06 Thread Kevin Cernekee 
Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity.  Filter the traffic so that nlmon can only sniff
netlink messages from its own netns.

Test case:

vpnns -- bash -c "ip link add nlmon0 type nlmon; \
  ip link set nlmon0 up; \
  tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
spi 0x1 mode transport \
auth sha1 0x616263313233 \
enc aes 0x
grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee 
---
 net/netlink/af_netlink.c | 3 +++
 1 file changed, 3 insertions(+)


V1->V2: Drop the special exception for init_net.
Compile-tested only, will retest later today.


diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index b9e0ee4..79cc1bf 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
struct sock *sk = skb->sk;
int ret = -ENOMEM;
 
+   if (!net_eq(dev_net(dev), sock_net(sk)))
+   return 0;
+
dev_hold(dev);
 
if (is_vmalloc_addr(skb->head))
-- 
2.7.4