Re: [PATCH V2] netlink: Add netns check on taps
On Mon, Dec 11, 2017 at 11:58:37AM -0500, David Miller wrote:
> From: Michal Kubecek
> Date: Mon, 11 Dec 2017 17:13:50 +0100
>
> > On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
> >> From: Kevin Cernekee
> >> Date: Wed, 6 Dec 2017 12:12:27 -0800
> >>
> >> > Currently, a nlmon link inside a child namespace can observe systemwide
> >> > netlink activity. Filter the traffic so that nlmon can only sniff
> >> > netlink messages from its own netns.
> >> >
> >> > Test case:
> >> >
> >> >     vpnns -- bash -c "ip link add nlmon0 type nlmon; \
> >> >                       ip link set nlmon0 up; \
> >> >                       tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
> >> >     sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
> >> >         spi 0x1 mode transport \
> >> >         auth sha1 0x616263313233 \
> >> >         enc aes 0x
> >> >     grep --binary abc123 /tmp/nlmon.pcap
> >> >
> >> > Signed-off-by: Kevin Cernekee
> >>
> >> Applied and queued up for -stable, thanks Kevin.
> >
> > David,
> >
> > this patch is marked as accepted in patchworks and listed in
> >
> > http://patchwork.ozlabs.org/bundle/davem/stable/?state=*
> >
> > but it's not in the net tree. Is there a problem with it?
>
> Sorry, it should be there now.

Thank you,
Michal Kubecek
Re: [PATCH V2] netlink: Add netns check on taps
From: Michal Kubecek
Date: Mon, 11 Dec 2017 17:13:50 +0100

> On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
>> From: Kevin Cernekee
>> Date: Wed, 6 Dec 2017 12:12:27 -0800
>>
>> > Currently, a nlmon link inside a child namespace can observe systemwide
>> > netlink activity. Filter the traffic so that nlmon can only sniff
>> > netlink messages from its own netns.
>> >
>> > Test case:
>> >
>> >     vpnns -- bash -c "ip link add nlmon0 type nlmon; \
>> >                       ip link set nlmon0 up; \
>> >                       tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
>> >     sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
>> >         spi 0x1 mode transport \
>> >         auth sha1 0x616263313233 \
>> >         enc aes 0x
>> >     grep --binary abc123 /tmp/nlmon.pcap
>> >
>> > Signed-off-by: Kevin Cernekee
>>
>> Applied and queued up for -stable, thanks Kevin.
>
> David,
>
> this patch is marked as accepted in patchworks and listed in
>
> http://patchwork.ozlabs.org/bundle/davem/stable/?state=*
>
> but it's not in the net tree. Is there a problem with it?

Sorry, it should be there now.

Thanks.
Re: [PATCH V2] netlink: Add netns check on taps
On Wed, Dec 06, 2017 at 03:57:14PM -0500, David Miller wrote:
> From: Kevin Cernekee
> Date: Wed, 6 Dec 2017 12:12:27 -0800
>
> > Currently, a nlmon link inside a child namespace can observe systemwide
> > netlink activity. Filter the traffic so that nlmon can only sniff
> > netlink messages from its own netns.
> >
> > Test case:
> >
> >     vpnns -- bash -c "ip link add nlmon0 type nlmon; \
> >                       ip link set nlmon0 up; \
> >                       tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
> >     sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
> >         spi 0x1 mode transport \
> >         auth sha1 0x616263313233 \
> >         enc aes 0x
> >     grep --binary abc123 /tmp/nlmon.pcap
> >
> > Signed-off-by: Kevin Cernekee
>
> Applied and queued up for -stable, thanks Kevin.

David,

this patch is marked as accepted in patchworks and listed in

http://patchwork.ozlabs.org/bundle/davem/stable/?state=*

but it's not in the net tree. Is there a problem with it?

Michal Kubecek
Re: [PATCH V2] netlink: Add netns check on taps
From: Kevin Cernekee
Date: Wed, 6 Dec 2017 12:12:27 -0800

> Currently, a nlmon link inside a child namespace can observe systemwide
> netlink activity. Filter the traffic so that nlmon can only sniff
> netlink messages from its own netns.
>
> Test case:
>
>     vpnns -- bash -c "ip link add nlmon0 type nlmon; \
>                       ip link set nlmon0 up; \
>                       tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
>     sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
>         spi 0x1 mode transport \
>         auth sha1 0x616263313233 \
>         enc aes 0x
>     grep --binary abc123 /tmp/nlmon.pcap
>
> Signed-off-by: Kevin Cernekee

Applied and queued up for -stable, thanks Kevin.
[PATCH V2] netlink: Add netns check on taps
Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity. Filter the traffic so that nlmon can only sniff
netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x616263313233 \
        enc aes 0x
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee
---
 net/netlink/af_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

V1->V2: Drop the special exception for init_net. Compile-tested only,
will retest later today.

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index b9e0ee4..79cc1bf 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb, struct sock *sk = skb->sk; int ret = -ENOMEM; + if (!net_eq(dev_net(dev), sock_net(sk))) + return 0; + dev_hold(dev); if (is_vmalloc_addr(skb->head))
--
2.7.4
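Review bot: the V1->V2 note "Drop the special exception for init_net" sits below the `---` line, so it will not survive into the commit history even though it is a user-visible behaviour change (with the new `net_eq(dev_net(dev), sock_net(sk))` check and no init_net carve-out, an nlmon device in the initial namespace also stops seeing other namespaces' netlink traffic); please state that in the commit message proper, and since the same note says "Compile-tested only", confirm the test case above was re-run against V2 before it is queued for -stable. In the hunk itself, placing `return 0;` ahead of `dev_hold(dev);` correctly avoids taking a device reference that would never be dropped, but a one-line comment that 0 here means "not for this tap, carry on with the others" rather than an error would help, given that `ret` is initialised to `-ENOMEM` two lines above.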