[patch 1/2] net namespace : assign IP address to specified nsproxy child [message #17389 is a reply to message #17388] Fri, 26 January 2007 09:52 Go to previous messageGo to previous message
From: Daniel Lezcano <dlezcano@fr.ibm.com>

All IP configuration is done in the L2 namespace. The L3 namespace gains visibility of an IP address when that address is assigned from the L2 parent namespace to the L3 child.
In order to be able to find an L3 child, the namespace identifier should be used to retrieve the namespace.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

---
 net/core/net_namespace.c |   24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

Index: 2.6.20-rc4-mm1/net/core/net_namespace.c
===================================================================
--- 2.6.20-rc4-mm1.orig/net/core/net_namespace.c
+++ 2.6.20-rc4-mm1/net/core/net_namespace.c
@@ -15,6 +15,7 @@
 #include <linux/inetdevice.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
+#include <linux/capability.h>
 
 #include <net/ip_fib.h>
 #include <net/sock.h>
@@ -57,8 +58,8 @@
 
 	kref_init(&ns->kref);
 	if ((push_net_ns(ns)) != old_ns)
-
 		BUG();
+
 	if (level ==  NET_NS_LEVEL2) {
 		ns->dev_base_p = NULL;
 		ns->dev_tail_p = &ns->dev_base_p;
@@ -200,25 +201,36 @@
 {
 	struct ifreq ifr;
 	struct sockaddr_in *sin = (struct sockaddr_in *)&ifr.ifr_addr;
-	struct net_namespace *net_ns = current_net_ns;
+	struct net_namespace *net_ns;
+	struct nsproxy *nsproxy;
 	struct net_device *dev;
 	struct in_device *in_dev;
 	struct in_ifaddr **ifap = NULL;
 	struct in_ifaddr *ifa = NULL;
 	char *colon;
-	int err;
+	int err, id = 0;
 
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
 
-	if (net_ns->level != NET_NS_LEVEL3)
-		return -EPERM;
-
 	if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
 		return -EFAULT;
 
 	ifr.ifr_name[IFNAMSIZ - 1] = 0;
+	id = sin->sin_port;
 
+	nsproxy = find_nsproxy_by_id(id);
+	if (!nsproxy)
+		return -ESRCH;
+
+	net_ns = nsproxy->net_ns;
+	put_nsproxy(nsproxy);
+
+	if (net_ns->parent != current_net_ns)
+		return -EPERM;
+
+	if (net_ns->level != NET_NS_LEVEL3)
+		return -EINVAL;
 
 	colon = strchr(ifr.ifr_name, ':');
 	if (colon)
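Review bot: `net_ns` is dereferenced after `put_nsproxy(nsproxy)` has dropped the only reference this function visibly holds, so if the target nsproxy goes away concurrently, the `net_ns->parent` and `net_ns->level` checks and any later use of `net_ns` may read freed memory. Unless find_nsproxy_by_id() or a lock not shown here keeps the namespace pinned, take a reference on `net_ns` before the put (the struct carries a kref, per `kref_init(&ns->kref)` in the earlier hunk) and release it on every return path. Separately, `id = sin->sin_port;` reuses a 16-bit, nominally network-byte-order field of the user-supplied ifreq as the namespace identifier, which silently limits ids to 16 bits and deserves a comment such as `/* sin_port carries the target nsproxy id, not a port */`. The function begins before this hunk and continues after it, so its exit paths cannot be checked from here.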

-- 
_______________________________________________
Containers mailing list
Containers@lists.osdl.org
https://lists.osdl.org/mailman/listinfo/containers
 