| From foo@baz Sun Dec 31 11:13:15 CET 2017 |
| From: Kevin Cernekee <cernekee@chromium.org> |
| Date: Wed, 6 Dec 2017 12:12:27 -0800 |
| Subject: netlink: Add netns check on taps |
| |
| From: Kevin Cernekee <cernekee@chromium.org> |
| |
| |
| [ Upstream commit 93c647643b48f0131f02e45da3bd367d80443291 ] |
| |
| Currently, a nlmon link inside a child namespace can observe systemwide |
| netlink activity. Filter the traffic so that nlmon can only sniff |
| netlink messages from its own netns. |
| |
| Test case: |
| |
| vpnns -- bash -c "ip link add nlmon0 type nlmon; \ |
| ip link set nlmon0 up; \ |
| tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" & |
| sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \ |
| spi 0x1 mode transport \ |
| auth sha1 0x6162633132330000000000000000000000000000 \ |
| enc aes 0x00000000000000000000000000000000 |
| grep --binary abc123 /tmp/nlmon.pcap |
| |
| Signed-off-by: Kevin Cernekee <cernekee@chromium.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/netlink/af_netlink.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/net/netlink/af_netlink.c |
| +++ b/net/netlink/af_netlink.c |
| @@ -261,6 +261,9 @@ static int __netlink_deliver_tap_skb(str |
| struct sock *sk = skb->sk; |
| int ret = -ENOMEM; |
| |
| + if (!net_eq(dev_net(dev), sock_net(sk))) |
| + return 0; |
| + |
| dev_hold(dev); |
| |
| if (is_vmalloc_addr(skb->head)) |
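Review bot: the bare `return 0` on a netns mismatch is undocumented; a one-line comment above the `net_eq()` test (for example `/* taps only see traffic from their own netns; skip silently */`) would record that returning 0 rather than an error is deliberate, since the check runs before `ret` is meaningfully used and a reader may otherwise be tempted to turn the skip into a failure. Placing the check ahead of `dev_hold(dev)` is the right ordering: the skip path returns before the device reference is taken, so it needs no matching `dev_put()` and cannot leak a reference on the nlmon device.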