On Tue, Apr 13, 2021 at 03:08:48AM -0400, Jonathon Reinhart wrote:
> Currently, tcp_allowed_congestion_control is global and writable;
> writing to it in any net namespace will leak into all other net
> namespaces.
>
> tcp_available_congestion_control and tcp_allowed_congestion_control are
> the o
where they have to
> be restored, then CRIU will restore network namespaces and move devices
> into them. The problem is that devices have to be restored with the same
> indexes that they have before C/R.
>
> Cc: Alexander Mikhalitsyn
> Suggested-by: Christian Brauner
> Reviewed
where they have to
> be restored, then CRIU will restore network namespaces and move devices
> into them. The problem is that devices have to be restored with the same
> indexes that they have before C/R.
>
> Cc: Alexander Mikhalitsyn
> Suggested-by: Christian Brauner
> Signed-of
er Mikhalitsyn
> Suggested-by: Christian Brauner
> Signed-off-by: Andrei Vagin
> ---
Thank you for doing this! This will really help a lot of people with
using CRIU's network dump+restore capabilities.
It might be worth pointing out that the ifindex of a netdev can already
change d
On Wed, Mar 31, 2021 at 09:59:07PM +0800, Yongji Xie wrote:
> On Wed, Mar 31, 2021 at 8:23 PM Christian Brauner
> wrote:
> >
> > On Wed, Mar 31, 2021 at 07:32:33PM +0800, Yongji Xie wrote:
> > > On Wed, Mar 31, 2021 at 5:15 PM Christian Brauner
> > > wrote:
On Wed, Mar 31, 2021 at 07:32:33PM +0800, Yongji Xie wrote:
> On Wed, Mar 31, 2021 at 5:15 PM Christian Brauner
> wrote:
> >
> > On Wed, Mar 31, 2021 at 04:05:10PM +0800, Xie Yongji wrote:
> > > Export receive_fd() so that some modules can use
> > > it to pa
On Wed, Mar 31, 2021 at 12:26:24PM +0300, Dan Carpenter wrote:
> On Wed, Mar 31, 2021 at 11:15:45AM +0200, Christian Brauner wrote:
> > On Wed, Mar 31, 2021 at 04:05:10PM +0800, Xie Yongji wrote:
> > > Export receive_fd() so that some modules can use
> > > it to p
On Wed, Mar 31, 2021 at 04:05:10PM +0800, Xie Yongji wrote:
> Export receive_fd() so that some modules can use
> it to pass file descriptor between processes without
> missing any security stuffs.
>
> Signed-off-by: Xie Yongji
> ---
Yeah, as I said in the other mail I'd be comfortable with expos
nction fails.
>
> Add a separate NULL check to tell gcc about it as well.
>
> Signed-off-by: Arnd Bergmann
> ---
Seems reasonable,
Acked-by: Christian Brauner
On Mon, Mar 15, 2021 at 05:46:43PM +0800, Yongji Xie wrote:
> On Mon, Mar 15, 2021 at 5:08 PM Christoph Hellwig wrote:
> >
> > On Mon, Mar 15, 2021 at 01:37:11PM +0800, Xie Yongji wrote:
> > > Export __receive_fd() so that some modules can use
> > > it to pass file descriptor between processes.
>
On Tue, Mar 02, 2021 at 09:47:10AM +, Lorenz Bauer wrote:
> On Mon, 1 Mar 2021 at 10:04, Christian Brauner
> wrote:
> >
> > Hey Lorenz,
> >
> > Just to make sure: is it intentional that any user can retrieve the
> > cookie associated with any network n
Hey everyone,
I get the following WARN triggered in net/wireless/nl80211.c during boot
on v5.12-rc1:
[ 36.749643] [ cut here ]
[ 36.749645] WARNING: CPU: 7 PID: 829 at net/wireless/nl80211.c:7746
nl80211_get_reg_do+0x215/0x250 [cfg80211]
[ 36.749683] Modules linked
On Wed, Feb 10, 2021 at 12:04:23PM +, Lorenz Bauer wrote:
> Network namespaces have a globally unique non-zero identifier aka a
> cookie, in line with socket cookies. Add an ioctl to retrieve the
> cookie from user space without going via BPF.
>
> Cc: linux-...@vger.kernel.org
> Signed-off-by:
On Sun, Jan 17, 2021 at 06:23:19PM +0800, menglong8.d...@gmail.com wrote:
> From: Menglong Dong
>
> For now, sysctl_wmem_default and sysctl_rmem_default are globally
> unified. It's not convenient in some case. For example, when we
> use docker and try to control the default udp socket receive bu
s/no/now/
> position, which can lead to a failure depending on the exact stack
> initialization patter. Initialize the variable to zero to make
s/patter/pattern/
> rw_verify_area happy.
>
> Fixes: 6955a76fbcd5 ("bpfilter: switch to kernel_write")
> Reported-by: Christian B
vger.kernel.org
> Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set
> correctly")
> Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set
> correctly")
> Signed-off-by: Kees Cook
> ---
Thanks!
Acked-by: Christian Brauner
On Wed, Jul 08, 2020 at 11:12:02PM -0700, Kees Cook wrote:
> On Tue, Jul 07, 2020 at 03:30:49PM +0200, Christian Brauner wrote:
> > Hm, maybe change that description to sm like:
> >
> > [...]
>
> Cool, yeah. Thanks! I've tweaked it a little more
>
>
On Wed, Jul 08, 2020 at 11:35:39PM -0700, Kees Cook wrote:
> On Tue, Jul 07, 2020 at 02:22:20PM +0200, Christian Brauner wrote:
> > So while the patch is correct it leaves 5.6 and 5.7 with a bug in the
> > pidfd_getfd() implementation and that just doesn't seem right. I'm
On Mon, Jul 06, 2020 at 01:17:19PM -0700, Kees Cook wrote:
> From: Sargun Dhillon
>
> This adds a seccomp notifier ioctl which allows for the listener to
> "add" file descriptors to a process which originated a seccomp user
> notification. This allows calls like mount, and mknod to be "implemente
Thanks to Colin Ian King for pointing out an
> uninitialized variable exposure in an earlier version of this patch.
>
> Reviewed-by: Sargun Dhillon
> Signed-off-by: Kees Cook
> ---
Thanks!
(One tiny-nit below.)
Acked-by: Christian Brauner
> fs/file.c| 24 +
r.
>
> Thanks to Vamshi K Sthambamkadi for
> catching a missed fput() in an earlier version of this patch.
>
> Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
> Reviewed-by: Sargun Dhillon
> Signed-off-by: Kees Cook
> ---
Thanks!
Acked-by: Christia
argun Dhillon
> Signed-off-by: Kees Cook
> ---
Hm, I'm not sure why 2/7 and 3/7 aren't just one patch but ok. :)
Acked-by: Christian Brauner
e a wrapper
> named receive_fd_user(), as future patches will change the interface
> to __receive_fd().
>
> Reviewed-by: Sargun Dhillon
> Signed-off-by: Kees Cook
> ---
Thanks!
Acked-by: Christian Brauner
r to the native handler, just include the same check
> in the compat handler.
>
> Fixes: 48a87cc26c13 ("net: netprio: fd passed in SCM_RIGHTS datagram not set
> correctly")
> Fixes: d84295067fc7 ("net: net_cls: fd passed in SCM_RIGHTS datagram not set
> correctly")
>
On Mon, Jul 06, 2020 at 06:12:47PM +0200, Christian Brauner wrote:
> On Mon, Jul 06, 2020 at 08:34:06AM -0700, Kees Cook wrote:
> > On Mon, Jul 06, 2020 at 03:07:13PM +0200, Christian Brauner wrote:
> > > On Wed, Jun 17, 2020 at 03:03:24PM -0700, Kees Cook wrote:
> >
On Mon, Jul 06, 2020 at 08:34:06AM -0700, Kees Cook wrote:
> On Mon, Jul 06, 2020 at 03:07:13PM +0200, Christian Brauner wrote:
> > On Wed, Jun 17, 2020 at 03:03:24PM -0700, Kees Cook wrote:
> > > The sock counting (sock_update_netprioidx() and sock_update_classid()) was
> >
On Wed, Jun 17, 2020 at 03:03:24PM -0700, Kees Cook wrote:
> The sock counting (sock_update_netprioidx() and sock_update_classid()) was
> missing from pidfd's implementation of received fd installation. Replace
> the open-coded version with a call to the new fd_install_received()
> helper.
>
> Fix
On Thu, Jul 02, 2020 at 08:17:38AM -0500, Eric W. Biederman wrote:
> Matt Bennett writes:
>
> > Previously the connector functionality could only be used by processes
> > running in the
> > default network namespace. This meant that any process that uses the
> > connector functionality
> > coul
On Mon, Jun 15, 2020 at 08:25:15PM -0700, Kees Cook wrote:
> In preparation for users of the "install a received file" logic outside
> of net/ (pidfd and seccomp), relocate and rename __scm_install_fd() from
> net/core/scm.c to __fd_install_received() in fs/file.c, and provide a
> wrapper named fd_
On Tue, Jun 09, 2020 at 09:52:12PM -0700, Kees Cook wrote:
> Hi,
>
> This extends the recent work hch did for scm_detach_fds(), and updates
> the compat path as well, fixing bugs in the process. Additionally,
> an effectively incomplete and open-coded __scm_install_fd() is fixed
> in pidfd_getfd()
On Wed, May 20, 2020 at 07:24:18PM +0200, Christian Brauner wrote:
> On Wed, May 20, 2020 at 10:54:21AM -0600, David Ahern wrote:
> > On 5/20/20 8:58 AM, Christian Brauner wrote:
> > > During NorthSec (cf. [1]) a very large number of unprivileged
> > > containers an
On Wed, May 20, 2020 at 10:54:21AM -0600, David Ahern wrote:
> On 5/20/20 8:58 AM, Christian Brauner wrote:
> > During NorthSec (cf. [1]) a very large number of unprivileged
> > containers and nested containers are run during the competition to
> > provide a safe environment
e than the container it was created in.
4. Inherit the limit from the current network namespace. This means
we don't fully namespace max_sizes but allow the current network
namespace to choose a limit it is comfortable with inheriting.
[1]: https://nsec.io/
Signed-off-by: Christian Brau
On Fri, May 15, 2020 at 08:57:30AM -0700, Matthew Wilcox wrote:
> On Fri, May 15, 2020 at 10:23:17AM -0500, Nate Karstens wrote:
> > Series of 4 patches to implement close-on-fork. Tests have been
> > published to https://github.com/nkarstens/ltp/tree/close-on-fork
> > and cover close-on-fork funct
On August 17, 2019 5:36:54 PM GMT+02:00, Alexei Starovoitov
wrote:
>On Sat, Aug 17, 2019 at 05:16:53PM +0200, Christian Brauner wrote:
>> On August 17, 2019 5:08:45 PM GMT+02:00, Alexei Starovoitov
> wrote:
>> >On Sat, Aug 17, 2019 at 12:22:53AM +0200, Christian Brauner wro
On August 17, 2019 5:08:45 PM GMT+02:00, Alexei Starovoitov
wrote:
>On Sat, Aug 17, 2019 at 12:22:53AM +0200, Christian Brauner wrote:
>>
>> (The one usecase I'd care about is to extend seccomp to do
>pointer-based
>> syscall filtering. Whether or not that'
On Fri, Aug 16, 2019 at 02:45:44PM -0700, Alexei Starovoitov wrote:
> On Thu, Aug 15, 2019 at 05:54:59PM -0700, Andy Lutomirski wrote:
> >
> >
> > > On Aug 15, 2019, at 4:46 PM, Alexei Starovoitov
> > > wrote:
> >
> >
> > >>
> > >> I'm not sure why you draw the line for VMs -- they're just a
On Thu, Jun 27, 2019 at 04:42:18PM -0700, Andy Lutomirski wrote:
> [sigh, I finally set up lore nntp, and I goofed some addresses. Hi
> Kees and linux-api.]
Love it or hate it but that should probably also Cc linux-security...
>
> On Thu, Jun 27, 2019 at 4:40 PM Andy Lutomirski wrote:
> >
> >
bot+43a3fa52c0d9c5c94...@syzkaller.appspotmail.com
Fixes: 22567590b2e6 ("netfilter: bridge: namespace bridge netfilter sysctls")
Signed-off-by: Christian Brauner
---
net/bridge/br_netfilter_hooks.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bridge/br_netfilter_hooks.c
On Mon, Mar 04, 2019 at 10:07:17PM +0100, Arnd Bergmann wrote:
> On Mon, Mar 4, 2019 at 10:00 PM Christian Brauner
> wrote:
> >
> > On Mon, Mar 04, 2019 at 09:38:03PM +0100, Arnd Bergmann wrote:
> > > When CONFIG_SYSCTL is turned off, we get a link failure for
> &
On Mon, Mar 04, 2019 at 09:38:03PM +0100, Arnd Bergmann wrote:
> When CONFIG_SYSCTL is turned off, we get a link failure for
> the newly introduced tuning knob.
>
> net/ipv6/addrconf.o: In function `addrconf_init_net':
> addrconf.c:(.text+0x31dc): undefined reference to
> `sysctl_devconf_inherit_
d-function]
> static int proc_dointvec_minmax_bpf_stats(struct ctl_table *table, int write,
>
> The CONFIG_BPF_SYSCALL check was already handled, but the SYSCTL check
> is needed on top.
>
> Fixes: 492ecee892c2 ("bpf: enable program stats")
> Signed-off-by: Arnd Ber
On Tue, Nov 27, 2018 at 09:23:49AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Nov 27, 2018 at 03:20:45AM +0100, Christian Brauner wrote:
> > On Tue, Nov 27, 2018 at 01:20:47AM +0100, Pablo Neira Ayuso wrote:
> > > Hi,
> > >
> > > On Wed, Nov 07, 2018 at 02:48
On Tue, Nov 27, 2018 at 01:20:47AM +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> On Wed, Nov 07, 2018 at 02:48:58PM +0100, Christian Brauner wrote:
> [...]
> > diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
> > index ca043342c0eb..eedbd1ac940e 1006
On Mon, Oct 08, 2018 at 07:28:33AM -0600, David Ahern wrote:
> On 10/8/18 4:54 AM, Christian Brauner wrote:
> > On Sun, Oct 07, 2018 at 08:16:38PM -0700, David Ahern wrote:
> >> From: David Ahern
> >>
> >> Update rtnl_net_dumpid for strict data checking. If th
net/fib_rules: Update fib_nl_dumprule for strict data checking
> net/ipv6: Update ip6addrlbl_dump for strict data checking
> net: Update netconf dump handlers for strict data checking
> net/bridge: Update br_mdb_dump for strict data checking
> rtnetlink: Move input check
ed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/core/rtnetlink.c | 62
> ++--
> 1 file changed, 60 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index c7509c789fb6..c8
> allowed to send up to this point.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/core/rtnetlink.c | 53
>
> 1 file changed, 33 insertions(+), 20 deletions(-)
>
> diff --git a/net/core/
no
> attributes can be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/bridge/br_mdb.c | 30 ++
> 1 file changed, 30 insertions(+)
>
> diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
> index a4a
On Sun, Oct 07, 2018 at 08:16:38PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update rtnl_net_dumpid for strict data checking. If the flag is set,
> the dump request is expected to have an rtgenmsg struct as the header
> which has the family as the only element. No data may be appended.
>
to be 0 and no
> attributes can be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/ipv6/addrlabel.c | 34 +-
> 1 file changed, 33 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv6/addrlabel.c b/ne
g struct as the header.
> The struct only has the family member and no attributes can be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/ipv4/devinet.c | 22 +++---
> net/ipv6/addrconf.c | 22 +
d no attributes can
> be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/core/fib_rules.c | 36 +++-
> 1 file changed, 35 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/fib_rules.c b/ne
d no attributes can
> be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/core/neighbour.c | 38 +++---
> 1 file changed, 35 insertions(+), 3 deletions(-)
>
> diff --git a/net/core/neighbour.c b/ne
ng code does not fail the dump if nlmsg_parse fails. That behavior
> is kept for non-strict checking.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/core/neighbour.c | 82
> ++--
> 1 file changed, 67 ins
to be 0 and no attributes can
> be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/ipv4/ipmr.c | 32
> 1 file changed, 32 insertions(+)
>
> diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
> index 5660adcf
to be 0 and no
> attributes can be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/ipv6/addrconf.c | 35 +++
> 1 file changed, 35 insertions(+)
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index
On Sun, Oct 07, 2018 at 08:16:32PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update rtnl_stats_dump for strict data checking. If the flag is set,
> the dump request is expected to have an if_stats_msg struct as the header.
> All elements of the struct are expected to be 0 except filter_ma
Any data passed in the
> header or as an attribute is taken as a request to influence the data
> returned. Only values supported by the dump handler are allowed to be
> non-0 or set in the request. At the moment only the IFLA_EXT_MASK
> attribute is supported.
>
> Signed-off-by:
FO attributes are supported.
>
> Existing code does not fail the dump if nlmsg_parse fails. That behavior
> is kept for non-strict checking.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/core/rtnetlink.c | 113
> +
dd support for other fields
> (e.g., honor ifa_index and only return data for the given device index).
>
> Signed-off-by: David Ahern
Same as ipv4, looks way cleaner with the new *_strict() helper! :)
Acked-by: Christian Brauner
> ---
> net/ipv6/addrconf.c | 69
> +
an support for other fields
> (e.g., honor ifa_index and only return data for the given device index).
>
> Signed-off-by: David Ahern
Thanks, with the *_strict() it looks way cleaner now.
Acked-by: Christian Brauner
> ---
> net/ipv4/devinet.c | 72
> +++
an potentially be leveraged for tighter
> checking on the NEW, DEL, and SET commands.
>
> Signed-off-by: David Ahern
Thanks for the bool. :)
Acked-by: Christian Brauner
> ---
> include/linux/netlink.h | 1 +
> include/uapi/linux/netlink.h | 1 +
> net/netlink/
actually fails with EINVAL if there are any
> bytes remaining after the parsing loop completes, if the attribute type
> is 0 or greater than max expected.
>
> Signed-off-by: David Ahern
+1
Acked-by: Christian Brauner
> ---
> inclu
On Sun, Oct 07, 2018 at 07:29:13PM -0600, David Ahern wrote:
> On 10/7/18 4:29 AM, Christian Brauner wrote:
> >> I thought about that, but there is so much overlap - they are mostly
> >> common. Besides, ifinfomsg is the header for link dumps, and ifinfomsg
> >> is
d no attributes can
> be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/core/fib_rules.c | 36 +++-
> 1 file changed, 35 insertions(+), 1 deletion(-)
>
> diff --git a/net/core/fib_rules.c b/ne
to be 0 and no
> attributes can be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/ipv6/addrlabel.c | 35 ++-
> 1 file changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv6/addrlabel.c b/ne
g struct as the header.
> The struct only has the family member and no attributes can be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/ipv4/devinet.c | 22 +++---
> net/ipv6/addrconf.c | 22 +
On Thu, Oct 04, 2018 at 02:33:50PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update neightbl_dump_info for strict data checking. If the flag is set,
> the dump request is expected to have an ndtmsg struct as the header.
> All elements of the struct are expected to be 0 and no attributes c
On Thu, Oct 04, 2018 at 02:33:49PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update neigh_dump_info for strict data checking. If the flag is set,
> the dump request is expected to have an ndmsg struct as the header
> potentially followed by one or more attributes. Any data passed in the
>
On Thu, Oct 04, 2018 at 02:33:48PM -0700, David Ahern wrote:
> From: David Ahern
>
> Add helper to check netlink message for route dumps. If the strict flag
> is set the dump request is expected to have an rtmsg struct as the header.
> All elements of the struct are expected to be 0 with the exce
to be 0 and no attributes can
> be appended.
>
> Signed-off-by: David Ahern
Just one really tiny nit below. :)
Acked-by: Christian Brauner
> ---
> net/ipv4/ipmr.c | 32
> 1 file changed, 32 insertions(+)
>
> diff --git a/net/ipv4/ipmr.c
On Thu, Oct 04, 2018 at 02:33:45PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update rtnl_stats_dump for strict data checking. If the flag is set,
> the dump request is expected to have an if_stats_msg struct as the header.
> All elements of the struct are expected to be 0 except filter_ma
On Thu, Oct 04, 2018 at 02:33:44PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update rtnl_bridge_getlink for strict data checking. If the flag is set,
> the dump request is expected to have an ifinfomsg struct as the header
> potentially followed by one or more attributes. Any data passed
On Fri, Oct 05, 2018 at 01:22:24PM -0600, David Ahern wrote:
> On 10/5/18 11:59 AM, Christian Brauner wrote:
> >> + err = nlmsg_parse(nlh, hdrlen, tb, IFLA_MAX, ifla_policy, extack);
> >> + if (err < 0) {
> >> + if (cb->strict_check)
&g
On Fri, Oct 05, 2018 at 01:25:22PM -0600, David Ahern wrote:
> On 10/5/18 11:48 AM, Christian Brauner wrote:
> > On Thu, Oct 04, 2018 at 02:33:46PM -0700, David Ahern wrote:
> >> From: David Ahern
> >>
> >> Update inet6_dump_ifinfo for strict data checkin
On Fri, Oct 05, 2018 at 01:26:31PM -0600, David Ahern wrote:
> On 10/5/18 11:54 AM, Christian Brauner wrote:
> >> +static int inet6_valid_dump_ifinfo(const struct nlmsghdr *nlh,
> >> + struct netlink_ext_ack *extack)
> >> +{
On October 5, 2018 8:43:55 PM GMT+02:00, David Ahern wrote:
>On 10/5/18 11:36 AM, Christian Brauner wrote:
>>> diff --git a/include/linux/netlink.h b/include/linux/netlink.h
>>> index 88c8a2d83eb3..36bdca2aa42d 100644
>>> --- a/include/linux/netlink.h
>
On Thu, Oct 04, 2018 at 02:33:41PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update inet_dump_ifaddr for strict data checking. If the flag is set,
> the dump request is expected to have an ifaddrmsg struct as the header
> potentially followed by one or more attributes. Any data passed in
On Thu, Oct 04, 2018 at 02:33:43PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update rtnl_dump_ifinfo for strict data checking. If the flag is set,
> the dump request is expected to have an ifinfomsg struct as the header
> potentially followed by one or more attributes. Any data passed in
On Thu, Oct 04, 2018 at 02:33:46PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update inet6_dump_ifinfo for strict data checking. If the flag is
> set, the dump request is expected to have an ifinfomsg struct as
> the header. All elements of the struct are expected to be 0 and no
> attribut
dd support for other fields
> (e.g., honor ifa_index and only return data for the given device index).
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/ipv6/addrconf.c | 51 ++-
> 1 file changed, 42 insertions(
On Fri, Oct 05, 2018 at 07:48:27PM +0200, Christian Brauner wrote:
> On Thu, Oct 04, 2018 at 02:33:46PM -0700, David Ahern wrote:
> > From: David Ahern
> >
> > Update inet6_dump_ifinfo for strict data checking. If the flag is
> > set, the dump request is expected to
On Thu, Oct 04, 2018 at 02:33:46PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update inet6_dump_ifinfo for strict data checking. If the flag is
> set, the dump request is expected to have an ifinfomsg struct as
> the header. All elements of the struct are expected to be 0 and no
> attribut
may be appended.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/core/net_namespace.c | 8
> 1 file changed, 8 insertions(+)
>
> diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
> index 670c84b1bfc2..63659c512ba8 100644
&
On Thu, Oct 04, 2018 at 02:33:37PM -0700, David Ahern wrote:
> From: David Ahern
>
> Give a user a reason why EINVAL is returned in nlmsg_parse.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> include/net/netlink.h | 4 +++-
> 1 file changed, 3 i
l when
> strict checking is done on dump requests, returning why the dump
> fails EINVAL.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> include/linux/netlink.h | 1 +
> net/netlink/af_netlink.c | 12 +++-
> 2 files changed, 12 insertions(+),
having extack in dump requests sounds really useful to me!
Acked-by: Christian Brauner
> ---
> net/core/devlink.c | 2 +-
> net/core/neighbour.c | 3 ++-
> net/core/rtnetlink.c | 4 ++--
> net/ipv4/devinet.c | 9 +
> net/i
On Thu, Oct 04, 2018 at 02:33:40PM -0700, David Ahern wrote:
> From: David Ahern
>
> Add a new socket option, NETLINK_DUMP_STRICT_CHK, that userspace
> can use via setsockopt to request strict checking of headers and
> attributes on dump requests.
>
> To get dump features such as kernel side fil
On Thu, Oct 04, 2018 at 02:33:55PM -0700, David Ahern wrote:
> From: David Ahern
>
> Update br_mdb_dump for strict data checking. If the flag is set,
> the dump request is expected to have a br_port_msg struct as the
> header. All elements of the struct are expected to be 0 and no
> attributes ca
On Tue, Oct 02, 2018 at 01:06:14PM +0200, Jiri Benc wrote:
> On Mon, 1 Oct 2018 17:28:29 -0700, David Ahern wrote:
> > Add a new flag, NLM_F_DUMP_PROPER_HDR, for userspace to indicate to the
> > kernel that it believes it is sending the right header struct for the
> > dump message type (ifinfomsg,
On Tue, Oct 02, 2018 at 01:07:49PM +0200, Jiri Benc wrote:
> On Tue, 2 Oct 2018 13:03:00 +0200, Christian Brauner wrote:
> > Well, it's a namespace filter that's how I saw it.
>
> That would imply that without it, you get data from all name spaces
> (= unfiltered
On Mon, Oct 01, 2018 at 05:28:27PM -0700, David Ahern wrote:
> From: David Ahern
>
> Pass extack to dump callbacks by adding extack to netlink_dump_control,
> transferring to netlink_callback and adding to the netlink_dump. Update
> rtnetlink as the first user. Update netlink_dump to add any mess
On Tue, Oct 02, 2018 at 12:54:25PM +0200, Jiri Benc wrote:
> On Mon, 1 Oct 2018 17:28:28 -0700, David Ahern wrote:
> > Pull the inet6_fill_args arg up to in6_dump_addrs and move netnsid
> > into it. Since IFA_TARGET_NETNSID is a kernel side filter add the
> > NLM_F_DUMP_FILTERED flag so userspace
On Sat, Sep 29, 2018 at 10:59:20AM -0700, David Ahern wrote:
> From: David Ahern
>
> iproute2 currently uses ifinfomsg as the header for all dumps using the
> wilddump headers. This is wrong as each message type actually has its own
> header type. While the kernel has traditionally let it go as i
On Fri, Sep 28, 2018 at 08:44:57AM -0700, dsah...@kernel.org wrote:
> From: David Ahern
>
> There are many use cases where a user wants to influence what is
> returned in a dump for some rtnetlink command: one is wanting data
> for a different namespace than the one the request is received and
>
est was honored.
>
> Signed-off-by: David Ahern
Acked-by: Christian Brauner
> ---
> net/ipv6/addrconf.c | 59
> +
> 1 file changed, 32 insertions(+), 27 deletions(-)
>
> diff --git a/net/ipv6/addrconf.c b/n
I like the idea of passing down extack.
Acked-by: Christian Brauner
> ---
> include/linux/netlink.h | 2 ++
> net/core/rtnetlink.c | 1 +
> net/netlink/af_netlink.c | 1 +
> 3 files changed, 4 insertions(+)
>
> diff --git a/include/linux/netlink.h b/include/linux/ne
On Fri, Sep 28, 2018 at 08:45:02AM -0700, dsah...@kernel.org wrote:
> From: David Ahern
>
> Update inet6_dump_addr to check for NLM_F_DUMP_PROPER_HDR in the netlink
> message header. If the flag is set, the dump request is expected to have
> an ifaddrmsg struct as the header potentially followed