[lxc-devel] [lxc/master] netns_ifaddrs: support NETLINK_DUMP_STRICT_CHK

brauner on Github lxc-bot at linuxcontainers.org
Mon Oct 8 19:14:57 UTC 2018


From 8df6fa99bf2960014c9d53a5ec9b12270ba2ab6a Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 8 Oct 2018 20:55:55 +0200
Subject: [PATCH 1/3] macro: add NETLINK_DUMP_STRICT_CHK

This adds support for the new socket option, NETLINK_DUMP_STRICT_CHK,
that userspace can use via setsockopt to request strict checking of
headers and attributes on dump requests.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/macro.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 6b6b5f794..844cc2c3c 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -239,6 +239,10 @@ extern int __build_bug_on_failed;
 #define prctl_arg(x) ((unsigned long)x)
 
 /* networking */
+#ifndef NETLINK_DUMP_STRICT_CHK
+#define NETLINK_DUMP_STRICT_CHK 12
+#endif
+
 #ifndef IFLA_LINKMODE
 #define IFLA_LINKMODE 17
 #endif
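Review bot: the fallback `#define NETLINK_DUMP_STRICT_CHK 12` carries no comment saying where the value 12 comes from. It sits under the generic `/* networking */` comment next to IFLA_LINKMODE, so a reader cannot tell that it is a netlink socket option rather than an attribute type. A one-line comment naming the kernel header the constant mirrors would make the number checkable and explain that the `#ifndef` guard exists for builds against headers that predate the option.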

From d38f5b17b716667bb5edb0b306f4caca7c1029b5 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 8 Oct 2018 21:10:29 +0200
Subject: [PATCH 2/3] macro: add SOL_NETLINK

This allows setting netlink socket properties.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/macro.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 844cc2c3c..4ce613c52 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -243,6 +243,10 @@ extern int __build_bug_on_failed;
 #define NETLINK_DUMP_STRICT_CHK 12
 #endif
 
+#ifndef SOL_NETLINK
+#define SOL_NETLINK 270
+#endif
+
 #ifndef IFLA_LINKMODE
 #define IFLA_LINKMODE 17
 #endif
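Review bot: SOL_NETLINK is the level argument and NETLINK_DUMP_STRICT_CHK the option name, yet the hunk places the level after the option and leaves both under the bare `/* networking */` comment. Consider defining SOL_NETLINK first with a short comment that it is the setsockopt() level for netlink socket options, so the two fallbacks read as a pair. Since the option from patch 1/3 is unusable without this level, the two macro patches could also be folded into one.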

From c6b647205d5cd56f24f6e4189d607dd0e80f3960 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 8 Oct 2018 21:08:10 +0200
Subject: [PATCH 3/3] netns_ifaddrs: check for NETLINK_DUMP_STRICT_CHK

Make use of the new socket option, NETLINK_DUMP_STRICT_CHK, that
userspace can use via setsockopt to request strict checking of headers
and attributes on dump requests.

To get dump features such as kernel side filtering based on data in
the header or attributes appended to the dump request, userspace
must call setsockopt() for NETLINK_DUMP_STRICT_CHK and a non-zero
value. This is necessary to make use of the IFA_TARGET_NETNSID property.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/include/netns_ifaddrs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/include/netns_ifaddrs.c b/src/include/netns_ifaddrs.c
index cc672a7fd..fc0ffc167 100644
--- a/src/include/netns_ifaddrs.c
+++ b/src/include/netns_ifaddrs.c
@@ -477,6 +477,14 @@ static int __rtnl_enumerate(int link_af, int addr_af, __s32 netns_id,
 	if (fd < 0)
 		return -1;
 
+	r = setsockopt(fd, SOL_NETLINK, NETLINK_DUMP_STRICT_CHK, &(int){1},
+		       sizeof(int));
+	if (r < 0 && netns_id >= 0) {
+		close(fd);
+		*netnsid_aware = false;
+		return -1;
+	}
+
 	r = __ifaddrs_netlink_recv(fd, 1, RTM_GETLINK, link_af, netns_id,
 				   &getlink_netnsid_aware, cb, ctx);
 	if (!r)
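Review bot: the `if (r < 0 && netns_id >= 0)` branch treats every setsockopt() failure as "kernel lacks strict checking" and sets `*netnsid_aware = false` without looking at errno. A failure for any other reason would be reported to the caller as missing netnsid support. Checking errno for the unsupported-option case before clearing the flag would keep the two situations apart, and errno should be saved before `close(fd)`, which may overwrite it ahead of the `return -1`. The other half of the condition also deserves a comment: when netns_id is negative a failed setsockopt() is silently ignored and the dump proceeds without strict checking, which is presumably intended for older kernels but is not stated in the code.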

