Commit 5f729eaa authored by Julien Gomes's avatar Julien Gomes Committed by David S. Miller

rtnetlink: add restricted rtnl groups for ipv4 and ipv6 mroute



Add RTNLGRP_{IPV4,IPV6}_MROUTE_R as two new restricted groups for the
NETLINK_ROUTE family.
Binding to these groups specifically requires CAP_NET_ADMIN to allow
multicast of sensitive messages (e.g. mroute cache reports).

Suggested-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: default avatarJulien Gomes <julien@arista.com>
Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 94df30a6
+4 −0
@@ -669,6 +669,10 @@ enum rtnetlink_groups {
#define RTNLGRP_NSID		RTNLGRP_NSID
	RTNLGRP_MPLS_NETCONF,
#define RTNLGRP_MPLS_NETCONF	RTNLGRP_MPLS_NETCONF
	RTNLGRP_IPV4_MROUTE_R,
#define RTNLGRP_IPV4_MROUTE_R	RTNLGRP_IPV4_MROUTE_R
	RTNLGRP_IPV6_MROUTE_R,
#define RTNLGRP_IPV6_MROUTE_R	RTNLGRP_IPV6_MROUTE_R
	__RTNLGRP_MAX
};
#define RTNLGRP_MAX	(__RTNLGRP_MAX - 1)
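Review bot: The two new enumerators give a UAPI reader no hint that they differ from every other group in this enum, so a userspace program has to find the kernel-side bind hook to learn that joining them fails with -EPERM unless the caller has CAP_NET_ADMIN. A short comment above `RTNLGRP_IPV4_MROUTE_R,` such as `/* _R groups carry sensitive data (e.g. mroute cache reports); binding requires CAP_NET_ADMIN */` would state the contract where consumers actually look. Appending the values directly before `__RTNLGRP_MAX` keeps the existing group numbers stable, which is the right placement for an exported enum.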
+13 −0
@@ -4218,6 +4218,18 @@ static void rtnetlink_rcv(struct sk_buff *skb)
	rtnl_unlock();
}

static int rtnetlink_bind(struct net *net, int group)
{
	switch (group) {
	case RTNLGRP_IPV4_MROUTE_R:
	case RTNLGRP_IPV6_MROUTE_R:
		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
			return -EPERM;
		break;
	}
	return 0;
}

static int rtnetlink_event(struct notifier_block *this, unsigned long event, void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
@@ -4252,6 +4264,7 @@ static int __net_init rtnetlink_net_init(struct net *net)
		.input		= rtnetlink_rcv,
		.cb_mutex	= &rtnl_mutex,
		.flags		= NL_CFG_F_NONROOT_RECV,
		.bind		= rtnetlink_bind,
	};

	sk = netlink_kernel_create(net, NETLINK_ROUTE, &cfg);
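Review bot: rtnetlink_bind has no comment saying why it exists, and the second hunk shows the NETLINK_ROUTE socket is created with `NL_CFG_F_NONROOT_RECV`, so this hook is the only check between an unprivileged process and the two new groups; that dependency should be stated at the definition so a future restricted group is not added to the enum without also being added here. Suggest a comment above the function along the lines of `/* Bind hook for NETLINK_ROUTE. NL_CFG_F_NONROOT_RECV lets any user join a group, so groups carrying sensitive data (mroute cache reports) are listed here and gated on CAP_NET_ADMIN. */`. The `switch` also has no `default:` arm; a `default: break;` makes the fall-through-to-allow intent explicit for readers and static checkers. Whether `net->user_ns` is the correct namespace to check depends on which `net` the netlink core passes to the hook, which is outside this hunk — presumably the socket's namespace, but worth confirming against the caller. rtnetlink_event starts at the end of this hunk and continues outside it.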