
rtnetlink: add restricted rtnl groups for ipv4 and ipv6 mroute

Add RTNLGRP_{IPV4,IPV6}_MROUTE_R as two new restricted groups for the
NETLINK_ROUTE family.
Binding to these groups requires CAP_NET_ADMIN, so that sensitive messages
(e.g. mroute cache reports) can be multicast to them without exposing them to
unprivileged listeners.

Suggested-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: Julien Gomes <julien@arista.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Julien Gomes and committed by
David S. Miller
5f729eaa 94df30a6

+17
+4
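--- a/include/uapi/linux/rtnetlink.h
+++ b/include/uapi/linux/rtnetlink.h
@@ -669,6 +669,10 @@
 #define RTNLGRP_NSID RTNLGRP_NSID
 	RTNLGRP_MPLS_NETCONF,
 #define RTNLGRP_MPLS_NETCONF RTNLGRP_MPLS_NETCONF
+	RTNLGRP_IPV4_MROUTE_R,
+#define RTNLGRP_IPV4_MROUTE_R RTNLGRP_IPV4_MROUTE_R
+	RTNLGRP_IPV6_MROUTE_R,
+#define RTNLGRP_IPV6_MROUTE_R RTNLGRP_IPV6_MROUTE_R
 	__RTNLGRP_MAX
 };
 #define RTNLGRP_MAX (__RTNLGRP_MAX - 1)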
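Review bot: The two new RTNLGRP_*_MROUTE_R entries carry no comment, so a user-space reader of this uapi header cannot tell that the `_R` suffix means joining the group is restricted to CAP_NET_ADMIN holders; the commit message explains it, but the header is what consumers actually read. I would put a one-line comment above the first new entry: `/* _R groups: binding requires CAP_NET_ADMIN in the netns owner user_ns */`. Appending the entries immediately before __RTNLGRP_MAX keeps every existing group number stable, so there is no ABI concern with the placement.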
+13
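--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -4218,6 +4218,18 @@
 	rtnl_unlock();
 }
 
+static int rtnetlink_bind(struct net *net, int group)
+{
+	switch (group) {
+	case RTNLGRP_IPV4_MROUTE_R:
+	case RTNLGRP_IPV6_MROUTE_R:
+		if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+			return -EPERM;
+		break;
+	}
+	return 0;
+}
+
 static int rtnetlink_event(struct notifier_block *this, unsigned long event, void *ptr)
 {
 	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
@@ -4264,6 +4252,7 @@
 		.input = rtnetlink_rcv,
 		.cb_mutex = &rtnl_mutex,
 		.flags = NL_CFG_F_NONROOT_RECV,
+		.bind = rtnetlink_bind,
 	};
 
 	sk = netlink_kernel_create(net, NETLINK_ROUTE, &cfg);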
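Review bot: The CAP_NET_ADMIN check in the new rtnetlink_bind() runs only at the moment a socket joins RTNLGRP_IPV4_MROUTE_R or RTNLGRP_IPV6_MROUTE_R, and nothing in this hunk revokes membership afterwards, so as far as the hunk shows a socket bound by a privileged process keeps receiving the restricted multicasts if that process later drops the capability or passes the descriptor to an unprivileged one (e.g. via SCM_RIGHTS). That is the usual netlink membership model rather than a defect introduced here, but it deserves to be stated next to the function so the "restricted" label is not misread as a per-delivery check. I would add above the function: `/* Membership in the _R groups is checked once, at bind time, against the owner user_ns of the socket's netns; it is not re-checked when messages are delivered. */` The switch has no `default:` case, which is fine because every non-restricted group falls through to `return 0`, but a short `/* all other groups are unrestricted */` on that path would make the intent explicit. The `cfg` initializer in the second hunk belongs to a function that starts outside the hunk.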