Evgeny Kravtsunov authored and Pavel Emelianov committed 7016a8463ca
When creating a socket within a VE, the following ones are allowed:

```
-----------------------------------------------------------------------------------
 family     | type          | protocol
---------------------------------------------------------------------------------
 PF_UNIX    |               |
 PF_LOCAL   |               |
 PF_PACKET  | Any existing* | Any existing
 PF_NETLINK |               |
---------------------------------------------------------------------------------
 PF_INET    | SOCK_DGRAM  + | IPPROTO_UDP
            | SOCK_STREAM + | IPPROTO_TCP
            | SOCK_RAW    + | Any
            |               | forced to
            |               | IPPROTO_IP
---------------------------------------------------------------------------------
 PF_INET6   | SOCK_DGRAM  + | IPPROTO_UDP
            | SOCK_STREAM + | IPPROTO_TCP
            | SOCK_RAW    + | Any
            |               | forced to
            |               | IPPROTO_IP
--------------------------------------------------------------------------------
```

\* Here "any existing" means that only SOCK_RAW and SOCK_DGRAM will work; other ones will be rejected by the corresponding ->create function (for example netlink_create). This rejection is ok, as it is not bug provoking.

Other families (PF_IPX, PF_X25, PF_AX25, PF_ATMPVC, PF_APPLETALK) are not allowed for sockets within a VE, as they are not virtualized.

The problem is that the function vz_security_proto_check prevents creating sockets with family=PF_INET/PF_INET6, type=SOCK_RAW, protocol=(something except IP, UDP, TCP, ICMP, RAW), which are valid according to the source.

The patch splits vz_security_proto_check into 2 separate checks: 1) the family check vz_security_family_check and 2) the protocol check vz_security_protocol_check. The first one checks whether the family value is allowed in __sock_create; the second one checks whether the created socket contains the correct (virtualized) protocol. vz_security_protocol_check is placed inside the create functions inet_create and inet6_create.

This change will allow creating any socket within a VE with type SOCK_RAW for any protocol that is not implemented in the kernel and encapsulates its packets into IP packets (for example the VRRP protocol).

In the rtnetlink_dump_all and rtnetlink_rcv_msg functions, calls to vz_security_proto_check are replaced by the call to vz_security_family_check.

The patch implements a default-deny security policy.

http://bugzilla.openvz.org/show_bug.cgi?id=611
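As an added illustration, not code from this patch or from the OpenVZ kernel, the following user-space model restates the two-stage policy the commit message describes: a family allow-list applied first (the stage the message places in __sock_create), then a per-protocol check applied only to PF_INET/PF_INET6 (the stage it places in inet_create/inet6_create), with everything not listed denied. The function names model_family_check, model_protocol_check and model_socket_allowed are hypothetical stand-ins for the kernel's vz_security_family_check and vz_security_protocol_check, and the model assumes the protocol argument has already been resolved by the create function (a 0 passed by the caller already mapped to the default). The sample cases in main are constructed; 112 is the IANA protocol number of VRRP, the example the message gives of a protocol the kernel does not implement itself.

```c
/* Added example: user-space model of the VE socket allow-list described in
 * the commit message. Not OpenVZ code; the model_* names are hypothetical. */
#include <stdio.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Stage 1: families that are virtualized inside a VE (the message's table).
 * PF_LOCAL is an alias of PF_UNIX on Linux. Everything else (PF_IPX, PF_X25,
 * PF_AX25, PF_ATMPVC, PF_APPLETALK, ...) is denied by default. */
int model_family_check(int family)
{
    switch (family) {
    case PF_UNIX:      /* == PF_LOCAL */
    case PF_PACKET:
    case PF_NETLINK:
    case PF_INET:
    case PF_INET6:
        return 0;
    default:
        return -EAFNOSUPPORT;
    }
}

/* Stage 2: run where the message places it, i.e. only for PF_INET/PF_INET6,
 * after the create function has resolved the protocol number.
 * Other families are left to their own ->create function. */
int model_protocol_check(int family, int type, int protocol)
{
    if (family != PF_INET && family != PF_INET6)
        return 0;

    switch (type) {
    case SOCK_DGRAM:
        return protocol == IPPROTO_UDP ? 0 : -EPROTONOSUPPORT;
    case SOCK_STREAM:
        return protocol == IPPROTO_TCP ? 0 : -EPROTONOSUPPORT;
    case SOCK_RAW:
        /* "SOCK_RAW + Any": the protocol need not be implemented in the
         * kernel, which is what the patch restores for e.g. VRRP. */
        return 0;
    default:
        return -ESOCKTNOSUPPORT;
    }
}

/* Both stages in the order the kernel applies them; 0 means allowed. */
int model_socket_allowed(int family, int type, int protocol)
{
    int err = model_family_check(family);
    if (err)
        return err;
    return model_protocol_check(family, type, protocol);
}

int main(void)
{
    /* Constructed sample cases covering each branch of the policy. */
    struct {
        int family, type, protocol;
        const char *label;
    } cases[] = {
        { PF_INET,  SOCK_STREAM,    IPPROTO_TCP, "inet  stream tcp" },
        { PF_INET6, SOCK_RAW,       112,         "inet6 raw vrrp(112)" },
        { PF_INET,  SOCK_DGRAM,     IPPROTO_TCP, "inet  dgram tcp (mismatch)" },
        { PF_INET,  SOCK_SEQPACKET, 0,           "inet  seqpacket" },
        { PF_UNIX,  SOCK_STREAM,    0,           "unix  stream" },
        { PF_IPX,   SOCK_DGRAM,     0,           "ipx   (not virtualized)" },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int err = model_socket_allowed(cases[i].family, cases[i].type,
                                       cases[i].protocol);
        printf("%-28s -> %s (%d)\n", cases[i].label,
               err ? "DENY" : "allow", err);
    }
    return 0;
}
```

Reading the cases top to bottom shows the point of the split: a raw IPv6 socket for protocol 112 now passes because stage 2 does not care which protocol a SOCK_RAW socket carries, while a non-virtualized family is still refused at stage 1 before any protocol logic runs.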