From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Mon, 14 Oct 2019 10:37:46 -0700
Message-Id: <1571074671-31834-7-git-send-email-yihung.wei@gmail.com>
In-Reply-To: <1571074671-31834-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 06/11] datapath: genetlink: optionally validate strictly/dumps

This patch backports the following upstream commit within the openvswitch
kernel module with some checks so that it also works in the older kernel.

Upstream commit:
    commit ef6243acb4782df587a4d7d6c310fa5b5d82684b
    Author: Johannes Berg
    Date:   Fri Apr 26 14:07:31 2019 +0200

    genetlink: optionally validate strictly/dumps

    Add options to strictly validate messages and dump messages,
    sometimes perhaps validating dump messages non-strictly may be
    required, so add an option for that as well.

    Since none of this can really be applied to existing commands,
    set the options everywhere using the following spatch:

        @@
        identifier ops;
        expression X;
        @@
        struct genl_ops ops[] = {
        ...,
         {
                .cmd = X,
        +       .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
                ...
         },
        ...
        };

    For new commands one should just not copy the .validate 'opt-out'
    flags and thus get strict validation.

    Signed-off-by: Johannes Berg
    Signed-off-by: David S. Miller

Signed-off-by: Yi-Hung Wei Reviewed-by: Yifeng Sun --- acinclude.m4 | 1 + datapath/conntrack.c | 9 +++++++++ datapath/datapath.c | 39 +++++++++++++++++++++++++++++++++++++++ datapath/meter.c | 12 ++++++++++++ 4 files changed, 61 insertions(+) diff --git a/acinclude.m4 b/acinclude.m4 index fe121ab9126d..055f5387db19 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -817,6 +817,7 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ OVS_GREP_IFELSE([$KSRC/include/net/genetlink.h], [genlmsg_parse]) OVS_GREP_IFELSE([$KSRC/include/net/genetlink.h], [genl_notify.*family], [OVS_DEFINE([HAVE_GENL_NOTIFY_TAKES_FAMILY])]) + OVS_GREP_IFELSE([$KSRC/include/net/genetlink.h], [genl_validate_flags]) OVS_FIND_PARAM_IFELSE([$KSRC/include/net/genetlink.h], [genl_notify], [net], [OVS_DEFINE([HAVE_GENL_NOTIFY_TAKES_NET])]) diff --git a/datapath/conntrack.c b/datapath/conntrack.c index b11a30965147..0c0d43bec2e5 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -2283,18 +2283,27 @@ exit_err: static struct genl_ops ct_limit_genl_ops[] = { { .cmd = OVS_CT_LIMIT_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN * privilege. */ .policy = ct_limit_policy, .doit = ovs_ct_limit_cmd_set, }, { .cmd = OVS_CT_LIMIT_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN * privilege. */ .policy = ct_limit_policy, .doit = ovs_ct_limit_cmd_del, }, { .cmd = OVS_CT_LIMIT_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = ct_limit_policy, .doit = ovs_ct_limit_cmd_get, diff --git a/datapath/datapath.c b/datapath/datapath.c index 78e2e6310529..f4244ea09869 100644 --- a/datapath/datapath.c +++ b/datapath/datapath.c 
@@ -652,6 +652,9 @@ static const struct nla_policy packet_policy[OVS_PACKET_ATTR_MAX + 1] = { static struct genl_ops dp_packet_genl_ops[] = { { .cmd = OVS_PACKET_CMD_EXECUTE, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = packet_policy, .doit = ovs_packet_cmd_execute @@ -1440,22 +1443,34 @@ static const struct nla_policy flow_policy[OVS_FLOW_ATTR_MAX + 1] = { static struct genl_ops dp_flow_genl_ops[] = { { .cmd = OVS_FLOW_CMD_NEW, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = flow_policy, .doit = ovs_flow_cmd_new }, { .cmd = OVS_FLOW_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = flow_policy, .doit = ovs_flow_cmd_del }, { .cmd = OVS_FLOW_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = flow_policy, .doit = ovs_flow_cmd_get, .dumpit = ovs_flow_cmd_dump }, { .cmd = OVS_FLOW_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = flow_policy, .doit = ovs_flow_cmd_set, 
@@ -1832,22 +1847,34 @@ static const struct nla_policy datapath_policy[OVS_DP_ATTR_MAX + 1] = { static struct genl_ops dp_datapath_genl_ops[] = { { .cmd = OVS_DP_CMD_NEW, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = datapath_policy, .doit = ovs_dp_cmd_new }, { .cmd = OVS_DP_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = datapath_policy, .doit = ovs_dp_cmd_del }, { .cmd = OVS_DP_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = datapath_policy, .doit = ovs_dp_cmd_get, .dumpit = ovs_dp_cmd_dump }, { .cmd = OVS_DP_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = datapath_policy, .doit = ovs_dp_cmd_set, 
@@ -2277,22 +2304,34 @@ static const struct nla_policy vport_policy[OVS_VPORT_ATTR_MAX + 1] = { static struct genl_ops dp_vport_genl_ops[] = { { .cmd = OVS_VPORT_CMD_NEW, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = vport_policy, .doit = ovs_vport_cmd_new }, { .cmd = OVS_VPORT_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = vport_policy, .doit = ovs_vport_cmd_del }, { .cmd = OVS_VPORT_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = vport_policy, .doit = ovs_vport_cmd_get, .dumpit = ovs_vport_cmd_dump }, { .cmd = OVS_VPORT_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN privilege. */ .policy = vport_policy, .doit = ovs_vport_cmd_set, diff --git a/datapath/meter.c b/datapath/meter.c index b0a92891c7c0..7d8f51a8fcd1 100644 --- a/datapath/meter.c +++ b/datapath/meter.c @@ -538,11 +538,17 @@ bool ovs_meter_execute(struct datapath *dp, struct sk_buff *skb, static struct genl_ops dp_meter_genl_ops[] = { { .cmd = OVS_METER_CMD_FEATURES, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = meter_policy, .doit = ovs_meter_cmd_features }, { .cmd = OVS_METER_CMD_SET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN * privilege. */ 
@@ -550,11 +556,17 @@ static struct genl_ops dp_meter_genl_ops[] = { .doit = ovs_meter_cmd_set, }, { .cmd = OVS_METER_CMD_GET, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = 0, /* OK for unprivileged users. */ .policy = meter_policy, .doit = ovs_meter_cmd_get, }, { .cmd = OVS_METER_CMD_DEL, +#ifdef HAVE_GENL_VALIDATE_FLAGS + .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, +#endif .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN * privilege. */
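
Review bot: In the acinclude.m4 hunk, the new OVS_GREP_IFELSE check matches only the string genl_validate_flags in include/net/genetlink.h, while every C hunk tests HAVE_GENL_VALIDATE_FLAGS and then relies on three things at once: the .validate member of struct genl_ops and the GENL_DONT_VALIDATE_STRICT and GENL_DONT_VALIDATE_DUMP constants. Nothing in the hunk states that the single grep stands in for all three, so a one-line comment next to the check (or a sentence in the commit message) saying that the match is used as a proxy for the .validate field would make the dependency explicit for whoever next edits the compat checks.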
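
Review bot: The opt-out flags are also set on the entries commented "OK for unprivileged users": OVS_CT_LIMIT_CMD_GET in conntrack.c, OVS_FLOW_CMD_GET, OVS_DP_CMD_GET and OVS_VPORT_CMD_GET in datapath.c (each of which also has a .dumpit handler), and OVS_METER_CMD_FEATURES and OVS_METER_CMD_GET in meter.c. These are the commands reachable without CAP_NET_ADMIN, and with this change they keep non-strict attribute validation on kernels that offer the strict mode. The commit message explains that this preserves existing behaviour and that new commands should not copy the flags, but that guidance lives only in the commit message; a short comment above each genl_ops table saying the flags are a legacy opt-out and must not be copied to new entries would keep it visible in the source.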
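
Review bot: The same three-line "#ifdef HAVE_GENL_VALIDATE_FLAGS / .validate = ... / #endif" block is repeated in all 20 ops entries across the conntrack.c, datapath.c and meter.c hunks, which makes the tables harder to read and easy to get out of sync when an entry is added. Consider defining a single compat macro once in the compat headers that expands to the .validate initializer when HAVE_GENL_VALIDATE_FLAGS is defined and to nothing otherwise, and using that one line in each entry instead.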