Patchwork libmnl: Add filtering support to library as a convienience

login
register
mail settings
Submitter Neil Horman
Date March 26, 2013, 2:20 p.m.
Message ID <1364307643-21747-1-git-send-email-nhorman@tuxdriver.com>
Download mbox | patch
Permalink /patch/231230/
State Not Applicable
Headers show

Comments

Neil Horman - March 26, 2013, 2:20 p.m.
Theres been recent discussion about detecting and discarding unwanted netlink
messages in libmnl, so that we can avoid having applications get spoofed by user
space processes sending messages with malformed netlink headers.  Commonly
applications want to be able to only receive messages from the kernel, but
libmnl currently doesn't offer a mechanism to do that.  This patch adds such a
mechanism.  It creates a function mnl_socket_recvfrom_filter, that adds an
extra function pointer parameter which is used to interrogate recieved frames
and filter them based on a desired criteria.  It also adds a convieninece
function mnl_recvfrom_filter_user which can be passed as the filter agrument in
mnl_socket_recvfrom_filter, so as to prevent individual applications from
re-inventing the wheel over and over again.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Pablo Neira Ayuso <pablo@netfilter.org>
CC: Florian Weimer <fweimer@redhat.com>
CC: Hushan Jia <hushan.jia@gmail.com>
---
 include/libmnl/libmnl.h |  3 ++
 src/libmnl.map          |  6 ++++
 src/socket.c            | 84 ++++++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 82 insertions(+), 11 deletions(-)
Pablo Neira - March 26, 2013, 8:50 p.m.
Hi Neil,

On Tue, Mar 26, 2013 at 10:20:43AM -0400, Neil Horman wrote:
> Theres been recent discussion about detecting and discarding unwanted netlink
> messages in libmnl, so that we can avoid having applications get spoofed by user
> space processes sending messages with malformed netlink headers.  Commonly
> applications want to be able to only receive messages from the kernel, but
> libmnl currently doesn't offer a mechanism to do that.  This patch adds such a
> mechanism.  It creates a function mnl_socket_recvfrom_filter, that adds an
> extra function pointer parameter which is used to interrogate recieved frames
> and filter them based on a desired criteria.  It also adds a convieninece
> function mnl_recvfrom_filter_user which can be passed as the filter agrument in
> mnl_socket_recvfrom_filter, so as to prevent individual applications from
> re-inventing the wheel over and over again.

I remember that report from Florian. After some discussion, I proposed
this solution:

commit 20e1db19db5d6b9e4e83021595eab0dc8f107bef
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Aug 23 02:09:11 2012 +0000

    netlink: fix possible spoofing from non-root processes

Basically, it disables netlink-to-netlink communications between
non-root processes (with the exception of NETLINK_USERSOCK), so
non-root processes cannot spoof messages anymore.

Regards.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Neil Horman - March 27, 2013, 12:55 p.m.
On Tue, Mar 26, 2013 at 09:50:28PM +0100, Pablo Neira Ayuso wrote:
> Hi Neil,
> 
> On Tue, Mar 26, 2013 at 10:20:43AM -0400, Neil Horman wrote:
> > Theres been recent discussion about detecting and discarding unwanted netlink
> > messages in libmnl, so that we can avoid having applications get spoofed by user
> > space processes sending messages with malformed netlink headers.  Commonly
> > applications want to be able to only receive messages from the kernel, but
> > libmnl currently doesn't offer a mechanism to do that.  This patch adds such a
> > mechanism.  It creates a function mnl_socket_recvfrom_filter, that adds an
> > extra function pointer parameter which is used to interrogate recieved frames
> > and filter them based on a desired criteria.  It also adds a convieninece
> > function mnl_recvfrom_filter_user which can be passed as the filter agrument in
> > mnl_socket_recvfrom_filter, so as to prevent individual applications from
> > re-inventing the wheel over and over again.
> 
> I remember that report from Florian. After some discussion, I proposed
> this solution:
> 
> commit 20e1db19db5d6b9e4e83021595eab0dc8f107bef
> Author: Pablo Neira Ayuso <pablo@netfilter.org>
> Date:   Thu Aug 23 02:09:11 2012 +0000
> 
>     netlink: fix possible spoofing from non-root processes
> 
> Basically, it disables netlink-to-netlink communications between
> non-root processes (with the exception of NETLINK_USERSOCK), so
> non-root processes cannot spoof messages anymore.
> 
> Regards.
> 
Ah, thank you pablo, wish Florian or I had seen this previously.

Regards
Neil

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/include/libmnl/libmnl.h b/include/libmnl/libmnl.h
index a647fd9..2375d25 100644
--- a/include/libmnl/libmnl.h
+++ b/include/libmnl/libmnl.h
@@ -33,6 +33,9 @@  extern int mnl_socket_get_fd(const struct mnl_socket *nl);
 extern unsigned int mnl_socket_get_portid(const struct mnl_socket *nl);
 extern ssize_t mnl_socket_sendto(const struct mnl_socket *nl, const void *req, size_t siz);
 extern ssize_t mnl_socket_recvfrom(const struct mnl_socket *nl, void *buf, size_t siz);
+extern ssize_t mnl_socket_recvfrom_filter(const struct mnl_socket *nl, void *buf, size_t size,
+					  int(*filter)(const struct mnl_socket *, struct msghdr*));
+extern int mnl_recvfrom_filter_user(const struct mnl_socket*, struct msghdr*);
 extern int mnl_socket_setsockopt(const struct mnl_socket *nl, int type, void *buf, socklen_t len);
 extern int mnl_socket_getsockopt(const struct mnl_socket *nl, int type, void *buf, socklen_t *len);
 
diff --git a/src/libmnl.map b/src/libmnl.map
index dbc332e..ad7dc3d 100644
--- a/src/libmnl.map
+++ b/src/libmnl.map
@@ -72,3 +72,9 @@  local: *;
 LIBMNL_1.1 {
   mnl_attr_parse_payload;
 } LIBMNL_1.0;
+
+
+LIBMNL_1.2 {
+  mnl_socket_recvfrom_filter;
+  mnl_recvfrom_filter_user;
+};
diff --git a/src/socket.c b/src/socket.c
index 6d54563..767eaeb 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -188,6 +188,26 @@  mnl_socket_sendto(const struct mnl_socket *nl, const void *buf, size_t len)
 }
 EXPORT_SYMBOL(mnl_socket_sendto);
 
+static ssize_t
+__mnl_socket_recvfrom(const struct mnl_socket *nl, struct msghdr *msg)
+{
+	ssize_t ret;
+
+	ret = recvmsg(nl->fd, msg, 0);
+	if (ret == -1)
+		return ret;
+
+	if (msg->msg_flags & MSG_TRUNC) {
+		errno = ENOSPC;
+		return -1;
+	}
+	if (msg->msg_namelen != sizeof(struct sockaddr_nl)) {
+		errno = EINVAL;
+		return -1;
+	}
+	return ret;
+}
+
 /**
  * mnl_socket_recvfrom - receive a netlink message
  * \param nl netlink socket obtained via mnl_socket_open()
@@ -205,6 +225,34 @@  EXPORT_SYMBOL(mnl_socket_sendto);
 ssize_t
 mnl_socket_recvfrom(const struct mnl_socket *nl, void *buf, size_t bufsiz)
 {
+	return mnl_socket_recvfrom_filter(nl, buf, bufsiz, NULL);
+}
+EXPORT_SYMBOL(mnl_socket_recvfrom);
+
+/**
+ * mnl_socket_recvfrom_filter - receive a netlink message after filtering
+ * \param nl netlink socket obtained via mnl_socket_open()
+ * \param buf buffer that you want to use to store the netlink message
+ * \param bufsiz size of the buffer passed to store the netlink message
+ * \param filter function pointer to method to filter messages
+ *
+ * On error, it returns -1 and errno is appropriately set. If errno is set
+ * to ENOSPC, it means that the buffer that you have passed to store the
+ * netlink message is too small, so you have received a truncated message.
+ * To avoid this, you have to allocate a buffer of MNL_SOCKET_BUFFER_SIZE
+ * (which is 8KB, see linux/netlink.h for more information). Using this
+ * buffer size ensures that your buffer is big enough to store the netlink
+ * message without truncating it. For every frame that is successfully received
+ * the filter function is called (if set), a negative return from the filter
+ * function causes the message to be discarded, and the filter error code is
+ * returned to the caller of mnl_socket_recvfrom_filter.  A zero return code
+ * from the filter function returns the message to the caller. 
+ * 
+ */
+ssize_t
+mnl_socket_recvfrom_filter(const struct mnl_socket *nl, void *buf, size_t bufsiz,
+			   int(*filter)(const struct mnl_socket*, struct msghdr*))
+{
 	ssize_t ret;
 	struct sockaddr_nl addr;
 	struct iovec iov = {
@@ -220,21 +268,35 @@  mnl_socket_recvfrom(const struct mnl_socket *nl, void *buf, size_t bufsiz)
 		.msg_controllen	= 0,
 		.msg_flags	= 0,
 	};
-	ret = recvmsg(nl->fd, &msg, 0);
+retry:
+	ret = __mnl_socket_recvfrom(nl, &msg);
 	if (ret == -1)
 		return ret;
-
-	if (msg.msg_flags & MSG_TRUNC) {
-		errno = ENOSPC;
-		return -1;
-	}
-	if (msg.msg_namelen != sizeof(struct sockaddr_nl)) {
-		errno = EINVAL;
-		return -1;
-	}
+	if (filter)
+		ret = filter(nl, &msg);
 	return ret;
 }
-EXPORT_SYMBOL(mnl_socket_recvfrom);
+EXPORT_SYMBOL(mnl_socket_recvfrom_filter);
+
+/**
+ * mnl_recvfrom_filter_user - helper function to filter user messages
+ * \param nl netlink socket that a message was received on
+ * \param msg - pointer to the msghdr of the received message
+ *
+ * This function is meant to be passed as the filter argument to
+ * mnl_socket_recvfrom_filter.  It is a convienience function to automatically 
+ * filter out messages originating from user space hosts. 
+ *
+ * returns zero, if the message originated from the kernel
+ * returns non-zero if the message did not originate from the kernel
+ */
+int mnl_recvfrom_filter_user(const struct mnl_socket *nl, struct msghdr *msg)
+{
+	struct sockaddr_nl *addr = msg->msg_name;
+
+	return (addr->nl_pid == 0) ? 0 : -1;
+}
+EXPORT_SYMBOL(mnl_recvfrom_filter_user);
 
 /**
  * mnl_socket_close - close a given netlink socket