From patchwork Fri Nov 22 07:21:00 2019
X-Patchwork-Submitter: Maciej Żenczykowski
X-Patchwork-Id: 1199313
X-Patchwork-Delegate: davem@davemloft.net
From: Maciej Żenczykowski
To: Maciej Żenczykowski, "David S . Miller"
Cc: netdev@vger.kernel.org, Eric Dumazet
Subject: [PATCH 1/3] net: inet_is_local_reserved_port() should return bool not int
Date: Thu, 21 Nov 2019 23:21:00 -0800
Message-Id: <20191122072102.248636-1-zenczykowski@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Maciej Żenczykowski

Cc: Eric Dumazet
Signed-off-by: Maciej Żenczykowski
---
 include/net/ip.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/ip.h b/include/net/ip.h
index a2c61c36dc4a..cebf3e10def1 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -339,10 +339,10 @@ static inline u64 snmp_fold_field64(void __percpu *mib, int offt, size_t syncp_o void inet_get_local_port_range(struct net *net, int *low, int *high); #ifdef CONFIG_SYSCTL -static inline int inet_is_local_reserved_port(struct net *net, int port) +static inline bool inet_is_local_reserved_port(struct net *net, int port) { if (!net->ipv4.sysctl_local_reserved_ports) - return 0; + return false; return test_bit(port, net->ipv4.sysctl_local_reserved_ports); } 
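Review bot: the commit message body is empty. This hunk changes only the declared return type and the literal `0` to `false`; `test_bit()`'s result is converted to bool implicitly, so there is no behavioural change. Please say so in the changelog and give the reason for the cleanup, namely that a later patch in the series ORs this predicate into another boolean expression (`port < ... || inet_is_local_reserved_port(net, port)`), where a bool return type is what a reader expects.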
@@ -357,9 +357,9 @@ static inline int inet_prot_sock(struct net *net) } #else -static inline int inet_is_local_reserved_port(struct net *net, int port) +static inline bool inet_is_local_reserved_port(struct net *net, int port) { - return 0; + return false; } static inline int inet_prot_sock(struct net *net) From patchwork Fri Nov 22 07:21:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Maciej_=C5=BBenczykowski?= X-Patchwork-Id: 1199314 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="P8Af7nFV"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 47K7C16TRDz9sPV for ; Fri, 22 Nov 2019 18:21:17 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726712AbfKVHVQ (ORCPT ); Fri, 22 Nov 2019 02:21:16 -0500 Received: from mail-pj1-f65.google.com ([209.85.216.65]:39018 "EHLO mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726018AbfKVHVQ (ORCPT ); Fri, 22 Nov 2019 02:21:16 -0500 Received: by mail-pj1-f65.google.com with SMTP id t103so2674493pjb.6 for ; Thu, 21 Nov 2019 23:21:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=W9+x0OpwzCkV18oZng5HsypBV+hny4MGuCuTzOBLnkY=; 
From: Maciej Żenczykowski
To: Maciej Żenczykowski, "David S . Miller"
Cc: netdev@vger.kernel.org, Eric Dumazet
Subject: [PATCH 2/3] net: port < inet_prot_sock(net) --> inet_port_requires_bind_service(net, port)
Date: Thu, 21 Nov 2019 23:21:01 -0800
Message-Id: <20191122072102.248636-2-zenczykowski@gmail.com>
In-Reply-To: <20191122072102.248636-1-zenczykowski@gmail.com>
References: <20191122072102.248636-1-zenczykowski@gmail.com>

From: Maciej Żenczykowski

Note that the sysctl write accessor functions guarantee that:
  net->ipv4.sysctl_ip_prot_sock <= net->ipv4.ip_local_ports.range[0]
invariant is maintained, and as such the max() in selinux hooks
is actually spurious.

i.e. even though
  if (snum < max(inet_prot_sock(sock_net(sk)), low) || snum > high) {
per logic is the same as
  if ((snum < inet_prot_sock(sock_net(sk)) && snum < low) || snum > high) {
it is actually functionally equivalent to:
  if (snum < low || snum > high) {
which is equivalent to:
  if (snum < inet_prot_sock(sock_net(sk)) || snum < low || snum > high) {
even though the first clause is spurious.

But we want to hold on to it for the following patch.

Test: builds, git 'grep inet_prot_sock' finds no other references

Cc: Eric Dumazet
Signed-off-by: Maciej Żenczykowski
---
 include/net/ip.h               | 8 ++++----
 net/ipv4/af_inet.c             | 2 +-
 net/ipv6/af_inet6.c            | 2 +-
 net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
 net/sctp/socket.c              | 4 ++--
 security/selinux/hooks.c       | 4 ++--
 6 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/include/net/ip.h b/include/net/ip.h
index cebf3e10def1..a92f157bb115 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -351,9 +351,9 @@ static inline bool sysctl_dev_name_is_allowed(const char *name) return strcmp(name, "default") != 0 && strcmp(name, "all") != 0; } -static inline int inet_prot_sock(struct net *net) +static inline bool inet_port_requires_bind_service(struct net *net, int port) { - return net->ipv4.sysctl_ip_prot_sock; + return port < net->ipv4.sysctl_ip_prot_sock; } #else @@ -362,9 +362,9 @@ static inline bool inet_is_local_reserved_port(struct net *net, int port) return false; } -static inline int inet_prot_sock(struct net *net) +static inline bool inet_port_requires_bind_service(struct net *net, int port) { - return PROT_SOCK; + return port < PROT_SOCK; } #endif diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 53de8e00990e..2fe295432c24 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -495,7 +495,7 @@ int __inet_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len, snum = ntohs(addr->sin_port); err = -EACCES; - if (snum && snum < inet_prot_sock(net) && + if (snum && inet_port_requires_bind_service(net, snum) && !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) goto out; diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index ef37e0574f54..60e2ff91a5b3 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -292,7 +292,7 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len, return -EINVAL; snum = ntohs(addr->sin6_port); - if (snum && snum < inet_prot_sock(net) && + if (snum && inet_port_requires_bind_service(net, snum) && !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) return -EACCES; diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 3be7398901e0..8d14a1acbc37 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c 
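Review bot: inet_port_requires_bind_service() returns true for port 0 (`0 < net->ipv4.sysctl_ip_prot_sock`, and `0 < PROT_SOCK` in the #else stub), so every bind-site caller must keep its own zero guard, as __inet_bind() and __inet6_bind() do here with `if (snum && inet_port_requires_bind_service(net, snum) &&`. Either document that contract in a comment above the helper or make the helper return false for port 0, so a future caller cannot forget the guard. Also, the parameter is `int port` while every caller in this series passes a 16-bit port (an ntohs() result or bind_addr.port); taking `u16` would rule out negative or oversized values at the type level, which matters once the helper indexes a bitmap with it.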
@@ -423,7 +423,7 @@ ip_vs_service_find(struct netns_ipvs *ipvs, int af, __u32 fwmark, __u16 protocol if (!svc && protocol == IPPROTO_TCP && atomic_read(&ipvs->ftpsvc_counter) && - (vport == FTPDATA || ntohs(vport) >= inet_prot_sock(ipvs->net))) { + (vport == FTPDATA || !inet_port_requires_bind_service(ipvs->net, ntohs(vport)))) { /* * Check if ftp service entry exists, the packet * might belong to FTP data connections. diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 83e4ca1fabda..8797a38baf00 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -384,7 +384,7 @@ static int sctp_do_bind(struct sock *sk, union sctp_addr *addr, int len) } } - if (snum && snum < inet_prot_sock(net) && + if (snum && inet_port_requires_bind_service(net, snum) && !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) return -EACCES; @@ -1061,7 +1061,7 @@ static int sctp_connect_new_asoc(struct sctp_endpoint *ep, if (sctp_autobind(sk)) return -EAGAIN; } else { - if (ep->base.bind_addr.port < inet_prot_sock(net) && + if (inet_port_requires_bind_service(net, ep->base.bind_addr.port) && !ns_capable(net->user_ns, CAP_NET_BIND_SERVICE)) return -EACCES; } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9625b99e677f..753b327f4806 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
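Review bot: the ip_vs_service_find() hunk rewrites the FTP-data heuristic `ntohs(vport) >= inet_prot_sock(ipvs->net)` as `!inet_port_requires_bind_service(ipvs->net, ntohs(vport))`. That is equivalent today, but it ties a packet-classification heuristic to a helper whose name is about bind permission and whose meaning the next patch in this series widens to include locally reserved ports; after that, IPVS will stop treating connections to reserved ports as FTP data candidates. If that is intended, state it in the changelog; otherwise keep a plain comparison against sysctl_ip_prot_sock here. Separately, the new `(vport == FTPDATA || !inet_port_requires_bind_service(ipvs->net, ntohs(vport)))) {` line runs well past 80 columns and will trip checkpatch; please wrap it. The two sctp hunks are straightforward substitutions; the sctp_connect_new_asoc() one needs no zero guard because it sits in the else branch of the autobind case visible above.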
@@ -4623,8 +4623,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in inet_get_local_port_range(sock_net(sk), &low, &high); - if (snum < max(inet_prot_sock(sock_net(sk)), low) || - snum > high) { + if (inet_port_requires_bind_service(sock_net(sk), snum) || + snum < low || snum > high) { err = sel_netport_sid(sk->sk_protocol, snum, &sid); if (err) From patchwork Fri Nov 22 07:21:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Maciej_=C5=BBenczykowski?= X-Patchwork-Id: 1199315 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="JhfzJk/W"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 47K7C40dsqz9sPV for ; Fri, 22 Nov 2019 18:21:20 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726762AbfKVHVT (ORCPT ); Fri, 22 Nov 2019 02:21:19 -0500 Received: from mail-pf1-f193.google.com ([209.85.210.193]:33922 "EHLO mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726018AbfKVHVS (ORCPT ); Fri, 22 Nov 2019 02:21:18 -0500 Received: by mail-pf1-f193.google.com with SMTP id n13so3068479pff.1 for ; Thu, 21 Nov 2019 23:21:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; 
From: Maciej Żenczykowski
To: Maciej Żenczykowski, "David S . Miller"
Cc: netdev@vger.kernel.org, Sean Tranchetti, Subash Abhinov Kasiviswanathan, Eric Dumazet
Subject: [PATCH 3/3] net: Fail explicit unprivileged bind to local reserved ports
Date: Thu, 21 Nov 2019 23:21:02 -0800
Message-Id: <20191122072102.248636-3-zenczykowski@gmail.com>
In-Reply-To: <20191122072102.248636-1-zenczykowski@gmail.com>
References: <20191122072102.248636-1-zenczykowski@gmail.com>

From: Maciej Żenczykowski

Reserved ports may have some special use cases which are not suitable
for use by general userspace applications.

Currently, ports specified in ip_local_reserved_ports sysctl will not
be returned only in case of automatic port assignment.

It is desirable to prevent the host from assigning the ports even in
case of explicit binds to processes without CAP_NET_BIND_SERVICE
(which hopefully know what they're doing).

Example use cases might be:
- a port being stolen by the nic for remote serial console, or some
  other sort of debugging functionality (crash collection, gdb, direct
  access to some other microcontroller on the nic or motherboard).
- a transparent proxy where packets are being redirected: in case a
  socket matches this connection, packets from this application would
  be incorrectly sent to one of the endpoints.

Cc: Sean Tranchetti
Cc: Subash Abhinov Kasiviswanathan
Cc: Eric Dumazet
Signed-off-by: Maciej Żenczykowski
---
 include/net/ip.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/net/ip.h b/include/net/ip.h
index a92f157bb115..f00e00d15155 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -353,7 +353,8 @@ static inline bool sysctl_dev_name_is_allowed(const char *name) static inline bool inet_port_requires_bind_service(struct net *net, int port) { - return port < net->ipv4.sysctl_ip_prot_sock; + return port < net->ipv4.sysctl_ip_prot_sock || + inet_is_local_reserved_port(net, port); } #else
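Review bot: this hunk changes more than the explicit bind paths named in the subject. Because patch 2 routed ip_vs_service_find() and selinux_socket_bind() through the same helper, ORing `inet_is_local_reserved_port(net, port)` into it also (a) makes IPVS stop considering connections to locally reserved ports as FTP data candidates and (b) sends an explicit bind to a reserved port that lies inside [low, high] into the sel_netport_sid() branch of selinux_socket_bind(), where before only ports below ip_prot_sock or outside the local range went; patch 2's changelog calls that clause spurious, and this is the hunk where it stops being so, so both effects belong in this commit message. The commit message also says the sysctl currently affects only automatic assignment; the sysctl documentation for ip_local_reserved_ports should be updated in the same series to match the new behaviour. Changing only the CONFIG_SYSCTL variant is correct, since the #else inet_is_local_reserved_port() stub returns false.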