From patchwork Fri Sep 23 13:38:19 2022
X-Patchwork-Submitter: Michael Weiß
X-Patchwork-Id: 1681576
From: Michael Weiß
To: Paolo Abeni, Pravin B Shelar, "David S. Miller", Jakub Kicinski
Cc: Joe Stringer, dev@openvswitch.org, Michael Weiß, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Dumazet
Date: Fri, 23 Sep 2022 15:38:19 +0200
Message-Id: <20220923133820.993725-2-michael.weiss@aisec.fraunhofer.de>
In-Reply-To: <20220923133820.993725-1-michael.weiss@aisec.fraunhofer.de>
Subject: [ovs-dev] [PATCH v3 net-next 1/2] net: openvswitch: allow metering in non-initial user namespace

The Netlink interface for metering was restricted to global CAP_NET_ADMIN by using GENL_ADMIN_PERM. To allow metering in a non-initial user namespace, e.g., a container, this is changed to GENL_UNS_ADMIN_PERM.

Signed-off-by: Michael Weiß
--- net/openvswitch/meter.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c index 51111a9009bd..6e38f68f88c2 100644 --- a/net/openvswitch/meter.c +++ b/net/openvswitch/meter.c @@ -343,7 +343,7 @@ static struct dp_meter *dp_meter_create(struct nlattr **a) return ERR_PTR(-EINVAL); /* Allocate and set up the meter before locking anything. */ - meter = kzalloc(struct_size(meter, bands, n_bands), GFP_KERNEL); + meter = kzalloc(struct_size(meter, bands, n_bands), GFP_KERNEL_ACCOUNT); if (!meter) return ERR_PTR(-ENOMEM); @@ -687,9 +687,9 @@ static const struct genl_small_ops dp_meter_genl_ops[] = { }, { .cmd = OVS_METER_CMD_SET, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. - */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_meter_cmd_set, }, { .cmd = OVS_METER_CMD_GET,
@@ -699,9 +699,9 @@ static const struct genl_small_ops dp_meter_genl_ops[] = { }, { .cmd = OVS_METER_CMD_DEL, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. - */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_meter_cmd_del }, };
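Review bot: the commit message says nothing about the allocation change in the @@ -343 hunk, where dp_meter_create switches from GFP_KERNEL to GFP_KERNEL_ACCOUNT. That change is a consequence of the permission relaxation (meters become creatable by a CAP_NET_ADMIN holder inside a user namespace, so their memory should be charged to the creator's memory cgroup instead of staying unaccounted) and the rationale belongs in the log. Suggest adding a sentence such as "Since meters can now be created from within a user namespace, account their memory to the caller with GFP_KERNEL_ACCOUNT."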
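Review bot: the comment kept beside the new flag on the OVS_METER_CMD_SET entry in the @@ -687 hunk, `/* Requires CAP_NET_ADMIN * privilege. */`, no longer describes the check. GENL_ADMIN_PERM meant CAP_NET_ADMIN in the initial user namespace; GENL_UNS_ADMIN_PERM means CAP_NET_ADMIN in the user namespace that owns the network namespace of the requesting socket. Suggest rewording it to `/* Requires CAP_NET_ADMIN privilege in the owning user namespace. */` so the next reader does not assume the old, global requirement.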
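Review bot: the OVS_METER_CMD_DEL entry in the @@ -699 hunk carries the same stale `Requires CAP_NET_ADMIN privilege` comment as the SET entry and should get the same wording fix. Beyond the comment, the hunk does not show how ovs_meter_cmd_del (or ovs_meter_cmd_set) resolves the datapath it operates on; now that a caller outside the initial user namespace can reach these handlers, the commit message should state that the datapath lookup is scoped to the caller's network namespace, since that is the property that makes relaxing the flag safe and it is what a reviewer needs to verify.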

From patchwork Fri Sep 23 13:38:20 2022
X-Patchwork-Submitter: Michael Weiß
X-Patchwork-Id: 1681577
From: Michael Weiß
To: Paolo Abeni, Pravin B Shelar, "David S. Miller", Jakub Kicinski
Cc: Joe Stringer, dev@openvswitch.org, Michael Weiß, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Dumazet
Date: Fri, 23 Sep 2022 15:38:20 +0200
Message-Id: <20220923133820.993725-3-michael.weiss@aisec.fraunhofer.de>
In-Reply-To: <20220923133820.993725-1-michael.weiss@aisec.fraunhofer.de>
Subject: [ovs-dev] [PATCH v3 net-next 2/2] net: openvswitch: allow conntrack in non-initial user namespace

Similar to the previous commit, the Netlink interface of the OVS conntrack module was restricted to global CAP_NET_ADMIN by using GENL_ADMIN_PERM. This is changed to GENL_UNS_ADMIN_PERM to support unprivileged containers in a non-initial user namespace.

Signed-off-by: Michael Weiß
--- net/openvswitch/conntrack.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 48e8f5c29b67..cb255d8ed99a 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1982,7 +1982,8 @@ static int ovs_ct_limit_set_zone_limit(struct nlattr *nla_zone_limit, } else { struct ovs_ct_limit *ct_limit; - ct_limit = kmalloc(sizeof(*ct_limit), GFP_KERNEL); + ct_limit = kmalloc(sizeof(*ct_limit), + GFP_KERNEL_ACCOUNT); if (!ct_limit) return -ENOMEM; @@ -2252,14 +2253,16 @@ static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info) static const struct genl_small_ops ct_limit_genl_ops[] = { { .cmd = OVS_CT_LIMIT_CMD_SET, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_ct_limit_cmd_set, }, { .cmd = OVS_CT_LIMIT_CMD_DEL, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_ct_limit_cmd_del, }, { .cmd = OVS_CT_LIMIT_CMD_GET,
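Review bot: as with the meter patch, the GFP_KERNEL to GFP_KERNEL_ACCOUNT switch in the @@ -1982 hunk is not explained in the commit message. Once OVS_CT_LIMIT_CMD_SET is reachable from a user namespace, the per-zone `struct ovs_ct_limit` objects that ovs_ct_limit_set_zone_limit allocates on behalf of the caller should be charged to the caller's memory cgroup, and the log should say so. It would also help to state whether the number of zone limits a single caller can install is bounded; the hunk alone does not show it, and that bound matters more now that the allocation can be driven from an unprivileged container.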
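Review bot: the comments beside both new flags in the @@ -2252 hunk still read `Requires CAP_NET_ADMIN privilege`, which described GENL_ADMIN_PERM; with GENL_UNS_ADMIN_PERM the requirement is CAP_NET_ADMIN in the user namespace that owns the socket's network namespace, and the comment on the OVS_CT_LIMIT_CMD_SET and OVS_CT_LIMIT_CMD_DEL entries should say that. The hunk also reflows `* privilege. */` into a three-line comment on both entries, a style-only change beyond the flag swap; it is reasonable for consistency with meter.c but deserves a word in the commit message so it does not look accidental. OVS_CT_LIMIT_CMD_GET appears only as trailing context and is unchanged.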