diff options
Diffstat (limited to 'netlink-Add-netns-check-on-taps.patch')
-rw-r--r-- | netlink-Add-netns-check-on-taps.patch | 42 |
1 files changed, 0 insertions, 42 deletions
diff --git a/netlink-Add-netns-check-on-taps.patch b/netlink-Add-netns-check-on-taps.patch deleted file mode 100644 index 8595cf80d..000000000 --- a/netlink-Add-netns-check-on-taps.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 5af86b090e2f17b97c02d0bf9098f6edc3195935 Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee <cernekee@chromium.org> -Date: Wed, 6 Dec 2017 12:12:27 -0800 -Subject: [PATCH] netlink: Add netns check on taps - -Currently, a nlmon link inside a child namespace can observe systemwide -netlink activity. Filter the traffic so that nlmon can only sniff -netlink messages from its own netns. - -Test case: - - vpnns -- bash -c "ip link add nlmon0 type nlmon; \ - ip link set nlmon0 up; \ - tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" & - sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \ - spi 0x1 mode transport \ - auth sha1 0x6162633132330000000000000000000000000000 \ - enc aes 0x00000000000000000000000000000000 - grep --binary abc123 /tmp/nlmon.pcap - -Signed-off-by: Kevin Cernekee <cernekee@chromium.org> ---- - net/netlink/af_netlink.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 15c99dfa3d72..aac9d68b4636 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb, - struct sock *sk = skb->sk; - int ret = -ENOMEM; - -+ if (!net_eq(dev_net(dev), sock_net(sk))) -+ return 0; -+ - dev_hold(dev); - - if (is_vmalloc_addr(skb->head)) --- -2.14.3 - |