From patchwork Wed Sep 21 01:19:45 2022
X-Patchwork-Submitter: Michael Weiß
X-Patchwork-Id: 12982928
X-Patchwork-Delegate: kuba@kernel.org
From: Michael Weiß
To: Paolo Abeni, Pravin B Shelar, "David S. Miller"
Cc: Michael Weiß, Eric Dumazet, Jakub Kicinski, netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 net 1/2] net: openvswitch: allow metering in non-initial user namespace
Date: Wed, 21 Sep 2022 03:19:45 +0200
Message-Id: <20220921011946.250228-2-michael.weiss@aisec.fraunhofer.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220921011946.250228-1-michael.weiss@aisec.fraunhofer.de>
References: <20220921011946.250228-1-michael.weiss@aisec.fraunhofer.de>

The Netlink interface for metering was restricted to global CAP_NET_ADMIN by using GENL_ADMIN_PERM.
To allow metering in a non-initial user namespace, e.g., a container, this is changed to GENL_UNS_ADMIN_PERM.
Signed-off-by: Michael Weiß
--- net/openvswitch/meter.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c index 04a060ac7fdf..7a56efd3406b 100644 --- a/net/openvswitch/meter.c +++ b/net/openvswitch/meter.c @@ -343,7 +343,7 @@ static struct dp_meter *dp_meter_create(struct nlattr **a) return ERR_PTR(-EINVAL); /* Allocate and set up the meter before locking anything. */ - meter = kzalloc(struct_size(meter, bands, n_bands), GFP_KERNEL); + meter = kzalloc(struct_size(meter, bands, n_bands), GFP_KERNEL_ACCOUNT); if (!meter) return ERR_PTR(-ENOMEM); @@ -687,9 +687,9 @@ static const struct genl_small_ops dp_meter_genl_ops[] = { }, { .cmd = OVS_METER_CMD_SET, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. - */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_meter_cmd_set, }, { .cmd = OVS_METER_CMD_GET, 
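Review bot: the switch from GFP_KERNEL to GFP_KERNEL_ACCOUNT in the dp_meter_create() hunk is not mentioned in the commit message, which only talks about the permission flag. Add a sentence stating that meter allocations are now charged to the caller's memory cgroup because a CAP_NET_ADMIN holder in a non-initial user namespace can create them; otherwise a reader of the log will take the allocation change for an unrelated cleanup.

Review bot: in the OVS_METER_CMD_SET hunk the retained comment `/* Requires CAP_NET_ADMIN * privilege. */` no longer matches the flag: GENL_UNS_ADMIN_PERM checks CAP_NET_ADMIN in the user namespace that owns the socket's network namespace, not the global capability. Either drop the comment or reword it to say in which namespace the capability is checked.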
@@ -699,9 +699,9 @@ static const struct genl_small_ops dp_meter_genl_ops[] = { }, { .cmd = OVS_METER_CMD_DEL, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. - */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_meter_cmd_del }, };

From patchwork Wed Sep 21 01:19:46 2022
X-Patchwork-Submitter: Michael Weiß
X-Patchwork-Id: 12982927
X-Patchwork-Delegate: kuba@kernel.org
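Review bot: the OVS_METER_CMD_DEL hunk of meter.c above keeps the same `Requires CAP_NET_ADMIN privilege` comment as the SET hunk and needs the same rewording. Beyond that, the commit message should state what confines a namespace-local CAP_NET_ADMIN to its own meters once deletion is opened up (presumably that the datapath, and with it the meter, is looked up in the caller's network namespace); from the diff alone a reader cannot tell that a container cannot delete meters belonging to another namespace.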
From: Michael Weiß
To: Paolo Abeni, Pravin B Shelar, "David S. Miller"
Cc: Michael Weiß, Eric Dumazet, Jakub Kicinski, netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 net 2/2] net: openvswitch: allow conntrack in non-initial user namespace
Date: Wed, 21 Sep 2022 03:19:46 +0200
Message-Id: <20220921011946.250228-3-michael.weiss@aisec.fraunhofer.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220921011946.250228-1-michael.weiss@aisec.fraunhofer.de>
References: <20220921011946.250228-1-michael.weiss@aisec.fraunhofer.de>

Similar to the previous commit, the Netlink interface of the OVS conntrack module was restricted to
global CAP_NET_ADMIN by using GENL_ADMIN_PERM. This is changed to GENL_UNS_ADMIN_PERM to support unprivileged containers in a non-initial user namespace.
Signed-off-by: Michael Weiß
--- net/openvswitch/conntrack.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 4e70df91d0f2..9142ba322991 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -2252,14 +2252,16 @@ static int ovs_ct_limit_cmd_get(struct sk_buff *skb, struct genl_info *info) static const struct genl_small_ops ct_limit_genl_ops[] = { { .cmd = OVS_CT_LIMIT_CMD_SET, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_ct_limit_cmd_set, }, { .cmd = OVS_CT_LIMIT_CMD_DEL, .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, - .flags = GENL_ADMIN_PERM, /* Requires CAP_NET_ADMIN - * privilege. */ + .flags = GENL_UNS_ADMIN_PERM, /* Requires CAP_NET_ADMIN + * privilege. + */ .doit = ovs_ct_limit_cmd_del, }, { .cmd = OVS_CT_LIMIT_CMD_GET,
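Review bot: the OVS_CT_LIMIT_CMD_SET and OVS_CT_LIMIT_CMD_DEL entries in the conntrack.c hunk keep the comment `Requires CAP_NET_ADMIN privilege` although the flag is now GENL_UNS_ADMIN_PERM, which checks the capability in the user namespace owning the socket's network namespace; reword or drop the comment in both places. Also, patch 1/2 moved the meter allocation to GFP_KERNEL_ACCOUNT when it opened that interface to namespace admins, while this patch only flips the flags: please say in the commit message whether the allocations made on the OVS_CT_LIMIT_CMD_SET path need the same memory-cgroup accounting, or why they do not.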