1. 13 3月, 2011 7 次提交
  2. 11 3月, 2011 1 次提交
  3. 10 3月, 2011 2 次提交
    • D
      ipv6: Don't create clones of host routes. · 7343ff31
      David S. Miller 提交于
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=29252
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=30462
      
      In commit d80bc0fd ("ipv6: Always
      clone offlink routes.") we forced the kernel to always clone offlink
      routes.
      
      The reason we do that is to make sure we never bind an inetpeer to a
      prefixed route.
      
      The logic turned on here has existed in the tree for many years,
      but was always off due to a protecting CPP define.  So perhaps
      it's no surprise that there is a logic bug here.
      
      The problem is that we canot clone a route that is already a
      host route (ie. has DST_HOST set).  Because if we do, an identical
      entry already exists in the routing tree and therefore the
      ip6_rt_ins() call is going to fail.
      
      This sets off a series of failures and high cpu usage, because when
      ip6_rt_ins() fails we loop retrying this operation a few times in
      order to handle a race between two threads trying to clone and insert
      the same host route at the same time.
      
      Fix this by simply using the route as-is when DST_HOST is set.
      
      Reported-by: slash@ac.auone-net.jp
      Reported-by: NErnst Sjöstrand <ernstp@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7343ff31
    • V
      net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules · 8909c9ad
      Vasiliy Kulikov 提交于
      Since a8f80e8f any process with
      CAP_NET_ADMIN may load any module from /lib/modules/.  This doesn't mean
      that CAP_NET_ADMIN is a superset of CAP_SYS_MODULE as modules are
      limited to /lib/modules/**.  However, CAP_NET_ADMIN capability shouldn't
      allow anybody load any module not related to networking.
      
      This patch restricts an ability of autoloading modules to netdev modules
      with explicit aliases.  This fixes CVE-2011-1019.
      
      Arnd Bergmann suggested to leave untouched the old pre-v2.6.32 behavior
      of loading netdev modules by name (without any prefix) for processes
      with CAP_SYS_MODULE to maintain the compatibility with network scripts
      that use autoloading netdev modules by aliases like "eth0", "wlan0".
      
      Currently there are only three users of the feature in the upstream
      kernel: ipip, ip_gre and sit.
      
          root@albatros:~# capsh --drop=$(seq -s, 0 11),$(seq -s, 13 34) --
          root@albatros:~# grep Cap /proc/$$/status
          CapInh:	0000000000000000
          CapPrm:	fffffff800001000
          CapEff:	fffffff800001000
          CapBnd:	fffffff800001000
          root@albatros:~# modprobe xfs
          FATAL: Error inserting xfs
          (/lib/modules/2.6.38-rc6-00001-g2bf4ca3/kernel/fs/xfs/xfs.ko): Operation not permitted
          root@albatros:~# lsmod | grep xfs
          root@albatros:~# ifconfig xfs
          xfs: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep xfs
          root@albatros:~# lsmod | grep sit
          root@albatros:~# ifconfig sit
          sit: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep sit
          root@albatros:~# ifconfig sit0
          sit0      Link encap:IPv6-in-IPv4
      	      NOARP  MTU:1480  Metric:1
      
          root@albatros:~# lsmod | grep sit
          sit                    10457  0
          tunnel4                 2957  1 sit
      
      For CAP_SYS_MODULE module loading is still relaxed:
      
          root@albatros:~# grep Cap /proc/$$/status
          CapInh:	0000000000000000
          CapPrm:	ffffffffffffffff
          CapEff:	ffffffffffffffff
          CapBnd:	ffffffffffffffff
          root@albatros:~# ifconfig xfs
          xfs: error fetching interface information: Device not found
          root@albatros:~# lsmod | grep xfs
          xfs                   745319  0
      
      Reference: https://lkml.org/lkml/2011/2/24/203Signed-off-by: NVasiliy Kulikov <segoon@openwall.com>
      Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Acked-by: NKees Cook <kees.cook@canonical.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8909c9ad
  4. 08 3月, 2011 1 次提交
  5. 04 3月, 2011 1 次提交
  6. 03 3月, 2011 2 次提交
  7. 02 3月, 2011 8 次提交
  8. 01 3月, 2011 1 次提交
  9. 26 2月, 2011 5 次提交
  10. 24 2月, 2011 2 次提交
  11. 23 2月, 2011 4 次提交
  12. 21 2月, 2011 1 次提交
  13. 19 2月, 2011 1 次提交
  14. 18 2月, 2011 1 次提交
  15. 17 2月, 2011 1 次提交
  16. 11 2月, 2011 2 次提交
    • D
      inet: Create a mechanism for upward inetpeer propagation into routes. · 6431cbc2
      David S. Miller 提交于
      If we didn't have a routing cache, we would not be able to properly
      propagate certain kinds of dynamic path attributes, for example
      PMTU information and redirects.
      
      The reason is that if we didn't have a routing cache, then there would
      be no way to lookup all of the active cached routes hanging off of
      sockets, tunnels, IPSEC bundles, etc.
      
      Consider the case where we created a cached route, but no inetpeer
      entry existed and also we were not asked to pre-COW the route metrics
      and therefore did not force the creation a new inetpeer entry.
      
      If we later get a PMTU message, or a redirect, and store this
      information in a new inetpeer entry, there is no way to teach that
      cached route about the newly existing inetpeer entry.
      
      The facilities implemented here handle this problem.
      
      First we create a generation ID.  When we create a cached route of any
      kind, we remember the generation ID at the time of attachment.  Any
      time we force-create an inetpeer entry in response to new path
      information, we bump that generation ID.
      
      The dst_ops->check() callback is where the knowledge of this event
      is propagated.  If the global generation ID does not equal the one
      stored in the cached route, and the cached route has not attached
      to an inetpeer yet, we look it up and attach if one is found.  Now
      that we've updated the cached route's information, we update the
      route's generation ID too.
      
      This clears the way for implementing PMTU and redirects directly in
      the inetpeer cache.  There is absolutely no need to consult cached
      route information in order to maintain this information.
      
      At this point nothing bumps the inetpeer genids, that comes in the
      later changes which handle PMTUs and redirects using inetpeers.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6431cbc2
    • D
      inetpeer: Abstract address representation further. · 7a71ed89
      David S. Miller 提交于
      Future changes will add caching information, and some of
      these new elements will be addresses.
      
      Since the family is implicit via the ->daddr.family member,
      replicating the family in ever address we store is entirely
      redundant.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7a71ed89