We're working on a user space control plane for the BPF sk_lookup hook [1]. The hook attaches to a network namespace and allows control over which socket receives a new connection / packet.
Roughly, applications can give a socket to our user space component to participate in custom bind semantics. This creates an edge case where an application can provide us with a socket that lives in a different network namespace than our BPF sk_lookup program. We'd like to return an error in this case.
Additionally, we have some user space state that is tied to the network namespace. We currently use the inode of the nsfs entry in a directory name, but this is suffers from inode reuse.
I'm proposing to fix both of these issues by adding a new SO_NETNS_COOKIE socket option as well as a NS_GET_COOKIE ioctl. Using these we get a stable, unique identifier for a network namespace and check whether a socket belongs to the "correct" namespace.
NS_GET_COOKIE could be renamed to NS_GET_NET_COOKIE. I kept the name generic because it seems like other namespace types could benefit from a cookie as well.
I'm trying to land this via the bpf tree since this is where the netns cookie originated, please let me know if this isn't appropriate.
1: https://www.kernel.org/doc/html/latest/bpf/prog_sk_lookup.html
Cc: bpf@vger.kernel.org Cc: linux-alpha@vger.kernel.org Cc: linux-api@vger.kernel.org Cc: linux-arch@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Cc: linux-mips@vger.kernel.org Cc: linux-parisc@vger.kernel.org Cc: netdev@vger.kernel.org Cc: sparclinux@vger.kernel.org
Lorenz Bauer (4): net: add SO_NETNS_COOKIE socket option nsfs: add an ioctl to discover the network namespace cookie tools/testing: add test for NS_GET_COOKIE tools/testing: add a selftest for SO_NETNS_COOKIE
arch/alpha/include/uapi/asm/socket.h | 2 + arch/mips/include/uapi/asm/socket.h | 2 + arch/parisc/include/uapi/asm/socket.h | 2 + arch/sparc/include/uapi/asm/socket.h | 2 + fs/nsfs.c | 9 +++ include/linux/sock_diag.h | 20 ++++++ include/net/net_namespace.h | 11 ++++ include/uapi/asm-generic/socket.h | 2 + include/uapi/linux/nsfs.h | 2 + net/core/filter.c | 9 ++- net/core/sock.c | 7 +++ tools/testing/selftests/net/.gitignore | 1 + tools/testing/selftests/net/Makefile | 2 +- tools/testing/selftests/net/so_netns_cookie.c | 61 +++++++++++++++++++ tools/testing/selftests/nsfs/.gitignore | 1 + tools/testing/selftests/nsfs/Makefile | 2 +- tools/testing/selftests/nsfs/netns.c | 57 +++++++++++++++++ 17 files changed, 185 insertions(+), 7 deletions(-) create mode 100644 tools/testing/selftests/net/so_netns_cookie.c create mode 100644 tools/testing/selftests/nsfs/netns.c
Check that NS_GET_COOKIE returns a non-zero value, and that distinct network namespaces have different cookies.
Signed-off-by: Lorenz Bauer lmb@cloudflare.com --- tools/testing/selftests/nsfs/.gitignore | 1 + tools/testing/selftests/nsfs/Makefile | 2 +- tools/testing/selftests/nsfs/netns.c | 57 +++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/nsfs/netns.c
diff --git a/tools/testing/selftests/nsfs/.gitignore b/tools/testing/selftests/nsfs/.gitignore index ed79ebdf286e..ca31b216215b 100644 --- a/tools/testing/selftests/nsfs/.gitignore +++ b/tools/testing/selftests/nsfs/.gitignore @@ -1,3 +1,4 @@ # SPDX-License-Identifier: GPL-2.0-only owner pidns +netns diff --git a/tools/testing/selftests/nsfs/Makefile b/tools/testing/selftests/nsfs/Makefile index dd9bd50b7b93..93793cdb5a7c 100644 --- a/tools/testing/selftests/nsfs/Makefile +++ b/tools/testing/selftests/nsfs/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0-only -TEST_GEN_PROGS := owner pidns +TEST_GEN_PROGS := owner pidns netns
CFLAGS := -Wall -Werror
diff --git a/tools/testing/selftests/nsfs/netns.c b/tools/testing/selftests/nsfs/netns.c new file mode 100644 index 000000000000..8ab862667b45 --- /dev/null +++ b/tools/testing/selftests/nsfs/netns.c @@ -0,0 +1,57 @@ +// SPDX-License-Identifier: GPL-2.0 +#define _GNU_SOURCE +#include <sched.h> +#include <unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <fcntl.h> +#include <sys/ioctl.h> + +#define NSIO 0xb7 +#define NS_GET_COOKIE _IO(NSIO, 0x5) + +#define pr_err(fmt, ...) \ + ({ \ + fprintf(stderr, "%s:%d:" fmt ": %m\n", \ + __func__, __LINE__, ##__VA_ARGS__); \ + 1; \ + }) + +int main(int argc, char *argvp[]) +{ + uint64_t cookie1, cookie2; + char path[128]; + int ns; + + snprintf(path, sizeof(path), "/proc/%d/ns/net", getpid()); + ns = open(path, O_RDONLY); + if (ns < 0) + return pr_err("Unable to open %s", path); + + if (ioctl(ns, NS_GET_COOKIE, &cookie1)) + return pr_err("Unable to get first namespace cookie"); + + if (!cookie1) + return pr_err("NS_GET_COOKIE returned zero first cookie"); + + close(ns); + if (unshare(CLONE_NEWNET)) + return pr_err("unshare"); + + ns = open(path, O_RDONLY); + if (ns < 0) + return pr_err("Unable to open %s", path); + + if (ioctl(ns, NS_GET_COOKIE, &cookie2)) + return pr_err("Unable to get second namespace cookie"); + + if (!cookie2) + return pr_err("NS_GET_COOKIE returned zero second cookie"); + + if (cookie1 == cookie2) + return pr_err("NS_GET_COOKIE returned identical cookies for distinct ns"); + + close(ns); + return 0; +}
Make sure that SO_NETNS_COOKIE returns a non-zero value, and that sockets from different namespaces have a distinct cookie value.
Signed-off-by: Lorenz Bauer lmb@cloudflare.com --- tools/testing/selftests/net/.gitignore | 1 + tools/testing/selftests/net/Makefile | 2 +- tools/testing/selftests/net/so_netns_cookie.c | 61 +++++++++++++++++++ 3 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/net/so_netns_cookie.c
diff --git a/tools/testing/selftests/net/.gitignore b/tools/testing/selftests/net/.gitignore index 61ae899cfc17..19deb9cdf72f 100644 --- a/tools/testing/selftests/net/.gitignore +++ b/tools/testing/selftests/net/.gitignore @@ -30,3 +30,4 @@ hwtstamp_config rxtimestamp timestamping txtimestamp +so_netns_cookie diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index fa5fa425d148..a0f45a71a8f1 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -27,7 +27,7 @@ TEST_GEN_FILES = socket nettest TEST_GEN_FILES += psock_fanout psock_tpacket msg_zerocopy reuseport_addr_any TEST_GEN_FILES += tcp_mmap tcp_inq psock_snd txring_overwrite TEST_GEN_FILES += udpgso udpgso_bench_tx udpgso_bench_rx ip_defrag -TEST_GEN_FILES += so_txtime ipv6_flowlabel ipv6_flowlabel_mgr +TEST_GEN_FILES += so_txtime ipv6_flowlabel ipv6_flowlabel_mgr so_netns_cookie TEST_GEN_FILES += tcp_fastopen_backup_key TEST_GEN_FILES += fin_ack_lat TEST_GEN_FILES += reuseaddr_ports_exhausted diff --git a/tools/testing/selftests/net/so_netns_cookie.c b/tools/testing/selftests/net/so_netns_cookie.c new file mode 100644 index 000000000000..b39e87e967cd --- /dev/null +++ b/tools/testing/selftests/net/so_netns_cookie.c @@ -0,0 +1,61 @@ +// SPDX-License-Identifier: GPL-2.0 +#define _GNU_SOURCE +#include <sched.h> +#include <unistd.h> +#include <stdio.h> +#include <errno.h> +#include <string.h> +#include <stdlib.h> +#include <stdint.h> +#include <sys/types.h> +#include <sys/socket.h> + +#ifndef SO_NETNS_COOKIE +#define SO_NETNS_COOKIE 71 +#endif + +#define pr_err(fmt, ...) \ + ({ \ + fprintf(stderr, "%s:%d:" fmt ": %m\n", \ + __func__, __LINE__, ##__VA_ARGS__); \ + 1; \ + }) + +int main(int argc, char *argvp[]) +{ + uint64_t cookie1, cookie2; + socklen_t vallen; + int sock1, sock2; + + sock1 = socket(AF_INET, SOCK_STREAM, 0); + if (sock1 < 0) + return pr_err("Unable to create TCP socket"); + + vallen = sizeof(cookie1); + if (getsockopt(sock1, SOL_SOCKET, SO_NETNS_COOKIE, &cookie1, &vallen) != 0) + return pr_err("getsockopt(SOL_SOCKET, SO_NETNS_COOKIE)"); + + if (!cookie1) + return pr_err("SO_NETNS_COOKIE returned zero cookie"); + + if (unshare(CLONE_NEWNET)) + return pr_err("unshare"); + + sock2 = socket(AF_INET, SOCK_STREAM, 0); + if (sock2 < 0) + return pr_err("Unable to create TCP socket"); + + vallen = sizeof(cookie2); + if (getsockopt(sock2, SOL_SOCKET, SO_NETNS_COOKIE, &cookie2, &vallen) != 0) + return pr_err("getsockopt(SOL_SOCKET, SO_NETNS_COOKIE)"); + + if (!cookie2) + return pr_err("SO_NETNS_COOKIE returned zero cookie"); + + if (cookie1 == cookie2) + return pr_err("SO_NETNS_COOKIE returned identical cookies for distinct ns"); + + close(sock1); + close(sock2); + return 0; +}
linux-kselftest-mirror@lists.linaro.org
-
Lorenz Bauer