Because some network services and clients might bind(2) (or even connect(2)) to a legitimate range of ports (e.g. to improve the number of concurrent connections between internal services), it would be useful to be able to extend the landlock_net_port_attr struct with a port_last field.
We should note that this can already be controlled system-wide with the port range defined in /proc/sys/net/ipv4/ip_local_port_range (for both IPv4 and IPv6) when binding to port 0 is allowed, but that is a coarse, global limitation rather than a per-ruleset one.
Implementing efficient port range matching will require a dedicated data structure (different from the current ruleset's root_net_port red-black tree), keeping in mind #1.
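As an added illustration (not code from this issue or from the Landlock tree), the following C sketch shows the kind of interval table a port_last field would call for: rules are kept sorted by port_first and pairwise disjoint, a lookup is a binary search over ranges instead of an exact-port red-black-tree match, and a repeated identical range merges its access bits. The struct layout, the NET_* bits and all function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Assumed access bits, mirroring Landlock's two network accesses. */
#define NET_BIND_TCP    (1ULL << 0)
#define NET_CONNECT_TCP (1ULL << 1)

/* Hypothetical: landlock_net_port_attr plus the proposed port_last field. */
struct port_range_rule {
	uint64_t allowed_access;
	uint16_t port_first, port_last;	/* inclusive; equal for a single port */
};
struct port_range_table {	/* sorted by port_first, pairwise disjoint */
	struct port_range_rule rules[64];
	size_t n;
};

/* Returns 0 on success, -1 on a bad range, a full table, or a partial overlap.
 * An identical range merges access rights (OR), as a repeated port rule would. */
int port_range_add(struct port_range_table *t, uint16_t first, uint16_t last, uint64_t access)
{
	size_t i = 0;
	if (first > last || access == 0 || t->n == 64)
		return -1;
	while (i < t->n && t->rules[i].port_last < first)
		i++;
	if (i < t->n && t->rules[i].port_first <= last) {	/* overlaps rule i */
		if (t->rules[i].port_first != first || t->rules[i].port_last != last)
			return -1;
		t->rules[i].allowed_access |= access;
		return 0;
	}
	memmove(&t->rules[i + 1], &t->rules[i], (t->n - i) * sizeof(t->rules[0]));
	t->rules[i] = (struct port_range_rule){ access, first, last };
	t->n++;
	return 0;
}

/* Binary search for the rule covering port; 0 means no rule matches. */
uint64_t port_range_lookup(const struct port_range_table *t, uint16_t port)
{
	size_t lo = 0, hi = t->n;
	while (lo < hi) {
		size_t mid = lo + (hi - lo) / 2;
		if (port < t->rules[mid].port_first)
			hi = mid;
		else if (port > t->rules[mid].port_last)
			lo = mid + 1;
		else
			return t->rules[mid].allowed_access;
	}
	return 0;
}
```

Rejecting partial overlaps keeps the table disjoint so a single binary search suffices; a real implementation would instead need to split or merge overlapping ranges across layers.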
[ Upstream commit a699781 ]
A sysfs reader can race with a device reset or removal, attempting to
read device state when the device is not actually present. eg:
[exception RIP: qed_get_current_link+17]
#8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]
#9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3
#10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4
#11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300
#12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c
#13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b
#14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3
#15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1
#16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f
#17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb
crash> struct net_device.state ffff9a9d21336000
state = 5,
state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).
The device is not present, note lack of __LINK_STATE_PRESENT (0b10).
This is the same sort of panic as observed in commit 4224cfd
("net-sysfs: add check for netdevice being present to speed_show").
There are many other callers of __ethtool_get_link_ksettings() which
don't have a device presence check.
Move this check into ethtool to protect all callers.
Fixes: d519e17 ("net: export device speed and duplex via sysfs")
Fixes: 4224cfd ("net-sysfs: add check for netdevice being present to speed_show")
Signed-off-by: Jamie Bainbridge <[email protected]>
Link: https://patch.msgid.link/8bae218864beaa44ed01628140475b9bf641c5b0.1724393671.git.jamie.bainbridge@gmail.com
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
See thread: https://lore.kernel.org/netdev/[email protected]/
Related to #15
Cc @BoardzMaster