1. 05 Sep, 2014 5 commits
    • dev_ioctl: remove dev_load() CAP_SYS_MODULE message · e020836d
      Daniel Borkmann authored
      Marcel reported to see the following message when autoloading
      is being triggered when adding nlmon device:
      
        Loading kernel module for a network device with
        CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias
        netdev-nlmon instead.
      
      This false-positive happens despite with having correct
      capabilities set, e.g. through issuing `ip link del dev nlmon`
      more than once on a valid device with name nlmon, but Marcel
      has also seen it on creation time when no nlmon module is
      previously compiled-in or loaded as module and the device
      name equals a link type name (e.g. nlmon, vxlan, team).
      
      Stephen says:
      
        The netdev module alias is a hold over from the past. For
        normal devices, people used to create an alias eth0 and
        point it to the type of network device used, that was back
        in the bad old ISA days before real discovery.
      
        Also, the tunnels create module alias for the control device
        and ip used to use this to autoload the tunnel device.
      
        The message is bogus and should just be removed, I also see
        it in a couple of other cases where tap devices are renamed
        for other uses.
      
      As mentioned in 8909c9ad ("net: don't allow CAP_NET_ADMIN
      to load non-netdev kernel modules"), we nevertheless still
      might want to leave the old autoloading behaviour in place
      as it could break old scripts, so for now, lets just remove
      the log message as Stephen suggests.
      
      Reference: http://thread.gmane.org/gmane.linux.kernel/1105168
      Reported-by: Marcel Holtmann <marcel@holtmann.org>
      Suggested-by: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Cc: Vasiliy Kulikov <segoon@openwall.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      e020836d
    • net: bpf: make eBPF interpreter images read-only · 60a3b225
      Daniel Borkmann authored
      With eBPF getting more extended and exposure to user space is on its way,
      hardening the memory range the interpreter uses to steer its command flow
      seems appropriate.  This patch moves the to-be-interpreted bytecode to
      read-only pages.
      
      In case we execute a corrupted BPF interpreter image for some reason e.g.
      caused by an attacker which got past a verifier stage, it would not only
      provide arbitrary read/write memory access but arbitrary function calls
      as well. After setting up the BPF interpreter image, its contents do not
      change until destruction time, thus we can setup the image on immutable
      made pages in order to mitigate modifications to that code. The idea
      is derived from commit 314beb9b ("x86: bpf_jit_comp: secure bpf jit
      against spraying attacks").
      
      This is possible because bpf_prog is not part of sk_filter anymore.
      After setup bpf_prog cannot be altered during its life-time. This prevents
      any modifications to the entire bpf_prog structure (incl. function/JIT
      image pointer).
      
      Every eBPF program (including classic BPF that are migrated) have to call
      bpf_prog_select_runtime() to select either interpreter or a JIT image
      as a last setup step, and they all are being freed via bpf_prog_free(),
      including non-JIT. Therefore, we can easily integrate this into the
      eBPF life-time, plus since we directly allocate a bpf_prog, we have no
      performance penalty.
      
      Tested with seccomp and test_bpf testsuite in JIT/non-JIT mode and manual
      inspection of kernel_page_tables.  Brad Spengler proposed the same idea
      via Twitter during development of this patch.
      
      Joint work with Hannes Frederic Sowa.
      Suggested-by: Brad Spengler <spender@grsecurity.net>
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: Alexei Starovoitov <ast@plumgrid.com>
      Cc: Kees Cook <keescook@chromium.org>
      Acked-by: Alexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      60a3b225
    • net: systemport: update UMAC_CMD only when link is detected · 4a804c01
      Florian Fainelli authored
      When we bring the interface down, phy_stop() will schedule the PHY
      state machine to call our link adjustment callback. By the time we do so,
      we may have clock gated off the SYSTEMPORT hardware block, and this will
      cause bus errors to happen in bcm_sysport_adj_link():
      
      Make sure that we only touch the UMAC_CMD register when there is an
      actual link. This is safe to do for two reasons:
      
      - updating the Ethernet MAC registers only makes sense when a physical
        link is present
      - the PHY library state machine first sets phydev->link = 0 before
        invoking phydev->adjust_link in the PHY_HALTED case
      
      This is a similar fix to the GENET one:
      c677ba8b ("net: bcmgenet: update
      UMAC_CMD only when link is detected").
      
      Fixes: 80105bef ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      4a804c01
    • ipv4: implement igmp_qrv sysctl to tune igmp robustness variable · a9fe8e29
      Hannes Frederic Sowa authored
      As in IPv6 people might increase the igmp query robustness variable to
      make sure unsolicited state change reports aren't lost on the network. Add
      and document this new knob to igmp code.
      
      RFCs allow tuning this parameter back to first IGMP RFC, so we also use
      this setting for all counters, including source specific multicast.
      
      Also take over sysctl value when upping the interface and don't reuse
      the last one seen on the interface.
      
      Cc: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a9fe8e29
    • ipv6: add sysctl_mld_qrv to configure query robustness variable · 2f711939
      Hannes Frederic Sowa authored
      This patch adds a new sysctl_mld_qrv knob to configure the mldv1/v2 query
      robustness variable. It specifies how many retransmits of unsolicited mld
      reports should happen. Admins might want to tune this on lossy links.
      
      Also reset mld state on interface down/up, so we pick up new sysctl
      settings during interface up event.
      
      IPv6 certification requests this knob to be available.
      
      I didn't make this knob netns specific, as it is mostly a setting in a
      physical environment and should be per host.
      
      Cc: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: Flavio Leitner <fbl@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      2f711939
  2. 04 Sep, 2014 4 commits
  3. 02 Sep, 2014 31 commits