Fix checking for sender of rtnetlink messages

So far we did check that incoming message comes has uid == 0. However this doesn't work if avahi is running inside net_ns && user_ns. Instead we should check that message comes from kernel, i.e. pid == 0. Thanks Lubomir Rintel <lkundrak@v3.sk> for the patch. Resolves: #1227052
2015-06-17 22:54:05 +02:00 · 2015-06-17 22:54:05 +02:00 · 3b52db469b
commit 3b52db469b
parent 0ca6f3f5b1
2 changed files with 47 additions and 1 deletions
--- a/0001-netlink-check-that-the-origin-of-the-rtnetlink-messa.patch
+++ b/0001-netlink-check-that-the-origin-of-the-rtnetlink-messa.patch
@ -0,0 +1,41 @@
+From b8b2b4a03de019e14e439d30ab2d929aec5d6524 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Mon, 1 Jun 2015 21:13:40 +0200
+Subject: [PATCH] netlink: check that the origin of the rtnetlink messages is
+ kernel
+
+Instead of asserting it's from UID 0, which breaks in network namespaces.
+---
+ avahi-autoipd/iface-linux.c | 2 +-
+ avahi-core/netlink.c        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/avahi-autoipd/iface-linux.c b/avahi-autoipd/iface-linux.c
+index 83e9e41..1888e37 100644
+--- a/avahi-autoipd/iface-linux.c
+++ b/avahi-autoipd/iface-linux.c
+@@ -215,7 +215,7 @@ static int process_response(int wait_for_done, unsigned seq) {
+ 
+         ucred = (struct ucred*) CMSG_DATA(cmsghdr);
+ 
+-        if (ucred->uid != 0)
+        if (ucred->pid != 0)
+             return -1;
+ 
+         bytes = (size_t) r;
+diff --git a/avahi-core/netlink.c b/avahi-core/netlink.c
+index 4ded5ec..b8c0c06 100644
+--- a/avahi-core/netlink.c
+++ b/avahi-core/netlink.c
+@@ -82,7 +82,7 @@ int avahi_netlink_work(AvahiNetlink *nl, int block) {
+ 
+     cred = (struct ucred*) CMSG_DATA(cmsg);
+ 
+-    if (cred->uid != 0)
+    if (cred->pid != 0)
+         return -1;
+ 
+     p = (struct nlmsghdr *) nl->buffer;
+-- 
+2.4.3
+
--- a/avahi.spec
+++ b/avahi.spec
@ -18,7 +18,7 @@

 Name:             avahi
 Version:          0.6.31
-Release:          34%{?dist}
+Release:          35%{?dist}
 Summary:          Local network service discovery
 License:          LGPLv2+
 URL:              http://avahi.org
@ -74,6 +74,7 @@ Patch1:           avahi-0.6.31-no-deprecations.patch

 # https://bugzilla.redhat.com/show_bug.cgi?id=1105647
 Patch2:           0001-Disable-publish-workstation-and-publish-hinfo-by-def.patch
+Patch3:           0001-netlink-check-that-the-origin-of-the-rtnetlink-messa.patch

 %description
 Avahi is a system which facilitates service discovery on
@ -325,6 +326,7 @@ fashion with mDNS.
 %patch0 -p1 -b .mono-libdir
 %patch1 -p1 -b .no_deprecations
 %patch2 -p1 -b .disable-workstation-hinfo
+%patch3 -p1 -b .netlink-userns
 rm docs/INSTALL

 # patch1 requires autogen
@ -663,6 +665,9 @@ exit 0
 %endif

 %changelog
+* Wed Jun 17 2015 Michal Sekletar <msekleta@redhat.com> - 0.6.31-35
+- check that rtnetlink messages has pid == 0, i.e. they sender is kernel (#1227052)
+
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6.31-34
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild