Message ID | 20250305-mptcp-tcp-ulp-diag-cap-v2-1-d53fd80748eb@kernel.org (mailing list archive) |
---|---|
State | Accepted |
Commit | 6040da37f014ae11a004df5bde6ed9be9dd9e6db |
Delegated to: | Matthieu Baerts |
Series | tcp: ulp: diag: remove net admin restriction | expand |
Context | Check | Description |
---|---|---|
matttbe/build | success | Build and static analysis OK |
matttbe/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 59 lines checked |
matttbe/shellcheck | success | MPTCP selftests files have not been modified |
matttbe/KVM_Validation__normal | success | Success! ✅ |
matttbe/KVM_Validation__debug | success | Success! ✅ |
matttbe/KVM_Validation__btf-normal__only_bpftest_all_ | success | Success! ✅ |
matttbe/KVM_Validation__btf-debug__only_bpftest_all_ | success | Success! ✅ |
On Wed, 5 Mar 2025, Matthieu Baerts (NGI0) wrote:
> Since its introduction in commit 61723b393292 ("tcp: ulp: add functions
> to dump ulp-specific information"), the ULP diag info have been exported
> only if the requester had CAP_NET_ADMIN.
>
> At least the ULP name can be exported without CAP_NET_ADMIN. This will
> already help identifying which layer is being used, e.g. which TCP
> connections are in fact MPTCP subflow.
>
> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
> ---
> net/ipv4/tcp_diag.c | 21 ++++++++++-----------
> 1 file changed, 10 insertions(+), 11 deletions(-)
Hi Matthieu - Thanks for the v2, and also for splitting up the series. These TCP changes look good to me:
Acked-by: Mat Martineau <martineau@kernel.org>
>
> diff --git a/net/ipv4/tcp_diag.c b/net/ipv4/tcp_diag.c
> index f428ecf9120f2f596e1d67db2b2a0d0d0e211905..d8bba37dbffd8c6cc7fab2328a88b6ce6ea3e9f4 100644
> --- a/net/ipv4/tcp_diag.c
> +++ b/net/ipv4/tcp_diag.c
> @@ -83,7 +83,7 @@ static int tcp_diag_put_md5sig(struct sk_buff *skb,
> #endif
>
> static int tcp_diag_put_ulp(struct sk_buff *skb, struct sock *sk,
> - const struct tcp_ulp_ops *ulp_ops)
> + const struct tcp_ulp_ops *ulp_ops, bool net_admin)
> {
> struct nlattr *nest;
> int err;
> @@ -96,7 +96,7 @@ static int tcp_diag_put_ulp(struct sk_buff *skb, struct sock *sk,
> if (err)
> goto nla_failure;
>
> - if (ulp_ops->get_info)
> + if (net_admin && ulp_ops->get_info)
> err = ulp_ops->get_info(sk, skb);
> if (err)
> goto nla_failure;
> @@ -113,6 +113,7 @@ static int tcp_diag_get_aux(struct sock *sk, bool net_admin,
> struct sk_buff *skb)
> {
> struct inet_connection_sock *icsk = inet_csk(sk);
> + const struct tcp_ulp_ops *ulp_ops;
> int err = 0;
>
> #ifdef CONFIG_TCP_MD5SIG
> @@ -129,15 +130,13 @@ static int tcp_diag_get_aux(struct sock *sk, bool net_admin,
> }
> #endif
>
> - if (net_admin) {
> - const struct tcp_ulp_ops *ulp_ops;
> -
> - ulp_ops = icsk->icsk_ulp_ops;
> - if (ulp_ops)
> - err = tcp_diag_put_ulp(skb, sk, ulp_ops);
> - if (err)
> + ulp_ops = icsk->icsk_ulp_ops;
> + if (ulp_ops) {
> + err = tcp_diag_put_ulp(skb, sk, ulp_ops, net_admin);
> + if (err < 0)
> return err;
> }
> +
> return 0;
> }
>
> @@ -164,14 +163,14 @@ static size_t tcp_diag_get_aux_size(struct sock *sk, bool net_admin)
> }
> #endif
>
> - if (net_admin && sk_fullsock(sk)) {
> + if (sk_fullsock(sk)) {
> const struct tcp_ulp_ops *ulp_ops;
>
> ulp_ops = icsk->icsk_ulp_ops;
> if (ulp_ops) {
> size += nla_total_size(0) +
> nla_total_size(TCP_ULP_NAME_MAX);
> - if (ulp_ops->get_info_size)
> + if (net_admin && ulp_ops->get_info_size)
> size += ulp_ops->get_info_size(sk);
> }
> }
>
> --
> 2.47.1
>
>
diff --git a/net/ipv4/tcp_diag.c b/net/ipv4/tcp_diag.c
index f428ecf9120f2f596e1d67db2b2a0d0d0e211905..d8bba37dbffd8c6cc7fab2328a88b6ce6ea3e9f4 100644
--- a/net/ipv4/tcp_diag.c
+++ b/net/ipv4/tcp_diag.c
@@ -83,7 +83,7 @@ static int tcp_diag_put_md5sig(struct sk_buff *skb,
 #endif

 static int tcp_diag_put_ulp(struct sk_buff *skb, struct sock *sk,
- const struct tcp_ulp_ops *ulp_ops)
+ const struct tcp_ulp_ops *ulp_ops, bool net_admin)
 {
 struct nlattr *nest;
 int err;
@@ -96,7 +96,7 @@ static int tcp_diag_put_ulp(struct sk_buff *skb, struct sock *sk,
 if (err)
 goto nla_failure;

- if (ulp_ops->get_info)
+ if (net_admin && ulp_ops->get_info)
 err = ulp_ops->get_info(sk, skb);
 if (err)
 goto nla_failure;
@@ -113,6 +113,7 @@ static int tcp_diag_get_aux(struct sock *sk, bool net_admin,
 struct sk_buff *skb)
 {
 struct inet_connection_sock *icsk = inet_csk(sk);
+ const struct tcp_ulp_ops *ulp_ops;
 int err = 0;

 #ifdef CONFIG_TCP_MD5SIG
@@ -129,15 +130,13 @@ static int tcp_diag_get_aux(struct sock *sk, bool net_admin,
 }
 #endif

- if (net_admin) {
- const struct tcp_ulp_ops *ulp_ops;
-
- ulp_ops = icsk->icsk_ulp_ops;
- if (ulp_ops)
- err = tcp_diag_put_ulp(skb, sk, ulp_ops);
- if (err)
+ ulp_ops = icsk->icsk_ulp_ops;
+ if (ulp_ops) {
+ err = tcp_diag_put_ulp(skb, sk, ulp_ops, net_admin);
+ if (err < 0)
 return err;
 }
+
 return 0;
 }

@@ -164,14 +163,14 @@ static size_t tcp_diag_get_aux_size(struct sock *sk, bool net_admin)
 }
 #endif

- if (net_admin && sk_fullsock(sk)) {
+ if (sk_fullsock(sk)) {
 const struct tcp_ulp_ops *ulp_ops;

 ulp_ops = icsk->icsk_ulp_ops;
 if (ulp_ops) {
 size += nla_total_size(0) +
 nla_total_size(TCP_ULP_NAME_MAX);
- if (ulp_ops->get_info_size)
+ if (net_admin && ulp_ops->get_info_size)
 size += ulp_ops->get_info_size(sk);
 }
 }
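Review bot: The `net_admin &&` gate added in tcp_diag_put_ulp (hunk `@@ -96,7 +96,7`) is the only thing now separating the unprivileged ULP name from the per-ULP details, and nothing in the code says so. A short comment above the condition would keep a later cleanup from dropping it, for example `/* The ULP name is exported to everyone; get_info() output stays behind CAP_NET_ADMIN. */`. The same remark fits the new `bool net_admin` parameter in the signature hunk `@@ -83,7 +83,7`. What each `get_info` callback exports is not visible here, so the comment should stay generic. The function body begins and ends outside this hunk.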
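Review bot: The caller check in tcp_diag_get_aux (hunk `@@ -129,15 +130,13`) changes from `if (err)` to `if (err < 0)`, while tcp_diag_put_ulp still takes its `nla_failure` path on any non-zero `err` (hunk `@@ -96,7 +96,7`). If a `get_info` callback ever returned a positive value, put_ulp would fail but this caller would now return 0, presumably leaving the reply without the ULP attribute and with no error reported. Either keep `if (err)` here, or state in a comment that tcp_diag_put_ulp returns 0 or a negative errno. The function starts outside this hunk.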
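Review bot: tcp_diag_get_aux_size keeps the `sk_fullsock(sk)` guard before reading `icsk->icsk_ulp_ops` (hunk `@@ -164,14 +163,14`), but the fill side in tcp_diag_get_aux (hunk `@@ -129,15 +130,13`) reads the same field with no such guard visible. With `net_admin` dropped from both conditions, that read is now reached for every requester rather than only privileged ones. The callers are not visible here; presumably only full sockets reach tcp_diag_get_aux, in which case a one-line comment such as `/* only called for full sockets, see tcp_diag_get_aux_size() */` would record the assumption. Otherwise the `sk_fullsock()` check should be mirrored on the fill side.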
Since its introduction in commit 61723b393292 ("tcp: ulp: add functions to dump ulp-specific information"), the ULP diag info have been exported only if the requester had CAP_NET_ADMIN. At least the ULP name can be exported without CAP_NET_ADMIN. This will already help identifying which layer is being used, e.g. which TCP connections are in fact MPTCP subflow. Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org> --- net/ipv4/tcp_diag.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-)