diff options
| author | Dean Deng <deandeng@google.com> | 2019-12-03 08:32:03 -0800 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2019-12-03 08:33:22 -0800 |
| commit | 19b2d997ec702e559bdb5f5e60634a7c5d7d288e (patch) | |
| tree | f6c30ec26fb7b4a4d2df221039456e64bccbf6f9 | |
| parent | ce32c0684311923fb80dd04221d5fd5120170cf9 (diff) | |
Support IP_TOS and IPV6_TCLASS socket options for hostinet sockets.
There are two potential ways of sending a TOS byte with outgoing packets:
including a control message in sendmsg, or setting the IP_TOS/IPV6_TCLASS
socket options (for IPV4 and IPV6 respectively). This change lets hostinet
support the latter.
Fixes #1188
PiperOrigin-RevId: 283550925
| -rw-r--r-- | pkg/sentry/socket/hostinet/socket.go | 8 | ||||
| -rw-r--r-- | runsc/boot/filter/config.go | 24 |
2 files changed, 28 insertions, 4 deletions
diff --git a/pkg/sentry/socket/hostinet/socket.go b/pkg/sentry/socket/hostinet/socket.go index 8d9363aac..a8c152b54 100644 --- a/pkg/sentry/socket/hostinet/socket.go +++ b/pkg/sentry/socket/hostinet/socket.go @@ -289,12 +289,12 @@ func (s *socketOperations) GetSockOpt(t *kernel.Task, level int, name int, outPt switch level { case linux.SOL_IP: switch name { - case linux.IP_RECVTOS: + case linux.IP_TOS, linux.IP_RECVTOS: optlen = sizeofInt32 } case linux.SOL_IPV6: switch name { - case linux.IPV6_RECVTCLASS, linux.IPV6_V6ONLY: + case linux.IPV6_TCLASS, linux.IPV6_RECVTCLASS, linux.IPV6_V6ONLY: optlen = sizeofInt32 } case linux.SOL_SOCKET: @@ -334,12 +334,12 @@ func (s *socketOperations) SetSockOpt(t *kernel.Task, level int, name int, opt [ switch level { case linux.SOL_IP: switch name { - case linux.IP_RECVTOS: + case linux.IP_TOS, linux.IP_RECVTOS: optlen = sizeofInt32 } case linux.SOL_IPV6: switch name { - case linux.IPV6_RECVTCLASS, linux.IPV6_V6ONLY: + case linux.IPV6_TCLASS, linux.IPV6_RECVTCLASS, linux.IPV6_V6ONLY: optlen = sizeofInt32 } case linux.SOL_SOCKET: diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go index bf690160c..4fb9adca6 100644 --- a/runsc/boot/filter/config.go +++ b/runsc/boot/filter/config.go @@ -313,11 +313,21 @@ func hostInetFilters() seccomp.SyscallRules { { seccomp.AllowAny{}, seccomp.AllowValue(syscall.SOL_IP), + seccomp.AllowValue(syscall.IP_TOS), + }, + { + seccomp.AllowAny{}, + seccomp.AllowValue(syscall.SOL_IP), seccomp.AllowValue(syscall.IP_RECVTOS), }, { seccomp.AllowAny{}, seccomp.AllowValue(syscall.SOL_IPV6), + seccomp.AllowValue(syscall.IPV6_TCLASS), + }, + { + seccomp.AllowAny{}, + seccomp.AllowValue(syscall.SOL_IPV6), seccomp.AllowValue(syscall.IPV6_RECVTCLASS), }, { @@ -426,6 +436,13 @@ func hostInetFilters() seccomp.SyscallRules { { seccomp.AllowAny{}, seccomp.AllowValue(syscall.SOL_IP), + seccomp.AllowValue(syscall.IP_TOS), + seccomp.AllowAny{}, + seccomp.AllowValue(4), + }, + { + seccomp.AllowAny{}, + seccomp.AllowValue(syscall.SOL_IP), seccomp.AllowValue(syscall.IP_RECVTOS), seccomp.AllowAny{}, seccomp.AllowValue(4), @@ -433,6 +450,13 @@ func hostInetFilters() seccomp.SyscallRules { { seccomp.AllowAny{}, seccomp.AllowValue(syscall.SOL_IPV6), + seccomp.AllowValue(syscall.IPV6_TCLASS), + seccomp.AllowAny{}, + seccomp.AllowValue(4), + }, + { + seccomp.AllowAny{}, + seccomp.AllowValue(syscall.SOL_IPV6), seccomp.AllowValue(syscall.IPV6_RECVTCLASS), seccomp.AllowAny{}, seccomp.AllowValue(4), |