Support sending with packet sockets

...through the loopback interface, only.

This change only supports sending on packet sockets through the loopback
interface as the loopback interface is the only interface used in packet
socket syscall tests - the other link endpoints are not excercised with
the existing test infrastructure.

Support for sending on packet sockets through the other interfaces will
be added as needed.

BUG: https://fxbug.dev/81592
PiperOrigin-RevId: 394368899

3 files changed, 17 insertions, 10 deletions

diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 3f667cd74..1dd0048ac 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -1089,13 +1089,14 @@ func newRootNetworkNamespace(conf *config.Config, clock tcpip.Clock, uniqueID st
 		return inet.NewRootNamespace(hostinet.NewStack(), nil), nil
 
 	case config.NetworkNone, config.NetworkSandbox:
-		s, err := newEmptySandboxNetworkStack(clock, uniqueID)
+		s, err := newEmptySandboxNetworkStack(clock, uniqueID, conf.AllowPacketEndpointWrite)
 		if err != nil {
 			return nil, err
 		}
 		creator := &sandboxNetstackCreator{
-			clock:    clock,
-			uniqueID: uniqueID,
+			clock:                    clock,
+			uniqueID:                 uniqueID,
+			allowPacketEndpointWrite: conf.AllowPacketEndpointWrite,
 		}
 		return inet.NewRootNamespace(s, creator), nil
 
@@ -1105,7 +1106,7 @@ func newRootNetworkNamespace(conf *config.Config, clock tcpip.Clock, uniqueID st
 
 }
 
-func newEmptySandboxNetworkStack(clock tcpip.Clock, uniqueID stack.UniqueID) (inet.Stack, error) {
+func newEmptySandboxNetworkStack(clock tcpip.Clock, uniqueID stack.UniqueID, allowPacketEndpointWrite bool) (inet.Stack, error) {
 	netProtos := []stack.NetworkProtocolFactory{ipv4.NewProtocol, ipv6.NewProtocol, arp.NewProtocol}
 	transProtos := []stack.TransportProtocolFactory{
 		tcp.NewProtocol,
@@ -1121,9 +1122,10 @@ func newEmptySandboxNetworkStack(clock tcpip.Clock, uniqueID stack.UniqueID) (in
 		HandleLocal:        true,
 		// Enable raw sockets for users with sufficient
 		// privileges.
-		RawFactory:      raw.EndpointFactory{},
-		UniqueID:        uniqueID,
-		DefaultIPTables: netfilter.DefaultLinuxTables,
+		RawFactory:               raw.EndpointFactory{},
+		AllowPacketEndpointWrite: allowPacketEndpointWrite,
+		UniqueID:                 uniqueID,
+		DefaultIPTables:          netfilter.DefaultLinuxTables,
 	})}
 
 	// Enable SACK Recovery.
@@ -1160,13 +1162,14 @@ func newEmptySandboxNetworkStack(clock tcpip.Clock, uniqueID stack.UniqueID) (in
 //
 // +stateify savable
 type sandboxNetstackCreator struct {
-	clock    tcpip.Clock
-	uniqueID stack.UniqueID
+	clock                    tcpip.Clock
+	uniqueID                 stack.UniqueID
+	allowPacketEndpointWrite bool
 }
 
 // CreateStack implements kernel.NetworkStackCreator.CreateStack.
 func (f *sandboxNetstackCreator) CreateStack() (inet.Stack, error) {
-	s, err := newEmptySandboxNetworkStack(f.clock, f.uniqueID)
+	s, err := newEmptySandboxNetworkStack(f.clock, f.uniqueID, f.allowPacketEndpointWrite)
 	if err != nil {
 		return nil, err
 	}
diff --git a/runsc/config/config.go b/runsc/config/config.go
index 2f52863ff..2ce8cc006 100644
--- a/runsc/config/config.go
+++ b/runsc/config/config.go
@@ -86,6 +86,9 @@ type Config struct {
 	// capabilities.
 	EnableRaw bool `flag:"net-raw"`
 
+	// AllowPacketEndpointWrite enables write operations on packet endpoints.
+	AllowPacketEndpointWrite bool `flag:"TESTONLY-allow-packet-endpoint-write"`
+
 	// HardwareGSO indicates that hardware segmentation offload is enabled.
 	HardwareGSO bool `flag:"gso"`
 
diff --git a/runsc/config/flags.go b/runsc/config/flags.go
index 85507902a..cc5aba474 100644
--- a/runsc/config/flags.go
+++ b/runsc/config/flags.go
@@ -92,6 +92,7 @@ func RegisterFlags() {
 		// Test flags, not to be used outside tests, ever.
 		flag.Bool("TESTONLY-unsafe-nonroot", false, "TEST ONLY; do not ever use! This skips many security measures that isolate the host from the sandbox.")
 		flag.String("TESTONLY-test-name-env", "", "TEST ONLY; do not ever use! Used for automated tests to improve logging.")
+		flag.Bool("TESTONLY-allow-packet-endpoint-write", false, "TEST ONLY; do not ever use! Used for tests to allow writes on packet sockets.")
 	})
 }