summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/sentry')
-rw-r--r--pkg/sentry/devices/tundev/tundev.go15
-rw-r--r--pkg/sentry/fs/dev/net_tun.go15
-rw-r--r--pkg/sentry/socket/netstack/BUILD2
-rw-r--r--pkg/sentry/socket/netstack/tun.go51
4 files changed, 67 insertions, 16 deletions
diff --git a/pkg/sentry/devices/tundev/tundev.go b/pkg/sentry/devices/tundev/tundev.go
index d8f4e1d35..c43158aa4 100644
--- a/pkg/sentry/devices/tundev/tundev.go
+++ b/pkg/sentry/devices/tundev/tundev.go
@@ -87,19 +87,18 @@ func (fd *tunFD) Ioctl(ctx context.Context, uio usermem.IO, args arch.SyscallArg
if _, err := req.CopyIn(t, data); err != nil {
return 0, err
}
- flags := usermem.ByteOrder.Uint16(req.Data[:])
+
+ // Validate flags.
+ flags, err := netstack.LinuxToTUNFlags(usermem.ByteOrder.Uint16(req.Data[:]))
+ if err != nil {
+ return 0, err
+ }
return 0, fd.device.SetIff(stack.Stack, req.Name(), flags)
case linux.TUNGETIFF:
var req linux.IFReq
-
copy(req.IFName[:], fd.device.Name())
-
- // Linux adds IFF_NOFILTER (the same value as IFF_NO_PI unfortunately) when
- // there is no sk_filter. See __tun_chr_ioctl() in net/drivers/tun.c.
- flags := fd.device.Flags() | linux.IFF_NOFILTER
- usermem.ByteOrder.PutUint16(req.Data[:], flags)
-
+ usermem.ByteOrder.PutUint16(req.Data[:], netstack.TUNFlagsToLinux(fd.device.Flags()))
_, err := req.CopyOut(t, data)
return 0, err
diff --git a/pkg/sentry/fs/dev/net_tun.go b/pkg/sentry/fs/dev/net_tun.go
index 5227ef652..11a2984d8 100644
--- a/pkg/sentry/fs/dev/net_tun.go
+++ b/pkg/sentry/fs/dev/net_tun.go
@@ -108,19 +108,18 @@ func (n *netTunFileOperations) Ioctl(ctx context.Context, file *fs.File, io user
if _, err := req.CopyIn(t, data); err != nil {
return 0, err
}
- flags := usermem.ByteOrder.Uint16(req.Data[:])
+
+ // Validate flags.
+ flags, err := netstack.LinuxToTUNFlags(usermem.ByteOrder.Uint16(req.Data[:]))
+ if err != nil {
+ return 0, err
+ }
return 0, n.device.SetIff(stack.Stack, req.Name(), flags)
case linux.TUNGETIFF:
var req linux.IFReq
-
copy(req.IFName[:], n.device.Name())
-
- // Linux adds IFF_NOFILTER (the same value as IFF_NO_PI unfortunately) when
- // there is no sk_filter. See __tun_chr_ioctl() in net/drivers/tun.c.
- flags := n.device.Flags() | linux.IFF_NOFILTER
- usermem.ByteOrder.PutUint16(req.Data[:], flags)
-
+ usermem.ByteOrder.PutUint16(req.Data[:], netstack.TUNFlagsToLinux(n.device.Flags()))
_, err := req.CopyOut(t, data)
return 0, err
diff --git a/pkg/sentry/socket/netstack/BUILD b/pkg/sentry/socket/netstack/BUILD
index 915134b41..244d99436 100644
--- a/pkg/sentry/socket/netstack/BUILD
+++ b/pkg/sentry/socket/netstack/BUILD
@@ -12,6 +12,7 @@ go_library(
"provider_vfs2.go",
"save_restore.go",
"stack.go",
+ "tun.go",
],
visibility = [
"//pkg/sentry:internal",
@@ -42,6 +43,7 @@ go_library(
"//pkg/syserror",
"//pkg/tcpip",
"//pkg/tcpip/header",
+ "//pkg/tcpip/link/tun",
"//pkg/tcpip/network/ipv4",
"//pkg/tcpip/network/ipv6",
"//pkg/tcpip/stack",
diff --git a/pkg/sentry/socket/netstack/tun.go b/pkg/sentry/socket/netstack/tun.go
new file mode 100644
index 000000000..288dd0c9e
--- /dev/null
+++ b/pkg/sentry/socket/netstack/tun.go
@@ -0,0 +1,51 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package netstack
+
+import (
+ "gvisor.dev/gvisor/pkg/abi/linux"
+ "gvisor.dev/gvisor/pkg/syserror"
+ "gvisor.dev/gvisor/pkg/tcpip/link/tun"
+)
+
+// TUNFlagsToLinux converts a tun.Flags to Linux TUN flags.
+func TUNFlagsToLinux(flags tun.Flags) uint16 {
+ ret := uint16(linux.IFF_NOFILTER)
+ if flags.TAP {
+ ret |= linux.IFF_TAP
+ }
+ if flags.TUN {
+ ret |= linux.IFF_TUN
+ }
+ if flags.NoPacketInfo {
+ ret |= linux.IFF_NO_PI
+ }
+ return ret
+}
+
+// LinuxToTUNFlags converts Linux TUN flags to a tun.Flags.
+func LinuxToTUNFlags(flags uint16) (tun.Flags, error) {
+ // Linux adds IFF_NOFILTER (the same value as IFF_NO_PI unfortunately)
+ // when there is no sk_filter. See __tun_chr_ioctl() in
+ // net/drivers/tun.c.
+ if flags&^uint16(linux.IFF_TUN|linux.IFF_TAP|linux.IFF_NO_PI) != 0 {
+ return tun.Flags{}, syserror.EINVAL
+ }
+ return tun.Flags{
+ TUN: flags&linux.IFF_TUN != 0,
+ TAP: flags&linux.IFF_TAP != 0,
+ NoPacketInfo: flags&linux.IFF_NO_PI != 0,
+ }, nil
+}