https://github.com/torvalds/linux
Revision 93c647643b48f0131f02e45da3bd367d80443291 authored by Kevin Cernekee on 06 December 2017, 20:12:27 UTC, committed by David S. Miller on 11 December 2017, 16:58:18 UTC
Currently, a nlmon link inside a child namespace can observe systemwide netlink activity. Filter the traffic so that nlmon can only sniff netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 2aab6b4
Tip revision: 93c647643b48f0131f02e45da3bd367d80443291 authored by Kevin Cernekee on 06 December 2017, 20:12:27 UTC
netlink: Add netns check on taps