From patchwork Mon May 25 14:36:03 2026
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 4968
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Mon, 25 May 2026 16:36:03 +0200
Message-ID: <20260525143606.1532168-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 1/4] ovpn: account user-triggered allocations to memcg

From: Antonio Quartulli

Since commit 64f5f0062d77 ("ovpn: netlink - check CAP_NET_ADMIN in source namespace only") an unprivileged userns owner can drive every ovpn genetlink op and, without further mitigation, pin arbitrary amounts of kernel memory by creating interfaces, peers and key slots in a loop.

Tag the affected allocations with __GFP_ACCOUNT so they are charged to the caller's cgroup and capped by memory.max: ovpn_peer, ovpn_socket, the ~128 KiB MP peer hashtable, the crypto key slot, the per-peer dst_cache and netdev trackers, and ovpn_bind when allocated from process context.

ovpn_bind_from_sockaddr() and ovpn_peer_reset_sockaddr() now take an explicit gfp_t. The RX float path runs in softirq, where 'current' is unrelated to the userns owner, so it passes plain GFP_ATOMIC and accepts that those binds go unaccounted.

Per-packet datapath allocations are out of scope: short-lived and traffic-driven.

Signed-off-by: Antonio Quartulli
---
 drivers/net/ovpn/bind.c | 12 ++++++++++--
 drivers/net/ovpn/bind.h | 3 ++-
 drivers/net/ovpn/crypto_aead.c | 2 +-
 drivers/net/ovpn/main.c | 2 +-
 drivers/net/ovpn/netlink.c | 3 ++-
 drivers/net/ovpn/peer.c | 18 ++++++++++++------
 drivers/net/ovpn/peer.h | 2 +-
 drivers/net/ovpn/socket.c | 4 ++--
 8 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/drivers/net/ovpn/bind.c b/drivers/net/ovpn/bind.c index e42b60cd04a9..a8e9a417e2bf 100644 --- a/drivers/net/ovpn/bind.c +++ b/drivers/net/ovpn/bind.c 
@@ -17,10 +17,18 @@ /** * ovpn_bind_from_sockaddr - retrieve binding matching sockaddr * @ss: the sockaddr to match + * @gfp: GFP flags for the allocation. All callers reach this function with + * peer->lock (a spinlock) held, so the GFP must be atomic regardless of + * the outer context. Callers in process context (e.g. netlink handlers) + * should additionally OR in __GFP_ACCOUNT so the charge lands on the + * caller's memcg; callers on the RX float path (softirq, where current + * is unrelated to the userns owner) must pass plain GFP_ATOMIC to avoid + * mis-accounting to a random cgroup. * * Return: the bind matching the passed sockaddr if found, NULL otherwise */ -struct ovpn_bind *ovpn_bind_from_sockaddr(const struct sockaddr_storage *ss) +struct ovpn_bind *ovpn_bind_from_sockaddr(const struct sockaddr_storage *ss, + gfp_t gfp) { struct ovpn_bind *bind; size_t sa_len; @@ -32,7 +40,7 @@ struct ovpn_bind *ovpn_bind_from_sockaddr(const struct sockaddr_storage *ss) else return ERR_PTR(-EAFNOSUPPORT); - bind = kzalloc_obj(*bind, GFP_ATOMIC); + bind = kzalloc_obj(*bind, gfp); if (unlikely(!bind)) return ERR_PTR(-ENOMEM); diff --git a/drivers/net/ovpn/bind.h b/drivers/net/ovpn/bind.h index 4e0b8398bfd9..cda8c4888a35 100644 --- a/drivers/net/ovpn/bind.h +++ b/drivers/net/ovpn/bind.h @@ -95,7 +95,8 @@ static inline bool ovpn_bind_skb_src_match(const struct ovpn_bind *bind, return true; } -struct ovpn_bind *ovpn_bind_from_sockaddr(const struct sockaddr_storage *sa); +struct ovpn_bind *ovpn_bind_from_sockaddr(const struct sockaddr_storage *sa, + gfp_t gfp); void ovpn_bind_reset(struct ovpn_peer *peer, struct ovpn_bind *bind); #endif /* _NET_OVPN_OVPNBIND_H_ */ diff --git a/drivers/net/ovpn/crypto_aead.c b/drivers/net/ovpn/crypto_aead.c index 8f07c418622b..0a3c93d198fe 100644 --- a/drivers/net/ovpn/crypto_aead.c +++ b/drivers/net/ovpn/crypto_aead.c 
@@ -414,7 +414,7 @@ ovpn_aead_crypto_key_slot_new(const struct ovpn_key_config *kc) return ERR_PTR(-EINVAL); /* build the key slot */ - ks = kmalloc_obj(*ks); + ks = kmalloc_obj(*ks, GFP_KERNEL_ACCOUNT); if (!ks) return ERR_PTR(-ENOMEM); diff --git a/drivers/net/ovpn/main.c b/drivers/net/ovpn/main.c index 9993c1dfe471..425f4367f0ab 100644 --- a/drivers/net/ovpn/main.c +++ b/drivers/net/ovpn/main.c @@ -57,7 +57,7 @@ static int ovpn_mp_alloc(struct ovpn_priv *ovpn) /* the peer container is fairly large, therefore we allocate it only in * MP mode */ - ovpn->peers = kzalloc_obj(*ovpn->peers); + ovpn->peers = kzalloc_obj(*ovpn->peers, GFP_KERNEL_ACCOUNT); if (!ovpn->peers) return -ENOMEM; diff --git a/drivers/net/ovpn/netlink.c b/drivers/net/ovpn/netlink.c index 4c66c1ec497e..893dccdfaf64 100644 --- a/drivers/net/ovpn/netlink.c +++ b/drivers/net/ovpn/netlink.c @@ -295,7 +295,8 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, local_ip = ovpn_nl_attr_local_ip(attrs); /* set peer sockaddr */ - ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip); + ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip, + GFP_ATOMIC | __GFP_ACCOUNT); if (ret < 0) { NL_SET_ERR_MSG_FMT_MOD(info->extack, "cannot set peer sockaddr: %d", diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index a09d61296425..511a7ce9b32b 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c @@ -95,7 +95,7 @@ struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id) int ret; /* alloc and init peer object */ - peer = kzalloc_obj(*peer); + peer = kzalloc_obj(*peer, GFP_KERNEL_ACCOUNT); if (!peer) return ERR_PTR(-ENOMEM); 
@@ -117,7 +117,7 @@ struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id) ovpn_peer_stats_init(&peer->link_stats); INIT_WORK(&peer->keepalive_work, ovpn_peer_keepalive_send); - ret = dst_cache_init(&peer->dst_cache, GFP_KERNEL); + ret = dst_cache_init(&peer->dst_cache, GFP_KERNEL_ACCOUNT); if (ret < 0) { netdev_err(ovpn->dev, "cannot initialize dst cache for peer %u\n", @@ -126,7 +126,7 @@ struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id) return ERR_PTR(ret); } - netdev_hold(ovpn->dev, &peer->dev_tracker, GFP_KERNEL); + netdev_hold(ovpn->dev, &peer->dev_tracker, GFP_KERNEL_ACCOUNT); return peer; } @@ -136,12 +136,14 @@ struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id) * @peer: peer to recreate the binding for * @ss: sockaddr to use as remote endpoint for the binding * @local_ip: local IP for the binding + * @gfp: GFP flags for the bind allocation. See ovpn_bind_from_sockaddr() for + * the accounting trade-off between process-context and softirq callers. * * Return: 0 on success or a negative error code otherwise */ int ovpn_peer_reset_sockaddr(struct ovpn_peer *peer, const struct sockaddr_storage *ss, - const void *local_ip) + const void *local_ip, gfp_t gfp) { struct ovpn_bind *bind; size_t ip_len; @@ -149,7 +151,7 @@ int ovpn_peer_reset_sockaddr(struct ovpn_peer *peer, lockdep_assert_held(&peer->lock); /* create new ovpn_bind object */ - bind = ovpn_bind_from_sockaddr(ss); + bind = ovpn_bind_from_sockaddr(ss, gfp); if (IS_ERR(bind)) return PTR_ERR(bind); 
@@ -281,9 +283,13 @@ void ovpn_peer_endpoints_update(struct ovpn_peer *peer, struct sk_buff *skb) if (likely(!salen)) goto unlock; + /* RX float path runs in softirq context: __GFP_ACCOUNT would charge + * whatever cgroup is on-CPU when the packet arrives, not the userns + * owner, so pass plain GFP_ATOMIC and skip accounting on this path. + */ if (unlikely(ovpn_peer_reset_sockaddr(peer, (struct sockaddr_storage *)&ss, - local_ip) < 0)) + local_ip, GFP_ATOMIC) < 0)) goto unlock; net_dbg_ratelimited("%s: peer %d floated to %pIScp", diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h index 86c8cffada6d..1bfc66821739 100644 --- a/drivers/net/ovpn/peer.h +++ b/drivers/net/ovpn/peer.h @@ -159,6 +159,6 @@ void ovpn_peer_keepalive_work(struct work_struct *work); void ovpn_peer_endpoints_update(struct ovpn_peer *peer, struct sk_buff *skb); int ovpn_peer_reset_sockaddr(struct ovpn_peer *peer, const struct sockaddr_storage *ss, - const void *local_ip); + const void *local_ip, gfp_t gfp); #endif /* _NET_OVPN_OVPNPEER_H_ */ diff --git a/drivers/net/ovpn/socket.c b/drivers/net/ovpn/socket.c index 517caa64a4fe..45d6a497bffb 100644 --- a/drivers/net/ovpn/socket.c +++ b/drivers/net/ovpn/socket.c @@ -191,7 +191,7 @@ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) /* socket is not owned: attach to this ovpn instance */ - ovpn_sock = kzalloc_obj(*ovpn_sock); + ovpn_sock = kzalloc_obj(*ovpn_sock, GFP_KERNEL_ACCOUNT); if (!ovpn_sock) { ovpn_sock = ERR_PTR(-ENOMEM); goto sock_release; 
@@ -213,7 +213,7 @@ struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) */ ovpn_sock->ovpn = peer->ovpn; netdev_hold(peer->ovpn->dev, &ovpn_sock->dev_tracker, - GFP_KERNEL); + GFP_KERNEL_ACCOUNT); } /* the newly created ovpn_socket is holding reference to sk,
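
Review bot: In drivers/net/ovpn/bind.c, the new @gfp kernel-doc on ovpn_bind_from_sockaddr() says the mask must be atomic because peer->lock is held, but nothing in the function checks it, so a later process-context caller passing GFP_KERNEL_ACCOUNT would only be noticed on a kernel that flags sleeping under a spinlock. Consider WARN_ON_ONCE(gfpflags_allow_blocking(gfp)) ahead of the kzalloc_obj(*bind, gfp) call, or keep the atomic part inside the function and let callers choose only whether __GFP_ACCOUNT is added, which removes the chance of a wrong mask altogether.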
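
Review bot: In drivers/net/ovpn/netlink.c, ovpn_nl_peer_modify() passes GFP_ATOMIC | __GFP_ACCOUNT, the only accounted site in this patch that cannot reclaim, while the commit message states "capped by memory.max" for all tagged allocations; please say how this one behaves when the cgroup is at its limit. If the bind can be allocated before peer->lock is taken, this caller could use GFP_KERNEL_ACCOUNT like ovpn_peer_new() and ovpn_socket_new(); if it cannot, a one-line comment at the call site pointing to the lock would explain the atomic mask to readers who do not open bind.c.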
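
Review bot: In drivers/net/ovpn/peer.c, the comment added to ovpn_peer_endpoints_update() explains why the float path skips __GFP_ACCOUNT but not what limits it: with this patch alone, received traffic can trigger unaccounted bind allocations, and neither the comment nor the commit message says what bounds them. State the bound here (for example that the new bind replaces the peer's previous one, if that is what ovpn_peer_reset_sockaddr() guarantees), or fold in the sentence that 2/4 adds to this same comment so the patch stands on its own.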

From patchwork Mon May 25 14:36:04 2026
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 4969
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Mon, 25 May 2026 16:36:04 +0200
Message-ID: <20260525143606.1532168-2-a@unstable.cc>
In-Reply-To: <20260525143606.1532168-1-a@unstable.cc>
References: <20260525143606.1532168-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 2/4] ovpn: cap number of peers per multi-peer interface

From: Antonio Quartulli

Memcg accounting bounds user-driven peer creation only when the calling cgroup has memory.max set; on unconstrained hosts it isn't a hard limit.

Track the live peer count in ovpn_peer_collection::n_peers under the existing ovpn->lock and reject OVPN_CMD_PEER_NEW with -ENOSPC once OVPN_MAX_PEERS (65535) is reached. 65535 matches what userspace OpenVPN servers configure via --max-clients. P2P mode is unaffected.

The same cap also bounds the unaccounted RX-float bind allocations, since binds are owned by peers.

Signed-off-by: Antonio Quartulli
---
 drivers/net/ovpn/ovpnpriv.h | 3 +++
 drivers/net/ovpn/peer.c | 9 +++++++++
 drivers/net/ovpn/peer.h | 8 ++++++++
 3 files changed, 20 insertions(+)

diff --git a/drivers/net/ovpn/ovpnpriv.h b/drivers/net/ovpn/ovpnpriv.h index 5898f6adada7..113f5f493575 100644 --- a/drivers/net/ovpn/ovpnpriv.h +++ b/drivers/net/ovpn/ovpnpriv.h @@ -24,12 +24,15 @@ * rehashed on the fly due to peer IP change) * @by_transp_addr: table of peers indexed by transport address (items can be * rehashed on the fly due to peer IP change) + * @n_peers: number of peers currently in the collection, protected by + * ovpn_priv->lock */ struct ovpn_peer_collection { DECLARE_HASHTABLE(by_id, 12); struct hlist_nulls_head by_vpn_addr4[1 << 12]; struct hlist_nulls_head by_vpn_addr6[1 << 12]; struct hlist_nulls_head by_transp_addr[1 << 12]; + u32 n_peers; }; /** diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c index 511a7ce9b32b..1d564888479a 100644 --- a/drivers/net/ovpn/peer.c +++ b/drivers/net/ovpn/peer.c 
@@ -286,6 +286,8 @@ void ovpn_peer_endpoints_update(struct ovpn_peer *peer, struct sk_buff *skb) /* RX float path runs in softirq context: __GFP_ACCOUNT would charge * whatever cgroup is on-CPU when the packet arrives, not the userns * owner, so pass plain GFP_ATOMIC and skip accounting on this path. + * The number of bind objects that can accumulate via float events is + * bounded by the per-MP peer cap, since binds are owned by peers. */ if (unlikely(ovpn_peer_reset_sockaddr(peer, (struct sockaddr_storage *)&ss, @@ -703,6 +705,7 @@ static void ovpn_peer_remove(struct ovpn_peer *peer, hlist_nulls_del_init_rcu(&peer->hash_entry_addr4); hlist_nulls_del_init_rcu(&peer->hash_entry_addr6); hlist_nulls_del_init_rcu(&peer->hash_entry_transp_addr); + peer->ovpn->peers->n_peers--; break; case OVPN_MODE_P2P: /* prevent double remove */ @@ -959,6 +962,11 @@ static int ovpn_peer_add_mp(struct ovpn_priv *ovpn, struct ovpn_peer *peer) goto out; } + if (ovpn->peers->n_peers >= OVPN_MAX_PEERS) { + ret = -ENOSPC; + goto out; + } + bind = rcu_dereference_protected(peer->bind, true); /* peers connected via TCP have bind == NULL */ if (bind) { @@ -994,6 +1002,7 @@ static int ovpn_peer_add_mp(struct ovpn_priv *ovpn, struct ovpn_peer *peer) sizeof(peer->id))); ovpn_peer_hash_vpn_ip(peer); + ovpn->peers->n_peers++; out: spin_unlock_bh(&ovpn->lock); return ret; diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h index 1bfc66821739..2efc782130f3 100644 --- a/drivers/net/ovpn/peer.h +++ b/drivers/net/ovpn/peer.h 
@@ -17,6 +17,14 @@ #include "socket.h" #include "stats.h" +/* Hard cap on number of peers per MP-mode interface. Caps the worst-case + * kernel memory an unprivileged userns owner driving OVPN_CMD_PEER_NEW can + * pin even when memcg accounting is unconstrained. 65535 matches what + * mainstream userspace OpenVPN servers configure via --max-clients, so + * legitimate deployments never hit this. + */ +#define OVPN_MAX_PEERS 65535 + /** * struct ovpn_peer - the main remote peer object * @ovpn: main openvpn instance this peer belongs to
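
Review bot: In the ovpn_peer_remove() hunk of drivers/net/ovpn/peer.c, peer->ovpn->peers->n_peers-- is unconditional and n_peers is a u32, so a second removal of the same peer would wrap the counter, after which the n_peers >= OVPN_MAX_PEERS test in ovpn_peer_add_mp() rejects every new peer with -ENOSPC. The P2P case carries a "prevent double remove" comment in the visible context; please confirm the MP case has the same guard ahead of the hlist deletions, and consider WARN_ON_ONCE(!n_peers) before the decrement. If it is not already there, lockdep_assert_held(&peer->ovpn->lock) in this function would back the locking rule that the @n_peers kernel-doc states.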
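
Review bot: In the ovpn_peer_add_mp() hunk, the cap check returns a bare -ENOSPC, which tells userspace nothing about which limit was hit on the OVPN_CMD_PEER_NEW path. Since the limit is a fixed compile-time constant, have the netlink caller set an extack message naming it when this error comes back, the way ovpn_nl_peer_modify() already reports "cannot set peer sockaddr: %d".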
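
Review bot: In drivers/net/ovpn/peer.h, the comment on OVPN_MAX_PEERS says it caps the worst-case kernel memory a userns owner can pin, but the limit is per MP interface and the 1/4 commit message lists creating interfaces in a loop as part of the same problem. Reword the comment to say the bound is per interface and name what limits the number of interfaces, or state that the total stays at interfaces times 65535 peers when memory.max is unset.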
From patchwork Mon May 25 14:36:05 2026
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 4967
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Mon, 25 May 2026 16:36:05 +0200
Message-ID: <20260525143606.1532168-3-a@unstable.cc>
In-Reply-To: <20260525143606.1532168-1-a@unstable.cc>
References: <20260525143606.1532168-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 3/4] ovpn: cap number of ovpn devices per netns

From: Antonio Quartulli The previous patches bound resource use within a single ovpn interface, but a userns owner can still spin many MP-mode devices, each costing ~128 KiB just for its peer hashtables. Cap the number of ovpn netdevs per netns with a compile-time constant (OVPN_MAX_DEVS, 256). The counter lives in a per-netns struct registered via register_pernet_subsys() - the framework zero-allocates and frees the storage, so no init/exit callbacks are needed. ovpn_net_init() increments and rejects with -ENOSPC past the cap; ovpn_net_uninit() decrements, keeping the counter balanced across both ndo_init failure and normal teardown. Also set dev->netns_immutable in ovpn_setup() to forbid moving an ovpn device between netns. Without it, ndo_uninit would decrement a different netns' counter than ndo_init incremented, eventually wrapping the atomic_t and defeating the cap - a userns owner with multiple child netns could trigger this on purpose. A sysctl was rejected: net.* sysctls in a non-init netns are writable by anyone with CAP_NET_ADMIN in that netns, i.e. the exact actor this cap constrains. A compile-time constant cannot be raised by an attacker; 256 is generous for any realistic deployment. Signed-off-by: Antonio Quartulli --- drivers/net/ovpn/main.c | 71 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 63 insertions(+), 8 deletions(-) diff --git a/drivers/net/ovpn/main.c b/drivers/net/ovpn/main.c index 425f4367f0ab..540ba89d81b7 100644 --- a/drivers/net/ovpn/main.c +++ b/drivers/net/ovpn/main.c @@ -14,6 +14,8 @@ #include #include #include +#include +#include #include #include 
@@ -26,6 +28,29 @@ #include "tcp.h" #include "udp.h" +/* Hard cap on number of ovpn netdevs per network namespace. Pairs with the + * per-MP-instance OVPN_MAX_PEERS cap to bound total kernel memory an + * unprivileged userns owner can pin via repeated `ip link add ... type ovpn` + * calls (each MP-mode device costs ~128 KiB just for its peer hashtables). + * + * This is a compile-time constant on purpose: a sysctl in net.* would be + * writable by anyone with CAP_NET_ADMIN in the namespace - i.e. exactly the + * unprivileged userns owner this cap is meant to constrain - which would + * defeat the defence. 256 is generous for any realistic deployment. + */ +#define OVPN_MAX_DEVS 256 + +struct ovpn_net { + atomic_t n_devs; +}; + +static unsigned int ovpn_net_id __read_mostly; + +static struct pernet_operations ovpn_pernet_ops = { + .id = &ovpn_net_id, + .size = sizeof(struct ovpn_net), +}; + static void ovpn_priv_free(struct net_device *net) { struct ovpn_priv *ovpn = netdev_priv(net); 
@@ -74,27 +99,40 @@ static int ovpn_mp_alloc(struct ovpn_priv *ovpn) static int ovpn_net_init(struct net_device *dev) { struct ovpn_priv *ovpn = netdev_priv(dev); - int err = gro_cells_init(&ovpn->gro_cells, dev); + struct ovpn_net *on = net_generic(dev_net(dev), ovpn_net_id); + int err; + + if (atomic_fetch_inc(&on->n_devs) >= OVPN_MAX_DEVS) { + atomic_dec(&on->n_devs); + return -ENOSPC; + } + err = gro_cells_init(&ovpn->gro_cells, dev); if (err < 0) - return err; + goto err_dec; err = ovpn_mp_alloc(ovpn); - if (err < 0) { - gro_cells_destroy(&ovpn->gro_cells); - return err; - } + if (err < 0) + goto err_gro; return 0; + +err_gro: + gro_cells_destroy(&ovpn->gro_cells); +err_dec: + atomic_dec(&on->n_devs); + return err; } static void ovpn_net_uninit(struct net_device *dev) { struct ovpn_priv *ovpn = netdev_priv(dev); + struct ovpn_net *on = net_generic(dev_net(dev), ovpn_net_id); disable_delayed_work_sync(&ovpn->keepalive_work); ovpn_peers_free(ovpn, NULL, OVPN_DEL_PEER_REASON_TEARDOWN); gro_cells_destroy(&ovpn->gro_cells); + atomic_dec(&on->n_devs); } static const struct net_device_ops ovpn_netdev_ops = { @@ -173,6 +211,14 @@ static void ovpn_setup(struct net_device *dev) dev->needed_headroom = ALIGN(OVPN_HEAD_ROOM, 4); dev->needed_tailroom = OVPN_MAX_PADDING; + /* forbid moving the device between network namespaces: ndo_init and + * ndo_uninit are called in the originating and current netns + * respectively, so a migrated device would dec a different netns' + * n_devs counter than the one it incremented, eventually wrapping it + * and defeating the per-netns cap. + */ + dev->netns_immutable = true; + SET_NETDEV_DEVTYPE(dev, &ovpn_type); } 
@@ -233,13 +279,19 @@ static struct rtnl_link_ops ovpn_link_ops = { static int __init ovpn_init(void) { - int err = rtnl_link_register(&ovpn_link_ops); + int err = register_pernet_subsys(&ovpn_pernet_ops); if (err) { - pr_err("ovpn: can't register rtnl link ops: %d\n", err); + pr_err("ovpn: can't register pernet ops: %d\n", err); return err; } + err = rtnl_link_register(&ovpn_link_ops); + if (err) { + pr_err("ovpn: can't register rtnl link ops: %d\n", err); + goto unreg_pernet; + } + err = ovpn_nl_register(); if (err) { pr_err("ovpn: can't register netlink family: %d\n", err); @@ -252,6 +304,8 @@ static int __init ovpn_init(void) unreg_rtnl: rtnl_link_unregister(&ovpn_link_ops); +unreg_pernet: + unregister_pernet_subsys(&ovpn_pernet_ops); return err; } 
@@ -259,6 +313,7 @@ static __exit void ovpn_cleanup(void) { ovpn_nl_unregister(); rtnl_link_unregister(&ovpn_link_ops); + unregister_pernet_subsys(&ovpn_pernet_ops); rcu_barrier(); }
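Review bot: the OVPN_MAX_DEVS comment in the @@ -26,6 +28,29 @@ hunk says the cap bounds "total kernel memory an unprivileged userns owner can pin", but n_devs lives in struct ovpn_net, so the limit is 256 devices per network namespace and not per owner. The commit message itself considers "a userns owner with multiple child netns", so either reword the comment to claim a per-netns bound only, or state what limits the number of namespaces that owner can create.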
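Review bot: in ovpn_net_init() (hunk @@ -74,27 +99,40 @@) the limit check increments first and undoes the increment on failure, `if (atomic_fetch_inc(&on->n_devs) >= OVPN_MAX_DEVS) { atomic_dec(&on->n_devs);`, so n_devs sits above the cap for a moment on every rejected attempt. `atomic_add_unless(&on->n_devs, 1, OVPN_MAX_DEVS)` performs the test and the increment in one step and removes the undo branch. A short comment at err_dec saying why the error path decrements by hand instead of relying on ovpn_net_uninit() would help the next reader keep the counter balanced.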
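Review bot: setting dev->netns_immutable in ovpn_setup() (hunk @@ -173,6 +211,14 @@) is a user-visible behaviour change, since an ovpn device can no longer be created in one netns and moved into another, and it arrives under "Also" in a commit whose subject is the device cap. Consider splitting it into its own patch with that impact stated, or keeping devices movable by recording in ovpn_priv which struct ovpn_net was incremented at init and decrementing that same one in ovpn_net_uninit().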
From patchwork Mon May 25 14:36:06 2026
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 4966
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Mon, 25 May 2026 16:36:06 +0200
Message-ID: <20260525143606.1532168-4-a@unstable.cc>
In-Reply-To: <20260525143606.1532168-1-a@unstable.cc>
References: <20260525143606.1532168-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 4/4] ovpn: netlink - check CAP_NET_ADMIN in source namespace only

From: Antonio Quartulli Netlink API calls can be allowed as long as the user has CAP_NET_ADMIN in the source namespace. There is no need to enforce broader capabilities. Therefore switch to GENL_UNS_ADMIN_PERM for all netlink ops. Closes: https://github.com/OpenVPN/ovpn-net-next/issues/33 Signed-off-by: Antonio Quartulli --- Documentation/netlink/specs/ovpn.yaml | 16 ++++++++-------- drivers/net/ovpn/netlink-gen.c | 18 +++++++++--------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/Documentation/netlink/specs/ovpn.yaml b/Documentation/netlink/specs/ovpn.yaml index b0c782e59a32..5d1f71b2ff78 100644 --- a/Documentation/netlink/specs/ovpn.yaml +++ b/Documentation/netlink/specs/ovpn.yaml @@ -397,7 +397,7 @@ operations: - name: peer-new attribute-set: ovpn-peer-new-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Add a remote peer do: pre: ovpn-nl-pre-doit @@ -409,7 +409,7 @@ operations: - name: peer-set attribute-set: ovpn-peer-set-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: modify a remote peer do: pre: ovpn-nl-pre-doit @@ -421,7 +421,7 @@ operations: - name: peer-get attribute-set: ovpn - flags: [admin-perm] + flags: [uns-admin-perm] doc: Retrieve data about existing remote peers (or a specific one) do: pre: ovpn-nl-pre-doit @@ -443,7 +443,7 @@ operations: - name: peer-del attribute-set: ovpn-peer-del-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Delete existing remote peer do: pre: ovpn-nl-pre-doit @@ -461,7 +461,7 @@ operations: - name: key-new attribute-set: ovpn - flags: [admin-perm] + flags: [uns-admin-perm] doc: Add a cipher key for a specific peer do: pre: ovpn-nl-pre-doit @@ -473,7 +473,7 @@ operations: - name: key-get attribute-set: ovpn-keyconf-get - flags: [admin-perm] + flags: [uns-admin-perm] doc: Retrieve non-sensitive data about peer key and cipher do: pre: ovpn-nl-pre-doit 
@@ -488,7 +488,7 @@ operations: - name: key-swap attribute-set: ovpn-keyconf-swap-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Swap primary and secondary session keys for a specific peer do: pre: ovpn-nl-pre-doit @@ -507,7 +507,7 @@ operations: - name: key-del attribute-set: ovpn-keyconf-del-input - flags: [admin-perm] + flags: [uns-admin-perm] doc: Delete cipher key for a specific peer do: pre: ovpn-nl-pre-doit diff --git a/drivers/net/ovpn/netlink-gen.c b/drivers/net/ovpn/netlink-gen.c index 2147cec7c2c5..6f1237f65674 100644 --- a/drivers/net/ovpn/netlink-gen.c +++ b/drivers/net/ovpn/netlink-gen.c @@ -179,7 +179,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_new_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_SET, @@ -188,7 +188,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_set_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_GET, @@ -197,14 +197,14 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_get_do_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_PEER_GET, .dumpit = ovpn_nl_peer_get_dumpit, .policy = ovpn_peer_get_dump_nl_policy, .maxattr = OVPN_A_IFINDEX, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DUMP, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DUMP, }, { .cmd = OVPN_CMD_PEER_DEL, 
@@ -213,7 +213,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_peer_del_nl_policy, .maxattr = OVPN_A_PEER, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_NEW, @@ -222,7 +222,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_new_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_GET, @@ -231,7 +231,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_get_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_SWAP, @@ -240,7 +240,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_swap_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, { .cmd = OVPN_CMD_KEY_DEL, @@ -249,7 +249,7 @@ static const struct genl_split_ops ovpn_nl_ops[] = { .post_doit = ovpn_nl_post_doit, .policy = ovpn_key_del_nl_policy, .maxattr = OVPN_A_KEYCONF, - .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, + .flags = GENL_UNS_ADMIN_PERM | GENL_CMD_CAP_DO, }, };
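Review bot: the commit message says there is "no need to enforce broader capabilities" but does not mention that switching `flags: [admin-perm]` to `flags: [uns-admin-perm]` in ovpn.yaml is what opens peer-new and the key-* operations to a userns owner, the actor the OVPN_MAX_PEERS and OVPN_MAX_DEVS comments earlier in this series are written against. State in the message that this patch depends on those caps, so that it is not applied or backported without them.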
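Review bot: with every entry of ovpn_nl_ops[] in netlink-gen.c moving from GENL_ADMIN_PERM to GENL_UNS_ADMIN_PERM, the capability check alone no longer keeps a namespace-local admin away from devices in other namespaces; that now rests on how OVPN_A_IFINDEX is resolved in ovpn_nl_pre_doit and in ovpn_nl_peer_get_dumpit, whose entry has no pre_doit. Please confirm in the commit message that both look the interface up only in the caller's netns, since neither function is part of this diff.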