path: root/contrib/selinux/pasta.te
author: David Gibson <david@gibson.dropbear.id.au> 2024-02-12 17:06:57 +1100
committer: Stefano Brivio <sbrivio@redhat.com> 2024-02-14 03:24:01 +0100
commit: 96ad5c5acdde30c43066d6d7fa846d9a2a47fb8f (patch)
tree: 933c4aa402be9c980b3339777eb9def8741c6315 /contrib/selinux/pasta.te
parent: 9f57983886e79b590d62f897ce50ac8f5cf15df9 (diff)
udp: Don't prematurely (and incorrectly) set up automatic inbound forwards
For automated inbound port forwarding in pasta mode we scan bound ports within the guest namespace via /proc and bind matching ports on the host to listen for packets. For UDP this is usually handled by udp_timer() which calls port_fwd_scan_udp() followed by udp_port_rebind(). However there's one initial scan before the UDP timer is started: we call port_fwd_scan_udp() from port_fwd_init(), and actually bind the resulting ports in udp_sock_init_init() called from udp_init().

Unfortunately, the version in udp_sock_init_init() isn't correct. It unconditionally opens a new socket for every forwarded port, even if a socket has already been explicitly created with the -u option. If the explicitly forwarded ports have particular configuration (such as a specific bound address, or one implied by the -o option) those will not be replicated in the new socket. We essentially leak the original correctly configured socket, replacing it with one which might not be right.

We could make udp_sock_init_init() use udp_port_rebind() to get that right, but there's actually no point doing so:

* The initial bind was introduced by ccf6d2a7b48d ("udp: Actually bind detected namespace ports in init namespace") at which time we didn't periodically scan for bound UDP ports. Periodic scanning was introduced in 457ff122e ("udp,pasta: Periodically scan for ports to automatically forward") making the bind from udp_init() redundant.

* At the time of udp_init(), programs in the guest namespace are likely not to have started yet (unless attaching a pre-existing namespace) so there's likely not anything to scan for anyway.

So, simply remove the initial, broken socket create/bind, allowing automatic port forwards to be created the first time udp_timer() runs.
Reported-by: Laurent Jacquot <jk@lutty.net>
Suggested-by: Laurent Jacquot <jk@lutty.net>
Link: https://bugs.passt.top/show_bug.cgi?id=79
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'contrib/selinux/pasta.te')
0 files changed, 0 insertions, 0 deletions
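The commit message above describes the defect as opening a fresh host socket for every port the /proc scan detects, even when the user already configured that port explicitly with -u, so the correctly configured socket is leaked and replaced. The following C program is an added illustration of the rebind decision that avoids this; it is not passt/pasta code and does not reproduce udp_port_rebind(). It assumes the scan source is /proc/net/udp (IPv4 only here; the real scan also covers IPv6 and checks socket state, neither of which is shown), parses a constructed sample of that file, and then skips any detected port that is already covered by an explicit forward or by an earlier automatic bind, so an existing socket is never replaced by a new one with different configuration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_COUNT 65536

/* One bit per UDP port number. */
struct port_set {
	uint8_t bits[PORT_COUNT / 8];
};

static void port_set_add(struct port_set *s, unsigned port)
{
	s->bits[port / 8] |= (uint8_t)(1u << (port % 8));
}

static bool port_set_has(const struct port_set *s, unsigned port)
{
	return (s->bits[port / 8] >> (port % 8)) & 1u;
}

/* Constructed sample in the layout of /proc/net/udp (not captured from a real
 * system): ports 53, 8080 and 514 are bound inside the namespace. */
static const char sample_proc_net_udp[] =
	"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops\n"
	"   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1001 2 0000000000000000 0\n"
	"   1: 0100007F:1F90 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 1002 2 0000000000000000 0\n"
	"   2: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1003 2 0000000000000000 0\n";

/* Parse the local port out of one /proc/net/udp line; returns -1 for the
 * header line or anything malformed. Only the "sl: addr:port" prefix is used. */
static int parse_udp_line(const char *line)
{
	unsigned sl, addr, port;

	if (sscanf(line, " %u: %8x:%4x", &sl, &addr, &port) != 3)
		return -1;
	if (port >= PORT_COUNT)
		return -1;
	return (int)port;
}

/* Scan step: fill `detected` with every port bound in the namespace.
 * Returns the number of distinct ports found. */
static int scan_udp(const char *text, struct port_set *detected)
{
	const char *p = text;
	int count = 0;

	memset(detected, 0, sizeof(*detected));
	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		char line[256];
		int port;

		if (len >= sizeof(line))
			len = sizeof(line) - 1;
		memcpy(line, p, len);
		line[len] = '\0';

		port = parse_udp_line(line);
		if (port >= 0 && !port_set_has(detected, (unsigned)port)) {
			port_set_add(detected, (unsigned)port);
			count++;
		}
		p = nl ? nl + 1 : p + len;
	}
	return count;
}

/* Rebind step: decide which detected ports need a new host socket. A port is
 * skipped when the user already created a socket for it explicitly (the
 * configuration of that socket must be preserved, not replaced) or when an
 * earlier scan already bound it. Newly chosen ports are recorded in
 * `host_bound` and written to `out`; returns how many were written. */
static int udp_ports_to_bind(const struct port_set *detected,
			     const struct port_set *explicit_fwd,
			     struct port_set *host_bound, int *out, int max)
{
	int n = 0;
	unsigned port;

	for (port = 1; port < PORT_COUNT && n < max; port++) {
		if (!port_set_has(detected, port))
			continue;
		if (port_set_has(explicit_fwd, port))
			continue;	/* keep the explicitly configured socket */
		if (port_set_has(host_bound, port))
			continue;	/* already forwarded automatically */
		port_set_add(host_bound, port);
		out[n++] = (int)port;
	}
	return n;
}

int main(void)
{
	struct port_set detected, explicit_fwd = { { 0 } }, host_bound = { { 0 } };
	int ports[16], n, i;

	port_set_add(&explicit_fwd, 53);	/* as if configured with -u 53 */
	scan_udp(sample_proc_net_udp, &detected);
	n = udp_ports_to_bind(&detected, &explicit_fwd, &host_bound, ports, 16);
	for (i = 0; i < n; i++)
		printf("bind host UDP port %d\n", ports[i]);
	return 0;
}
```

Running the scan a second time against the same sample yields no further ports to bind, which is the property the periodic udp_timer() path relies on: the rebind is idempotent and never touches a port that already has a socket, explicit or automatic.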