From 10f687736b8dd538fb5e2bdacf6bef2c690ee99d Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 9 May 2018 13:57:08 -0700 Subject: [PATCH 1/2] ss: remove non-functional slabinfo Ss was using slabinfo to try and intuit TCP statistics. The slabinfo changed several times since 2.4 and all these statistics are broken by renames and slab merging. Plus slabinfo does not exist at all if kernel is compiled with SLUB option. Rather than trying to fix kernel, just trim away the no longer valid statistics. Signed-off-by: Stephen Hemminger --- misc/ss.c | 103 ++++-------------------------------------------------- 1 file changed, 6 insertions(+), 97 deletions(-) diff --git a/misc/ss.c b/misc/ss.c index 3ed7e669..41e7762b 100644 --- a/misc/ss.c +++ b/misc/ss.c @@ -474,7 +474,6 @@ static FILE *generic_proc_open(const char *env, const char *name) "net/packet") #define net_netlink_open() generic_proc_open("PROC_NET_NETLINK", \ "net/netlink") -#define slabinfo_open() generic_proc_open("PROC_SLABINFO", "slabinfo") #define net_sockstat_open() generic_proc_open("PROC_NET_SOCKSTAT", \ "net/sockstat") #define net_sockstat6_open() generic_proc_open("PROC_NET_SOCKSTAT6", \ 
@@ -728,67 +727,6 @@ next: return cnt; } -/* Get stats from slab */ - -struct slabstat { - int socks; - int tcp_ports; - int tcp_tws; - int tcp_syns; - int skbs; -}; - -static struct slabstat slabstat; - -static int get_slabstat(struct slabstat *s) -{ - char buf[256]; - FILE *fp; - int cnt; - static int slabstat_valid; - static const char * const slabstat_ids[] = { - "sock", - "tcp_bind_bucket", - "tcp_tw_bucket", - "tcp_open_request", - "skbuff_head_cache", - }; - - if (slabstat_valid) - return 0; - - memset(s, 0, sizeof(*s)); - - fp = slabinfo_open(); - if (!fp) - return -1; - - cnt = sizeof(*s)/sizeof(int); - - if (!fgets(buf, sizeof(buf), fp)) { - fclose(fp); - return -1; - } - while (fgets(buf, sizeof(buf), fp) != NULL) { - int i; - - for (i = 0; i < ARRAY_SIZE(slabstat_ids); i++) { - if (memcmp(buf, slabstat_ids[i], strlen(slabstat_ids[i])) == 0) { - sscanf(buf, "%*s%d", ((int *)s) + i); - cnt--; - break; - } - } - if (cnt <= 0) - break; - } - - slabstat_valid = 1; - - fclose(fp); - return 0; -} - static unsigned long long cookie_sk_get(const uint32_t *cookie) { return (((unsigned long long)cookie[1] << 31) << 1) | cookie[0]; @@ -3372,7 +3310,7 @@ static int tcp_show(struct filter *f) { FILE *fp = NULL; char *buf = NULL; - int bufsize = 64*1024; + int bufsize = 1024*1024; if (!filter_af_get(f, AF_INET) && !filter_af_get(f, AF_INET6)) return 0; 
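Review bot: `int bufsize = 1024*1024;` in tcp_show is a behaviour change the commit message does not mention: with the slab-based estimate gone, the first malloc is now always 1 MiB instead of 64 KiB, whatever the size of the table, and the only fallback is the `while (bufsize >= 64*1024)` loop in the next hunk, which presumably shrinks on allocation failure (its body continues outside the hunk). The 16x bump deserves a sentence in the commit message and a why-comment on the line, e.g. `/* no socket-count estimate any more: start big enough to read most tables in one go, shrink in the loop below if malloc fails */`, and a named constant would read better than the bare product. tcp_show's body starts before and continues past this hunk.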
@@ -3387,27 +3325,6 @@ static int tcp_show(struct filter *f) return 0; /* Sigh... We have to parse /proc/net/tcp... */ - - - /* Estimate amount of sockets and try to allocate - * huge buffer to read all the table at one read. - * Limit it by 16MB though. The assumption is: as soon as - * kernel was able to hold information about N connections, - * it is able to give us some memory for snapshot. - */ - if (1) { - get_slabstat(&slabstat); - - int guess = slabstat.socks+slabstat.tcp_syns; - - if (f->states&(1< (16*1024*1024)/128) - guess = (16*1024*1024)/128; - guess *= 128; - if (guess > bufsize) - bufsize = guess; - } while (bufsize >= 64*1024) { if ((buf = malloc(bufsize)) != NULL) break; @@ -4666,23 +4583,15 @@ static int print_summary(void) if (get_snmp_int("Tcp:", "CurrEstab", &tcp_estab) < 0) perror("ss: get_snmpstat"); - get_slabstat(&slabstat); + printf("Total: %d\n", s.socks); - printf("Total: %d (kernel %d)\n", s.socks, slabstat.socks); - - printf("TCP: %d (estab %d, closed %d, orphaned %d, synrecv %d, timewait %d/%d), ports %d\n", - s.tcp_total + slabstat.tcp_syns + s.tcp_tws, - tcp_estab, - s.tcp_total - (s.tcp4_hashed+s.tcp6_hashed-s.tcp_tws), - s.tcp_orphans, - slabstat.tcp_syns, - s.tcp_tws, slabstat.tcp_tws, - slabstat.tcp_ports - ); + printf("TCP: %d (estab %d, closed %d, orphaned %d, timewait %d)\n", + s.tcp_total + s.tcp_tws, tcp_estab, + s.tcp_total - (s.tcp4_hashed + s.tcp6_hashed - s.tcp_tws), + s.tcp_orphans, s.tcp_tws); printf("\n"); printf("Transport Total IP IPv6\n"); - printf("* %-9d %-9s %-9s\n", slabstat.socks, "-", "-"); printf("RAW %-9d %-9d %-9d\n", s.raw4+s.raw6, s.raw4, s.raw6); printf("UDP %-9d %-9d %-9d\n", s.udp4+s.udp6, s.udp4, s.udp6); printf("TCP %-9d %-9d %-9d\n", s.tcp4_hashed+s.tcp6_hashed, s.tcp4_hashed, s.tcp6_hashed); From 9b13cc98f5952f62b825461727c8170d37a4037d Mon Sep 17 00:00:00 2001 
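Review bot: The rewritten `printf("Total: %d\n", ...)` and `printf("TCP: %d (estab %d, closed %d, orphaned %d, timewait %d)\n", ...)` lines, together with the dropped `*` row of the Transport table, change the `ss -s` output layout (the `kernel`, `synrecv` and `ports` fields disappear), which any script parsing that summary will notice; the commit message only says the statistics were trimmed and should state the format change explicitly. If the ss man page describes the summary layout, it needs the same update. The arithmetic that survives (`s.tcp_total + s.tcp_tws` and the closed count) looks consistent with the old expression minus the slab terms, so no correctness issue there. print_summary starts before the hunk.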
From: Luca Boccassi Date: Fri, 11 May 2018 13:39:56 +0100 Subject: [PATCH 2/2] ip: do not drop capabilities if net_admin=i is set Users have reported a regression due to ip now dropping capabilities unconditionally. zerotier-one VPN and VirtualBox use ambient capabilities in their binary and then fork out to ip to set routes and links, and this does not work anymore. As a workaround, do not drop caps if CAP_NET_ADMIN (the most common capability used by ip) is set with the INHERITABLE flag. Users that want ip vrf exec to work do not need to set INHERITABLE, which will then only set when the calling program had privileges to give itself the ambient capability. Fixes: ba2fc55b99f8 ("Drop capabilities if not running ip exec vrf with libcap") Signed-off-by: Luca Boccassi --- lib/utils.c | 15 ++++++++++++--- man/man8/ip-vrf.8 | 4 ++++ 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/lib/utils.c b/lib/utils.c index 8a0bff0b..7b2c6dd1 100644 --- a/lib/utils.c +++ b/lib/utils.c @@ -1612,14 +1612,23 @@ void drop_cap(void) /* don't harmstring root/sudo */ if (getuid() != 0 && geteuid() != 0) { cap_t capabilities; + cap_value_t net_admin = CAP_NET_ADMIN; + cap_flag_t inheritable = CAP_INHERITABLE; + cap_flag_value_t is_set; capabilities = cap_get_proc(); if (!capabilities) exit(EXIT_FAILURE); - if (cap_clear(capabilities) != 0) - exit(EXIT_FAILURE); - if (cap_set_proc(capabilities) != 0) + if (cap_get_flag(capabilities, net_admin, inheritable, + &is_set) != 0) exit(EXIT_FAILURE); + /* apps with ambient caps can fork and call ip */ + if (is_set == CAP_CLEAR) { + if (cap_clear(capabilities) != 0) + exit(EXIT_FAILURE); + if (cap_set_proc(capabilities) != 0) + exit(EXIT_FAILURE); + } cap_free(capabilities); } #endif diff --git a/man/man8/ip-vrf.8 b/man/man8/ip-vrf.8 index 1a42cebe..c1c9b958 100644 --- a/man/man8/ip-vrf.8 +++ b/man/man8/ip-vrf.8 
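Review bot: The new `cap_get_flag(capabilities, net_admin, inheritable, &is_set)` test uses the inheritable set as a stand-in for "the caller handed us ambient capabilities", but the inheritable set survives exec for any parent that carries the bit, whether or not it raised the capability to ambient, and whenever the bit is present ip now keeps its entire permitted set rather than only CAP_NET_ADMIN, with the man-page instruction in the second hunk as the only guard against misconfiguration. Since the regression named in the message is specifically about ambient capabilities, querying that set directly is the tighter check: `if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_ADMIN, 0, 0) != 1)` then clear and set as before, which also falls through to dropping on kernels where the call fails; it needs `<sys/prctl.h>`, and whether utils.c already includes it is not visible here. If the inheritable test is kept, the comment `/* apps with ambient caps can fork and call ip */` should say why that flag in particular is consulted, e.g. `/* ambient caps require the inheritable bit: keep caps so callers that raised CAP_NET_ADMIN to ambient before exec'ing ip still work */`. drop_cap's signature and closing brace are both outside the hunk.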
@@ -70,6 +70,10 @@ This command also requires to be ran as root or with the CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. If built with libcap and if capabilities are added to the ip binary program via setcap, the program will drop them as the first thing when invoked, unless the command is vrf exec. +.br +NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set to INHERITABLE +to avoid breaking programs with ambient capabilities that call ip. +Do not set the INHERITABLE flag on the ip binary itself. .TP .B ip vrf identify [PID] - Report VRF association for process