Fix: Ensure that unbound Netlink sockets are bound when sending a message.

kerumeto · gvisor-bot · commit 792bb9e16bd7 · 2025-07-24T14:19:40.000-07:00
If a Netlink socket is not bound when a message is sent through it, it should
automatically be bound to assign it a unique portID. This becomes relevant
in cases where the portId is used for access verification, such as for
table owners in NETLINK_NETFILTER sockets.

PiperOrigin-RevId: 786348487
diff --git a/pkg/sentry/socket/netlink/socket.go b/pkg/sentry/socket/netlink/socket.go
@@ -796,6 +796,13 @@ func (s *Socket) sendMsg(ctx context.Context, src usermem.IOSequence, to []byte,
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
+	// An unbound socket has a port ID defaulted to 0. If it has not yet been bound,
+	// bind it to assign it a unique port ID.
+	// From net/netlink/af_netlink.c:netlink_sendmsg
+	if !s.bound {
+		s.bindPort(kernel.TaskFromContext(ctx), 0)
+	}
+
 	// For simplicity, and consistency with Linux, we copy in the entire
 	// message up front.
 	if src.NumBytes() > int64(s.sendBufferSize) {
diff --git a/test/syscalls/linux/socket_netlink_netfilter.cc b/test/syscalls/linux/socket_netlink_netfilter.cc
@@ -1966,6 +1966,89 @@ TEST(NetlinkNetfilterTest, DeleteBaseChainByHandle) {
                                            delete_chain_request_buffer.size()));
 }
 
+TEST(NetlinkNetfilterTest, ErrRetrieveTableWithOwnerMismatchUnboundSocket) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  const char test_table_name[] = "test_table";
+  uint32_t table_flags = NFT_TABLE_F_DORMANT | NFT_TABLE_F_OWNER;
+  uint8_t expected_udata[3] = {0x01, 0x02, 0x03};
+  FileDescriptor fd =
+      ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER));
+  FileDescriptor fd_2 = ASSERT_NO_ERRNO_AND_VALUE(
+      Socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER));
+
+  std::vector<char> add_request_buffer =
+      NlReq("newtable req ack inet")
+          .Seq(kSeq)
+          .StrAttr(NFTA_TABLE_NAME, test_table_name)
+          .U32Attr(NFTA_TABLE_FLAGS, &table_flags)
+          .RawAttr(NFTA_TABLE_USERDATA, expected_udata, sizeof(expected_udata))
+          .Build();
+
+  std::vector<char> get_request_buffer =
+      NlReq("gettable req ack inet")
+          .Seq(kSeq + 1)
+          .StrAttr(NFTA_TABLE_NAME, test_table_name)
+          .Build();
+
+  ASSERT_NO_ERRNO(NetlinkRequestAckOrError(fd, kSeq, add_request_buffer.data(),
+                                           add_request_buffer.size()));
+
+  ASSERT_THAT(
+      NetlinkRequestAckOrError(fd_2, kSeq + 1, get_request_buffer.data(),
+                               get_request_buffer.size()),
+      PosixErrorIs(EPERM, _));
+}
+
+TEST(NetlinkNetfilterTest, AddTableWithUnboundSocket) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  const char test_table_name[] = "test_table";
+  uint32_t table_flags = NFT_TABLE_F_DORMANT | NFT_TABLE_F_OWNER;
+  uint32_t expected_port_id = 0;
+  uint8_t expected_udata[3] = {0x01, 0x02, 0x03};
+  FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(
+      Socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER));
+  bool correct_response = false;
+
+  std::vector<char> add_request_buffer =
+      NlReq("newtable req ack inet")
+          .Seq(kSeq)
+          .StrAttr(NFTA_TABLE_NAME, test_table_name)
+          .U32Attr(NFTA_TABLE_FLAGS, &table_flags)
+          .RawAttr(NFTA_TABLE_USERDATA, expected_udata, sizeof(expected_udata))
+          .Build();
+
+  std::vector<char> get_request_buffer =
+      NlReq("gettable req inet")
+          .Seq(kSeq + 1)
+          .StrAttr(NFTA_TABLE_NAME, test_table_name)
+          .Build();
+
+  ASSERT_NO_ERRNO(NetlinkRequestAckOrError(fd, kSeq, add_request_buffer.data(),
+                                           add_request_buffer.size()));
+
+  ASSERT_NO_ERRNO(NetlinkRequestResponse(
+      fd, get_request_buffer.data(), get_request_buffer.size(),
+      [&](const struct nlmsghdr* hdr) {
+        const struct nfattr* owner_attr =
+            FindNfAttr(hdr, nullptr, NFTA_TABLE_OWNER);
+        EXPECT_NE(owner_attr, nullptr);
+        uint32_t owner = *(reinterpret_cast<uint32_t*>(NFA_DATA(owner_attr)));
+        EXPECT_NE(owner, 0);
+        expected_port_id = owner;
+        correct_response = true;
+      },
+      false));
+  ASSERT_TRUE(correct_response);
+
+  // Ensure that the port ID assigned to the table is not 0 and matches the
+  // port id retrieved from getsockname() syscall.
+  uint32_t assigned_port_id =
+      ASSERT_NO_ERRNO_AND_VALUE(NetlinkPortID(fd.get()));
+  ASSERT_NE(expected_port_id, 0);
+  ASSERT_NE(assigned_port_id, 0);
+  ASSERT_EQ(expected_port_id, assigned_port_id);
+}
+
 }  // namespace
 
 }  // namespace testing
