sk-inet: Checkpoint/Restore net.ipv4.ping_group_range

Dump and restore the net.ipv4.ping_group_range variable to allow the
creation of unprivileged ICMP sockets.

Signed-off-by: समीर सिंह Sameer Singh <lumarzeli30@gmail.com>

criu/sk-inet.c

@@ -32,6 +32,7 @@
 #include "rst-malloc.h"
 #include "sockets.h"
 #include "sk-inet.h"
+#include "sysctl.h"
 #include "protobuf.h"
 #include "util.h"
 #include "namespaces.h"
@@ -481,6 +482,23 @@ static int do_dump_one_inet_fd(int lfd, u32 id, const struct fd_parms *p, int fa
 			goto err;
 	}
 
+	if (type == SOCK_DGRAM && (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6)) {
+		char buffer[16];
+
+		struct sysctl_req req[] = {
+			{ "net/ipv4/ping_group_range", &buffer, CTL_STR(16) },
+		};
+
+		ret = sysctl_op(req, ARRAY_SIZE(req), CTL_READ, CLONE_NEWNET);
+		if (ret < 0) {
+			pr_perror("Failed to read ping group range");
+			goto err;
+		}
+
+		buffer[strlen(buffer)] = '\0';
+		ie.ping_grp_range = buffer;
+	}
+
 	sk->cork = false;
 	if (type != SOCK_RAW) {
 		switch (proto) {
@@ -877,6 +895,20 @@ static int open_inet_sk(struct file_desc *d, int *new_fd)
 	if (run_setsockcreatecon(fle->fe))
 		return -1;
 
+	if (ie->type == SOCK_DGRAM && (ie->proto == IPPROTO_ICMP || ie->proto == IPPROTO_ICMPV6)) {
+		if (strlen(ie->ping_grp_range) > 1) {
+			int ret;
+			struct sysctl_req req[] = {
+				{ "net/ipv4/ping_group_range", ie->ping_grp_range, CTL_STR(strlen(ie->ping_grp_range)) },
+			};
+			ret = sysctl_op(req, ARRAY_SIZE(req), CTL_WRITE, CLONE_NEWNET);
+			if (ret < 0) {
+				pr_perror("Failed to set ping_group_range");
+				return -1;
+			}
+		}
+	}
+
 	sk = socket(ie->family, ie->type, ie->proto);
 	if (sk < 0) {
 		pr_perror("Can't create inet socket");

criu/sockets.c

@@ -65,7 +65,7 @@ const char *socket_proto_name(unsigned int proto, char *nm, size_t size)
 		[IPPROTO_IPV6] = __stringify_1(IPPROTO_IPV6), [IPPROTO_RSVP] = __stringify_1(IPPROTO_RSVP),
 		[IPPROTO_GRE] = __stringify_1(IPPROTO_GRE),   [IPPROTO_ESP] = __stringify_1(IPPROTO_ESP),
 		[IPPROTO_AH] = __stringify_1(IPPROTO_AH),     [IPPROTO_UDPLITE] = __stringify_1(IPPROTO_UDPLITE),
-		[IPPROTO_RAW] = __stringify_1(IPPROTO_RAW),
+		[IPPROTO_RAW] = __stringify_1(IPPROTO_RAW),   [IPPROTO_ICMPV6] = __stringify_1(IPPROTO_ICMPV6),
 	};
 	return __socket_const_name(nm, size, protos, ARRAY_SIZE(protos), proto);
 }
@@ -926,7 +926,7 @@ int collect_sockets(struct ns_id *ns)
 	req.r.i.sdiag_protocol = IPPROTO_ICMP;
 	req.r.i.idiag_ext = 0;
 	req.r.i.idiag_states = -1; /* All */
-	set_collect_bit(req.r.n.sdiag_family, req.r.n.sdiag_protocol);
+	set_collect_bit(req.r.i.sdiag_family, req.r.i.sdiag_protocol);
 
 	/* Collect IPv6 TCP sockets */
 	req.r.i.sdiag_family = AF_INET6;
@@ -972,7 +972,7 @@ int collect_sockets(struct ns_id *ns)
 	req.r.i.sdiag_protocol = IPPROTO_ICMPV6;
 	req.r.i.idiag_ext = 0;
 	req.r.i.idiag_states = -1; /* All */
-	set_collect_bit(req.r.n.sdiag_family, req.r.n.sdiag_protocol);
+	set_collect_bit(req.r.i.sdiag_family, req.r.i.sdiag_protocol);
 
 	req.r.p.sdiag_family = AF_PACKET;
 	req.r.p.sdiag_protocol = 0;

images/sk-inet.proto

@@ -58,4 +58,5 @@ message inet_sk_entry {
 	optional uint32			ns_id		= 18;
 	optional sk_shutdown		shutdown	= 19;
 	optional tcp_opts_entry		tcp_opts	= 20;
+        optional string                 ping_grp_range  = 21;
 }