Deny SOL_IP socket options for raw AF_INET6 sockets

PiperOrigin-RevId: 813907049

Author: shailend-g

pkg/sentry/socket/netstack/netstack.go

@@ -1645,6 +1645,11 @@ func getSockOptIP(t *kernel.Task, s socket.Socket, ep commonEndpoint, name int,
 		log.Warningf("SOL_IP options not supported on endpoints other than tcpip.Endpoint: option = %d, endpoint = %T", name, ep)
 		return nil, syserr.ErrUnknownProtocolOption
 	}
+	// Rejection of SOL_IP options for AF_INET6 RAW sockets matches Linux behavior:
+	// https://github.com/torvalds/linux/blob/cec1e6e5d1a/net/ipv6/ipv6_sockglue.c#L1453
+	if family, skType, _ := s.Type(); family == linux.AF_INET6 && skType == linux.SOCK_RAW {
+		return nil, syserr.ErrUnknownProtocolOption
+	}
 
 	switch name {
 	case linux.IP_TTL:
@@ -2717,6 +2722,11 @@ func setSockOptIP(t *kernel.Task, s socket.Socket, ep commonEndpoint, name int,
 		log.Warningf("SOL_IP options not supported on endpoints other than tcpip.Endpoint: option = %d, endpoint = %T", name, ep)
 		return syserr.ErrUnknownProtocolOption
 	}
+	// Rejection of SOL_IP options for AF_INET6 RAW sockets matches Linux behavior:
+	// https://github.com/torvalds/linux/blob/cec1e6e5d1a/net/ipv6/ipv6_sockglue.c#L963
+	if family, skType, _ := s.Type(); family == linux.AF_INET6 && skType == linux.SOCK_RAW {
+		return syserr.ErrUnknownProtocolOption
+	}
 
 	switch name {
 	case linux.IP_MULTICAST_TTL:

test/syscalls/linux/BUILD

@@ -2140,6 +2140,7 @@ cc_binary(
         ":unix_domain_socket_test_util",
         "//test/util:capability_util",
         "//test/util:file_descriptor",
+        "//test/util:posix_error",
         "//test/util:socket_util",
         "//test/util:test_main",
         "//test/util:test_util",

test/syscalls/linux/raw_socket.cc

@@ -23,12 +23,15 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <cerrno>
+
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "test/syscalls/linux/ip_socket_test_util.h"
 #include "test/syscalls/linux/unix_domain_socket_test_util.h"
 #include "test/util/capability_util.h"
 #include "test/util/file_descriptor.h"
+#include "test/util/posix_error.h"
 #include "test/util/socket_util.h"
 #include "test/util/test_util.h"
 
@@ -1586,6 +1589,39 @@ TEST(RawSocketTest, IPv6Checksum_ValidateAndCalculate) {
   ASSERT_NO_FATAL_FAILURE(expect_receive(checksum_not_set, counter, true));
 }
 
+// SOL_IP options on a raw AF_INET6 socket are denied.
+TEST(RawSocketTest, SolIPSetSockOptOnRawV6SocketFails) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveRawIPSocketCapability()));
+  FileDescriptor raw =
+      ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_INET6, SOCK_RAW, IPPROTO_UDP));
+
+  const ip_mreqn group = {
+      .imr_multiaddr =
+          {
+              .s_addr = inet_addr(kMulticastAddress),
+          },
+      .imr_ifindex = ASSERT_NO_ERRNO_AND_VALUE(InterfaceIndex("lo")),
+  };
+  EXPECT_THAT(
+      setsockopt(raw.get(), SOL_IP, IP_ADD_MEMBERSHIP, &group, sizeof(group)),
+      SyscallFailsWithErrno(ENOPROTOOPT));
+
+  // Try with another SOL_IP option.
+  const ip_mreqn iface = {
+      .imr_multiaddr = {},
+      .imr_ifindex = ASSERT_NO_ERRNO_AND_VALUE(InterfaceIndex("lo")),
+  };
+  EXPECT_THAT(
+      setsockopt(raw.get(), SOL_IP, IP_MULTICAST_IF, &iface, sizeof(iface)),
+      SyscallFailsWithErrno(ENOPROTOOPT));
+
+  // getsockopt is also denied.
+  int on;
+  socklen_t slen = sizeof(on);
+  EXPECT_THAT(getsockopt(raw.get(), SOL_IP, IP_HDRINCL, &on, &slen),
+              SyscallFailsWithErrno(ENOPROTOOPT));
+}
+
 }  // namespace
 
 }  // namespace testing