Allow netlink sockets to send to RTMGRP_LINK

sendmsg() to the multicast group now works. connect() is still disallowed.

This patch also reduces the length for which a netlink socket's mu is held.
Previously, once it was taken in Socket.sendMsg(), it was held throughout
Protocol.Receive() -> Socket.ProcessMessages() -> Socket.SendResponse().
When in fact the only field it was needed for was Socket.portID.

PiperOrigin-RevId: 830546353

Author: shailend-g

pkg/abi/linux/netlink.go

@@ -157,3 +157,8 @@ type NetlinkErrorMessage struct {
 	Error  int32
 	Header NetlinkMessageHeader
 }
+
+// RTNetlink multicast groups, from uapi/linux/rtnetlink.h.
+const (
+	RTNLGRP_LINK = 1
+)

pkg/sentry/inet/BUILD

@@ -26,6 +26,13 @@ declare_mutex(
     prefix = "abstractSocketNamespace",
 )
 
+declare_mutex(
+    name = "nlmcast_table_mutex",
+    out = "nlmcast_table_mutex.go",
+    package = "inet",
+    prefix = "nlmcastTable",
+)
+
 go_library(
     name = "inet",
     srcs = [
@@ -35,6 +42,8 @@ go_library(
         "inet.go",
         "namespace.go",
         "namespace_refs.go",
+        "nlmcast.go",
+        "nlmcast_table_mutex.go",
         "test_stack.go",
     ],
     deps = [

pkg/sentry/inet/inet.go

@@ -32,7 +32,7 @@ type Stack interface {
 	Interfaces() map[int32]Interface
 
 	// RemoveInterface removes the specified network interface.
-	RemoveInterface(idx int32) error
+	RemoveInterface(ctx context.Context, idx int32) error
 
 	// InterfaceAddrs returns all network interface addresses as a mapping from
 	// interface indexes to a slice of associated interface address properties.

pkg/sentry/inet/namespace.go

@@ -45,17 +45,24 @@ type Namespace struct {
 
 	// abstractSockets tracks abstract sockets that are in use.
 	abstractSockets AbstractSocketNamespace
+
+	// netlinkMcastTable manages multicast group membership for netlink sockets.
+	netlinkMcastTable *McastTable
 }
 
 // NewRootNamespace creates the root network namespace, with creator
 // allowing new network namespaces to be created. If creator is nil, no
 // networking will function if the network is namespaced.
 func NewRootNamespace(stack Stack, creator NetworkStackCreator, userNS *auth.UserNamespace) *Namespace {
 	n := &Namespace{
-		stack:   stack,
-		creator: creator,
-		isRoot:  true,
-		userNS:  userNS,
+		stack:             stack,
+		creator:           creator,
+		isRoot:            true,
+		userNS:            userNS,
+		netlinkMcastTable: NewNetlinkMcastTable(),
+	}
+	if eventPublishingStack, ok := stack.(InterfaceEventPublisher); ok {
+		eventPublishingStack.AddInterfaceEventSubscriber(n.netlinkMcastTable)
 	}
 	n.abstractSockets.init()
 	return n
@@ -79,8 +86,9 @@ func (n *Namespace) GetInode() *nsfs.Inode {
 // NewNamespace creates a new network namespace from the root.
 func NewNamespace(root *Namespace, userNS *auth.UserNamespace) *Namespace {
 	n := &Namespace{
-		creator: root.creator,
-		userNS:  userNS,
+		creator:           root.creator,
+		userNS:            userNS,
+		netlinkMcastTable: NewNetlinkMcastTable(),
 	}
 	n.init()
 	return n
@@ -148,6 +156,9 @@ func (n *Namespace) init() {
 		if err != nil {
 			panic(err)
 		}
+		if eventPublishingStack, ok := n.stack.(InterfaceEventPublisher); ok {
+			eventPublishingStack.AddInterfaceEventSubscriber(n.netlinkMcastTable)
+		}
 	}
 	n.abstractSockets.init()
 }
@@ -162,6 +173,11 @@ func (n *Namespace) AbstractSockets() *AbstractSocketNamespace {
 	return &n.abstractSockets
 }
 
+// NetlinkMcastTable returns the netlink multicast group table.
+func (n *Namespace) NetlinkMcastTable() *McastTable {
+	return n.netlinkMcastTable
+}
+
 // NetworkStackCreator allows new instances of a network stack to be created. It
 // is used by the kernel to create new network namespaces when requested.
 type NetworkStackCreator interface {

pkg/sentry/inet/nlmcast.go

@@ -0,0 +1,144 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package inet
+
+import (
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/context"
+)
+
+const (
+	routeProtocol       = linux.NETLINK_ROUTE
+	routeLinkMcastGroup = linux.RTNLGRP_LINK
+)
+
+// InterfaceEventSubscriber allows clients to subscribe to events published by an inet.Stack.
+//
+// It is a rough parallel to the objects in Linux that subscribe to netdev
+// events by calling register_netdevice_notifier().
+type InterfaceEventSubscriber interface {
+	// OnInterfaceChangeEvent is called by InterfaceEventPublishers when an interface change event takes place.
+	OnInterfaceChangeEvent(ctx context.Context, idx int32, i Interface)
+
+	// OnInterfaceDeleteEvent is called by InterfaceEventPublishers when an interface delete event takes place.
+	OnInterfaceDeleteEvent(ctx context.Context, idx int32, i Interface)
+}
+
+// InterfaceEventPublisher is the interface event publishing aspect of an inet.Stack.
+//
+// The Linux parallel is how it notifies subscribers via call_netdev_notifiers().
+type InterfaceEventPublisher interface {
+	AddInterfaceEventSubscriber(sub InterfaceEventSubscriber)
+}
+
+// NetlinkSocket corresponds to a netlink socket.
+type NetlinkSocket interface {
+	// Protocol returns the netlink protocol value.
+	Protocol() int
+
+	// Groups returns the bitmap of multicast groups the socket is bound to.
+	Groups() uint64
+
+	// HandleInterfaceChangeEvent is called on NetlinkSockets that are members of the RTNLGRP_LINK
+	// multicast group when an interface is modified.
+	HandleInterfaceChangeEvent(context.Context, int32, Interface)
+
+	// HandleInterfaceDeleteEvent is called on NetlinkSockets that are members of the RTNLGRP_LINK
+	// multicast group when an interface is deleted.
+	HandleInterfaceDeleteEvent(context.Context, int32, Interface)
+}
+
+// McastTable holds multicast group membership information for netlink netlinkSocket.
+// It corresponds roughly to Linux's struct netlink_table.
+//
+// +stateify savable
+type McastTable struct {
+	mu    nlmcastTableMutex `state:"nosave"`
+	socks map[int]map[NetlinkSocket]struct{}
+}
+
+// WithTableLocked runs fn with the table mutex held.
+func (m *McastTable) WithTableLocked(fn func()) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	fn()
+}
+
+// AddSocket adds a netlinkSocket to the multicast-group table.
+//
+// Preconditions: the netlink multicast table is locked.
+func (m *McastTable) AddSocket(s NetlinkSocket) {
+	p := s.Protocol()
+	if _, ok := m.socks[p]; !ok {
+		m.socks[p] = make(map[NetlinkSocket]struct{})
+	}
+	if _, ok := m.socks[p][s]; ok {
+		return
+	}
+	m.socks[p][s] = struct{}{}
+}
+
+// RemoveSocket removes a netlinkSocket from the multicast-group table.
+//
+// Preconditions: the netlink multicast table is locked.
+func (m *McastTable) RemoveSocket(s NetlinkSocket) {
+	p := s.Protocol()
+	if _, ok := m.socks[p]; !ok {
+		return
+	}
+	if _, ok := m.socks[p][s]; !ok {
+		return
+	}
+	delete(m.socks[p], s)
+}
+
+// ForEachMcastSock calls fn on all Netlink sockets that are members of the given multicast group.
+func (m *McastTable) ForEachMcastSock(protocol int, mcastGroup int, fn func(s NetlinkSocket)) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if _, ok := m.socks[protocol]; !ok {
+		return
+	}
+	for s := range m.socks[protocol] {
+		// If the socket is not bound to the multicast group, skip it.
+		if s.Groups()&(1<<(mcastGroup-1)) == 0 {
+			continue
+		}
+		fn(s)
+	}
+}
+
+// OnInterfaceChangeEvent implements InterfaceEventSubscriber.OnInterfaceChangeEvent.
+func (m *McastTable) OnInterfaceChangeEvent(ctx context.Context, idx int32, i Interface) {
+	// Relay the event to RTNLGRP_LINK subscribers.
+	m.ForEachMcastSock(routeProtocol, routeLinkMcastGroup, func(s NetlinkSocket) {
+		s.HandleInterfaceChangeEvent(ctx, idx, i)
+	})
+}
+
+// OnInterfaceDeleteEvent implements InterfaceEventSubscriber.OnInterfaceDeleteEvent.
+func (m *McastTable) OnInterfaceDeleteEvent(ctx context.Context, idx int32, i Interface) {
+	// Relay the event to RTNLGRP_LINK subscribers.
+	m.ForEachMcastSock(routeProtocol, routeLinkMcastGroup, func(s NetlinkSocket) {
+		s.HandleInterfaceDeleteEvent(ctx, idx, i)
+	})
+}
+
+// NewNetlinkMcastTable creates a new McastTable.
+func NewNetlinkMcastTable() *McastTable {
+	return &McastTable{
+		socks: make(map[int]map[NetlinkSocket]struct{}),
+	}
+}

pkg/sentry/inet/test_stack.go

@@ -61,7 +61,7 @@ func (s *TestStack) Destroy() {
 }
 
 // RemoveInterface implements Stack.
-func (s *TestStack) RemoveInterface(idx int32) error {
+func (s *TestStack) RemoveInterface(ctx context.Context, idx int32) error {
 	delete(s.InterfacesMap, idx)
 	return nil
 }

pkg/sentry/socket/hostinet/stack.go

@@ -152,7 +152,7 @@ func (s *Stack) Interfaces() map[int32]inet.Interface {
 }
 
 // RemoveInterface implements inet.Stack.RemoveInterface.
-func (*Stack) RemoveInterface(idx int32) error {
+func (*Stack) RemoveInterface(ctx context.Context, idx int32) error {
 	return removeInterface(idx)
 }
 

pkg/sentry/socket/netlink/BUILD

@@ -15,6 +15,7 @@ go_library(
     deps = [
         "//pkg/abi/linux",
         "//pkg/abi/linux/errno",
+        "//pkg/atomicbitops",
         "//pkg/context",
         "//pkg/errors/linuxerr",
         "//pkg/hostarch",
@@ -27,6 +28,7 @@ go_library(
         "//pkg/sentry/kernel/auth",
         "//pkg/sentry/ktime",
         "//pkg/sentry/socket",
+        "//pkg/sentry/socket/control",
         "//pkg/sentry/socket/netlink/nlmsg",
         "//pkg/sentry/socket/netlink/port",
         "//pkg/sentry/socket/unix",

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -82,7 +82,7 @@ func (p *Protocol) Receive(ctx context.Context, s *netlink.Socket, buf []byte) *
 	// TODO: b/434785410 - Support batch messages.
 	if hdr.Type == linux.NFNL_MSG_BATCH_BEGIN {
 		ms := nlmsg.NewMessageSet(s.GetPortID(), hdr.Seq)
-		if err := p.receiveBatchMessage(ctx, s, ms, buf); err != nil {
+		if err := p.receiveBatchMessage(ctx, ms, buf); err != nil {
 			log.Debugf("Nftables: Failed to process batch message: %v", err)
 			netlink.DumpErrorMessage(hdr, ms, err.GetError())
 		}
@@ -1215,7 +1215,7 @@ func (p *Protocol) ProcessMessage(ctx context.Context, s *netlink.Socket, msg *n
 }
 
 // receiveBatchMessage processes a NETFILTER batch message.
-func (p *Protocol) receiveBatchMessage(ctx context.Context, s *netlink.Socket, ms *nlmsg.MessageSet, buf []byte) *syserr.AnnotatedError {
+func (p *Protocol) receiveBatchMessage(ctx context.Context, ms *nlmsg.MessageSet, buf []byte) *syserr.AnnotatedError {
 	// Linux ignores messages that are too small.
 	// From net/netfilter/nfnetlink.c:nfnetlink_rcv_skb_batch
 	if len(buf) < linux.NetlinkMessageHeaderSize+linux.SizeOfNetfilterGenMsg {
@@ -1254,7 +1254,7 @@ func (p *Protocol) receiveBatchMessage(ctx context.Context, s *netlink.Socket, m
 	// The resource ID is a 16-bit value that is stored in network byte order.
 	// We ensure that it is in host byte order before passing it for processing.
 	resID := nlmsg.NetToHostU16(nfGenMsg.ResourceID)
-	if err := p.processBatchMessage(ctx, s, buf, ms, hdr, resID); err != nil {
+	if err := p.processBatchMessage(ctx, buf, ms, hdr, resID); err != nil {
 		log.Debugf("Failed to process batch message: %v", err)
 		netlink.DumpErrorMessage(hdr, ms, err.GetError())
 	}
@@ -1263,7 +1263,7 @@ func (p *Protocol) receiveBatchMessage(ctx context.Context, s *netlink.Socket, m
 }
 
 // processBatchMessage processes a batch message.
-func (p *Protocol) processBatchMessage(ctx context.Context, s *netlink.Socket, buf []byte, ms *nlmsg.MessageSet, batchHdr linux.NetlinkMessageHeader, subsysID uint16) *syserr.AnnotatedError {
+func (p *Protocol) processBatchMessage(ctx context.Context, buf []byte, ms *nlmsg.MessageSet, batchHdr linux.NetlinkMessageHeader, subsysID uint16) *syserr.AnnotatedError {
 	if subsysID >= linux.NFNL_SUBSYS_COUNT {
 		return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Unknown subsystem id %d", subsysID))
 	}

pkg/sentry/socket/netlink/provider.go

@@ -20,6 +20,7 @@ import (
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/sentry/fsimpl/sockfs"
+	"gvisor.dev/gvisor/pkg/sentry/inet"
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/socket"
 	"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
@@ -51,6 +52,18 @@ type Protocol interface {
 	ProcessMessage(ctx context.Context, s *Socket, msg *nlmsg.Message, ms *nlmsg.MessageSet) *syserr.Error
 }
 
+// RouteProtocol corresponds to the NETLINK_ROUTE family.
+type RouteProtocol interface {
+	Protocol
+
+	// AddNewLinkMessage is called when an interface is mutated or created by the stack.
+	// It is the rough equivalent of Linux's rtnetlink_event().
+	AddNewLinkMessage(ms *nlmsg.MessageSet, idx int32, i inet.Interface)
+
+	// AddDelLinkMessage is called when an interface is deleted by the stack.
+	AddDelLinkMessage(ms *nlmsg.MessageSet, idx int32, i inet.Interface)
+}
+
 // Provider is a function that creates a new Protocol for a specific netlink
 // protocol.
 //