Add RTNLGRP_LINK netlink multicast support

Only netstack supports sending link events, multicast group requests
for netlink sockets continue to be denied when hostinet is in use.

PiperOrigin-RevId: 825237541

Author: shailend-g

pkg/abi/linux/netlink.go

@@ -157,3 +157,8 @@ type NetlinkErrorMessage struct {
 	Error  int32
 	Header NetlinkMessageHeader
 }
+
+// RTNetlink multicast groups, from uapi/linux/rtnetlink.h.
+const (
+	RTNLGRP_LINK = 1
+)

pkg/sentry/inet/BUILD

@@ -26,6 +26,13 @@ declare_mutex(
     prefix = "abstractSocketNamespace",
 )
 
+declare_mutex(
+    name = "nlmcast_table_mutex",
+    out = "nlmcast_table_mutex.go",
+    package = "inet",
+    prefix = "nlmcastTable",
+)
+
 go_library(
     name = "inet",
     srcs = [
@@ -35,6 +42,8 @@ go_library(
         "inet.go",
         "namespace.go",
         "namespace_refs.go",
+        "nlmcast.go",
+        "nlmcast_table_mutex.go",
         "test_stack.go",
     ],
     deps = [

pkg/sentry/inet/inet.go

@@ -32,7 +32,7 @@ type Stack interface {
 	Interfaces() map[int32]Interface
 
 	// RemoveInterface removes the specified network interface.
-	RemoveInterface(idx int32) error
+	RemoveInterface(ctx context.Context, idx int32) error
 
 	// InterfaceAddrs returns all network interface addresses as a mapping from
 	// interface indexes to a slice of associated interface address properties.

pkg/sentry/inet/namespace.go

@@ -45,17 +45,24 @@ type Namespace struct {
 
 	// abstractSockets tracks abstract sockets that are in use.
 	abstractSockets AbstractSocketNamespace
+
+	// netlinkMcastTable manages multicast group membership for netlink sockets.
+	netlinkMcastTable *McastTable
 }
 
 // NewRootNamespace creates the root network namespace, with creator
 // allowing new network namespaces to be created. If creator is nil, no
 // networking will function if the network is namespaced.
 func NewRootNamespace(stack Stack, creator NetworkStackCreator, userNS *auth.UserNamespace) *Namespace {
 	n := &Namespace{
-		stack:   stack,
-		creator: creator,
-		isRoot:  true,
-		userNS:  userNS,
+		stack:             stack,
+		creator:           creator,
+		isRoot:            true,
+		userNS:            userNS,
+		netlinkMcastTable: NewNetlinkMcastTable(),
+	}
+	if eventPublishingStack, ok := stack.(InterfaceEventPublisher); ok {
+		eventPublishingStack.AddInterfaceEventSubscriber(n.netlinkMcastTable)
 	}
 	n.abstractSockets.init()
 	return n
@@ -79,8 +86,9 @@ func (n *Namespace) GetInode() *nsfs.Inode {
 // NewNamespace creates a new network namespace from the root.
 func NewNamespace(root *Namespace, userNS *auth.UserNamespace) *Namespace {
 	n := &Namespace{
-		creator: root.creator,
-		userNS:  userNS,
+		creator:           root.creator,
+		userNS:            userNS,
+		netlinkMcastTable: NewNetlinkMcastTable(),
 	}
 	n.init()
 	return n
@@ -148,6 +156,9 @@ func (n *Namespace) init() {
 		if err != nil {
 			panic(err)
 		}
+		if eventPublishingStack, ok := n.stack.(InterfaceEventPublisher); ok {
+			eventPublishingStack.AddInterfaceEventSubscriber(n.netlinkMcastTable)
+		}
 	}
 	n.abstractSockets.init()
 }
@@ -162,6 +173,11 @@ func (n *Namespace) AbstractSockets() *AbstractSocketNamespace {
 	return &n.abstractSockets
 }
 
+// NetlinkMcastTable returns the netlink multicast group table.
+func (n *Namespace) NetlinkMcastTable() *McastTable {
+	return n.netlinkMcastTable
+}
+
 // NetworkStackCreator allows new instances of a network stack to be created. It
 // is used by the kernel to create new network namespaces when requested.
 type NetworkStackCreator interface {

pkg/sentry/inet/nlmcast.go

@@ -0,0 +1,142 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package inet
+
+import (
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/context"
+)
+
+const (
+	routeProtocol       = linux.NETLINK_ROUTE
+	routeLinkMcastGroup = linux.RTNLGRP_LINK
+)
+
+// InterfaceEventSubscriber allows clients to subscribe to events published by an inet.Stack.
+//
+// It is a rough parallel to the objects in Linux that subscribe to netdev
+// events by calling register_netdevice_notifier().
+type InterfaceEventSubscriber interface {
+	// OnInterfaceChangeEvent is called by InterfaceEventPublishers when an interface event takes place.
+	OnInterfaceChangeEvent(ctx context.Context, idx int32, i Interface)
+
+	// OnInterfaceDeleteEvent is called by InterfaceEventPublishers when an interface event takes place.
+	OnInterfaceDeleteEvent(ctx context.Context, idx int32, i Interface)
+}
+
+// InterfaceEventPublisher is the interface event publishing aspect of an inet.Stack.
+//
+// The Linux parallel is how it notifies subscribers via call_netdev_notifiers().
+type InterfaceEventPublisher interface {
+	AddInterfaceEventSubscriber(sub InterfaceEventSubscriber)
+}
+
+// NetlinkSocket corresponds to a netlink socket.
+type NetlinkSocket interface {
+	// Protocol returns the netlink protocol value.
+	Protocol() int
+
+	// Groups returns the bitmap of multicast groups the socket is bound to.
+	Groups() uint64
+
+	// HandleInterfaceChangeEvent is called on NetlinkSockets that are members of the RTNLGRP_LINK
+	// multicast group when an interface is modified.
+	HandleInterfaceChangeEvent(context.Context, int32, Interface)
+
+	// HandleInterfaceDeleteEvent is called on NetlinkSockets that are members of the RTNLGRP_LINK
+	// multicast group when an interface is deleted.
+	HandleInterfaceDeleteEvent(context.Context, int32, Interface)
+}
+
+// McastTable holds multicast group membership information for netlink netlinkSocket.
+// It corresponds roughly to Linux's struct netlink_table.
+//
+// +stateify savable
+type McastTable struct {
+	mu    nlmcastTableMutex `state:"nosave"`
+	socks map[int]map[NetlinkSocket]struct{}
+}
+
+// WithTableLocked runs fn with the table mutex held.
+func (m *McastTable) WithTableLocked(fn func()) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	fn()
+}
+
+// AddSocket adds a netlinkSocket to the multicast-group table.
+//
+// Preconditions: the netlink multicast table is locked.
+func (m *McastTable) AddSocket(s NetlinkSocket) {
+	p := s.Protocol()
+	if _, ok := m.socks[p]; !ok {
+		m.socks[p] = make(map[NetlinkSocket]struct{})
+	}
+	if _, ok := m.socks[p][s]; ok {
+		return
+	}
+	m.socks[p][s] = struct{}{}
+}
+
+// RemoveSocket removes a netlinkSocket from the multicast-group table.
+//
+// Preconditions: the netlink multicast table is locked.
+func (m *McastTable) RemoveSocket(s NetlinkSocket) {
+	p := s.Protocol()
+	if _, ok := m.socks[p]; !ok {
+		return
+	}
+	if _, ok := m.socks[p][s]; !ok {
+		return
+	}
+	delete(m.socks[p], s)
+}
+
+func (m *McastTable) forEachMcastSock(protocol int, mcastGroup int, fn func(s NetlinkSocket)) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if _, ok := m.socks[protocol]; !ok {
+		return
+	}
+	for s := range m.socks[protocol] {
+		if s.Groups()&(1<<(mcastGroup-1)) == 0 {
+			return
+		}
+		fn(s)
+	}
+}
+
+// OnInterfaceChangeEvent implements InterfaceEventSubscriber.OnInterfaceChangeEvent.
+func (m *McastTable) OnInterfaceChangeEvent(ctx context.Context, idx int32, i Interface) {
+	// Relay the event to RTNLGRP_LINK subscribers.
+	m.forEachMcastSock(routeProtocol, routeLinkMcastGroup, func(s NetlinkSocket) {
+		s.HandleInterfaceChangeEvent(ctx, idx, i)
+	})
+}
+
+// OnInterfaceDeleteEvent implements InterfaceEventSubscriber.OnInterfaceDeleteEvent.
+func (m *McastTable) OnInterfaceDeleteEvent(ctx context.Context, idx int32, i Interface) {
+	// Relay the event to RTNLGRP_LINK subscribers.
+	m.forEachMcastSock(routeProtocol, routeLinkMcastGroup, func(s NetlinkSocket) {
+		s.HandleInterfaceDeleteEvent(ctx, idx, i)
+	})
+}
+
+// NewNetlinkMcastTable creates a new McastTable.
+func NewNetlinkMcastTable() *McastTable {
+	return &McastTable{
+		socks: make(map[int]map[NetlinkSocket]struct{}),
+	}
+}

pkg/sentry/inet/test_stack.go

@@ -61,7 +61,7 @@ func (s *TestStack) Destroy() {
 }
 
 // RemoveInterface implements Stack.
-func (s *TestStack) RemoveInterface(idx int32) error {
+func (s *TestStack) RemoveInterface(ctx context.Context, idx int32) error {
 	delete(s.InterfacesMap, idx)
 	return nil
 }

pkg/sentry/socket/hostinet/stack.go

@@ -152,7 +152,7 @@ func (s *Stack) Interfaces() map[int32]inet.Interface {
 }
 
 // RemoveInterface implements inet.Stack.RemoveInterface.
-func (*Stack) RemoveInterface(idx int32) error {
+func (*Stack) RemoveInterface(ctx context.Context, idx int32) error {
 	return removeInterface(idx)
 }
 

pkg/sentry/socket/netlink/BUILD

@@ -15,6 +15,7 @@ go_library(
     deps = [
         "//pkg/abi/linux",
         "//pkg/abi/linux/errno",
+        "//pkg/atomicbitops",
         "//pkg/context",
         "//pkg/errors/linuxerr",
         "//pkg/hostarch",

pkg/sentry/socket/netlink/provider.go

@@ -20,6 +20,7 @@ import (
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/context"
 	"gvisor.dev/gvisor/pkg/sentry/fsimpl/sockfs"
+	"gvisor.dev/gvisor/pkg/sentry/inet"
 	"gvisor.dev/gvisor/pkg/sentry/kernel"
 	"gvisor.dev/gvisor/pkg/sentry/socket"
 	"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
@@ -51,6 +52,18 @@ type Protocol interface {
 	ProcessMessage(ctx context.Context, s *Socket, msg *nlmsg.Message, ms *nlmsg.MessageSet) *syserr.Error
 }
 
+// RouteProtocol corresponds to the NETLINK_ROUTE family.
+type RouteProtocol interface {
+	Protocol
+
+	// AddNewLinkMessage is called when an interface is mutated or created by the stack.
+	// It is the rough equivalent of Linux's rtnetlink_event().
+	AddNewLinkMessage(ms *nlmsg.MessageSet, idx int32, i inet.Interface)
+
+	// AddDelLinkMessage is called when an interface is deleted by the stack.
+	AddDelLinkMessage(ms *nlmsg.MessageSet, idx int32, i inet.Interface)
+}
+
 // Provider is a function that creates a new Protocol for a specific netlink
 // protocol.
 //

pkg/sentry/socket/netlink/route/protocol.go

@@ -101,7 +101,7 @@ func (p *Protocol) dumpLinks(ctx context.Context, s *netlink.Socket, msg *nlmsg.
 	}
 
 	for idx, i := range stack.Interfaces() {
-		addNewLinkMessage(ms, idx, i)
+		p.AddNewLinkMessage(ms, idx, i)
 	}
 
 	return nil
@@ -158,7 +158,7 @@ func (p *Protocol) getLink(ctx context.Context, s *netlink.Socket, msg *nlmsg.Me
 			return syserr.ErrInvalidArgument
 		}
 
-		addNewLinkMessage(ms, idx, i)
+		p.AddNewLinkMessage(ms, idx, i)
 		found = true
 		break
 	}
@@ -232,16 +232,10 @@ func (p *Protocol) delLink(ctx context.Context, s *netlink.Socket, msg *nlmsg.Me
 			return syserr.ErrNoDevice
 		}
 	}
-	return syserr.FromError(stack.RemoveInterface(ifinfomsg.Index))
+	return syserr.FromError(stack.RemoveInterface(ctx, ifinfomsg.Index))
 }
 
-// addNewLinkMessage appends RTM_NEWLINK message for the given interface into
-// the message set.
-func addNewLinkMessage(ms *nlmsg.MessageSet, idx int32, i inet.Interface) {
-	m := ms.AddMessage(linux.NetlinkMessageHeader{
-		Type: linux.RTM_NEWLINK,
-	})
-
+func writeLinkInfo(m *nlmsg.Message, idx int32, i inet.Interface) {
 	m.Put(&linux.InterfaceInfoMessage{
 		Family: linux.AF_UNSPEC,
 		Type:   i.DeviceType,
@@ -264,6 +258,26 @@ func addNewLinkMessage(ms *nlmsg.MessageSet, idx int32, i inet.Interface) {
 	// TODO(gvisor.dev/issue/578): There are many more attributes.
 }
 
+// AddNewLinkMessage appends an RTM_NEWLINK message for the given interface into
+// the message set.
+// AddNewLinkMessage implements netlink.RouteProtocol.AddNewLinkMessage.
+func (p *Protocol) AddNewLinkMessage(ms *nlmsg.MessageSet, idx int32, i inet.Interface) {
+	m := ms.AddMessage(linux.NetlinkMessageHeader{
+		Type: linux.RTM_NEWLINK,
+	})
+	writeLinkInfo(m, idx, i)
+}
+
+// AddDelLinkMessage appends an RTM_DELLINK message for the given interface into
+// the message set.
+// AddDelLinkMessage implements netlink.RouteProtocol.AddDelLinkMessage.
+func (p *Protocol) AddDelLinkMessage(ms *nlmsg.MessageSet, idx int32, i inet.Interface) {
+	m := ms.AddMessage(linux.NetlinkMessageHeader{
+		Type: linux.RTM_DELLINK,
+	})
+	writeLinkInfo(m, idx, i)
+}
+
 // dumpAddrs handles RTM_GETADDR dump requests.
 func (p *Protocol) dumpAddrs(ctx context.Context, s *netlink.Socket, msg *nlmsg.Message, ms *nlmsg.MessageSet) *syserr.Error {
 	// RTM_GETADDR dump requests need not contain anything more than the