mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-13 22:25:03 +00:00
9847371a84
Making this work is a little tricky as it really isn't kosher to change the xt_owner_match_info in a check function. Without changing xt_owner_match_info we need to know the user namespace the uids and gids are specified in. In the common case net->user_ns == current_user_ns(). Verify net->user_ns == current_user_ns() in owner_check so we can later assume it in owner_mt. In owner_check also verify that all of the uids and gids specified are in net->user_ns and that the expected min/max relationship exists between the uids and gids in xt_owner_match_info. In owner_mt get the network namespace from the outgoing socket, as this must be the same network namespace as the netfilter rules, and use that network namespace to find the user namespace the uids and gids in xt_match_owner_info are encoded in. Then convert from their encoded from into the kernel internal format for uids and gids and perform the owner match. Similar to ping_group_range, this code does not try to detect noncontiguous UID/GID ranges. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
131 lines
3.6 KiB
C
131 lines
3.6 KiB
C
/*
|
|
* Kernel module to match various things tied to sockets associated with
|
|
* locally generated outgoing packets.
|
|
*
|
|
* (C) 2000 Marc Boucher <marc@mbsi.ca>
|
|
*
|
|
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*/
|
|
#include <linux/module.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/file.h>
|
|
#include <net/sock.h>
|
|
#include <net/inet_sock.h>
|
|
#include <linux/netfilter/x_tables.h>
|
|
#include <linux/netfilter/xt_owner.h>
|
|
|
|
static int owner_check(const struct xt_mtchk_param *par)
|
|
{
|
|
struct xt_owner_match_info *info = par->matchinfo;
|
|
struct net *net = par->net;
|
|
|
|
/* Only allow the common case where the userns of the writer
|
|
* matches the userns of the network namespace.
|
|
*/
|
|
if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
|
|
(current_user_ns() != net->user_ns))
|
|
return -EINVAL;
|
|
|
|
/* Ensure the uids are valid */
|
|
if (info->match & XT_OWNER_UID) {
|
|
kuid_t uid_min = make_kuid(net->user_ns, info->uid_min);
|
|
kuid_t uid_max = make_kuid(net->user_ns, info->uid_max);
|
|
|
|
if (!uid_valid(uid_min) || !uid_valid(uid_max) ||
|
|
(info->uid_max < info->uid_min) ||
|
|
uid_lt(uid_max, uid_min)) {
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
/* Ensure the gids are valid */
|
|
if (info->match & XT_OWNER_GID) {
|
|
kgid_t gid_min = make_kgid(net->user_ns, info->gid_min);
|
|
kgid_t gid_max = make_kgid(net->user_ns, info->gid_max);
|
|
|
|
if (!gid_valid(gid_min) || !gid_valid(gid_max) ||
|
|
(info->gid_max < info->gid_min) ||
|
|
gid_lt(gid_max, gid_min)) {
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static bool
|
|
owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
|
{
|
|
const struct xt_owner_match_info *info = par->matchinfo;
|
|
const struct file *filp;
|
|
struct sock *sk = skb_to_full_sk(skb);
|
|
struct net *net = par->net;
|
|
|
|
if (sk == NULL || sk->sk_socket == NULL)
|
|
return (info->match ^ info->invert) == 0;
|
|
else if (info->match & info->invert & XT_OWNER_SOCKET)
|
|
/*
|
|
* Socket exists but user wanted ! --socket-exists.
|
|
* (Single ampersands intended.)
|
|
*/
|
|
return false;
|
|
|
|
filp = sk->sk_socket->file;
|
|
if (filp == NULL)
|
|
return ((info->match ^ info->invert) &
|
|
(XT_OWNER_UID | XT_OWNER_GID)) == 0;
|
|
|
|
if (info->match & XT_OWNER_UID) {
|
|
kuid_t uid_min = make_kuid(net->user_ns, info->uid_min);
|
|
kuid_t uid_max = make_kuid(net->user_ns, info->uid_max);
|
|
if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
|
|
uid_lte(filp->f_cred->fsuid, uid_max)) ^
|
|
!(info->invert & XT_OWNER_UID))
|
|
return false;
|
|
}
|
|
|
|
if (info->match & XT_OWNER_GID) {
|
|
kgid_t gid_min = make_kgid(net->user_ns, info->gid_min);
|
|
kgid_t gid_max = make_kgid(net->user_ns, info->gid_max);
|
|
if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
|
|
gid_lte(filp->f_cred->fsgid, gid_max)) ^
|
|
!(info->invert & XT_OWNER_GID))
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static struct xt_match owner_mt_reg __read_mostly = {
|
|
.name = "owner",
|
|
.revision = 1,
|
|
.family = NFPROTO_UNSPEC,
|
|
.checkentry = owner_check,
|
|
.match = owner_mt,
|
|
.matchsize = sizeof(struct xt_owner_match_info),
|
|
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
|
(1 << NF_INET_POST_ROUTING),
|
|
.me = THIS_MODULE,
|
|
};
|
|
|
|
static int __init owner_mt_init(void)
|
|
{
|
|
return xt_register_match(&owner_mt_reg);
|
|
}
|
|
|
|
static void __exit owner_mt_exit(void)
|
|
{
|
|
xt_unregister_match(&owner_mt_reg);
|
|
}
|
|
|
|
module_init(owner_mt_init);
|
|
module_exit(owner_mt_exit);
|
|
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
|
|
MODULE_DESCRIPTION("Xtables: socket owner matching");
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_ALIAS("ipt_owner");
|
|
MODULE_ALIAS("ip6t_owner");
|