Commit 26711a791effbea125fea4284f4d1c4fa8f7bc73

Authored by Eric W. Biederman
1 parent da7428080a

userns: xt_owner: Add basic user namespace support.

- Only allow adding matches from the initial user namespace
- Add the appropriate conversion functions to handle matches
  against sockets in other user namespaces.

Cc: Jan Engelhardt <jengelh@medozas.de>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

Showing 2 changed files with 24 additions and 7 deletions Side-by-side Diff

... ... @@ -943,7 +943,6 @@
943 943  
944 944 # Networking
945 945 depends on NET_9P = n
946   - depends on NETFILTER_XT_MATCH_OWNER = n
947 946 depends on AF_RXRPC = n
948 947 depends on NET_KEY = n
949 948 depends on DNS_RESOLVER = n
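--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -17,6 +17,17 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_owner.h>
 
+static int owner_check(const struct xt_mtchk_param *par)
+{
+	struct xt_owner_match_info *info = par->matchinfo;
+
+	/* For now only allow adding matches from the initial user namespace */
+	if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
+	    (current_user_ns() != &init_user_ns))
+		return -EINVAL;
+	return 0;
+}
+
 static bool
 owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 
 
 
@@ -37,17 +48,23 @@
 		return ((info->match ^ info->invert) &
 		       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
 
-	if (info->match & XT_OWNER_UID)
-		if ((filp->f_cred->fsuid >= info->uid_min &&
-		    filp->f_cred->fsuid <= info->uid_max) ^
+	if (info->match & XT_OWNER_UID) {
+		kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
+		kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+		if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
+		     uid_lte(filp->f_cred->fsuid, uid_max)) ^
 		    !(info->invert & XT_OWNER_UID))
 			return false;
+	}
 
-	if (info->match & XT_OWNER_GID)
-		if ((filp->f_cred->fsgid >= info->gid_min &&
-		    filp->f_cred->fsgid <= info->gid_max) ^
+	if (info->match & XT_OWNER_GID) {
+		kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
+		kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+		if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
+		     gid_lte(filp->f_cred->fsgid, gid_max)) ^
 		    !(info->invert & XT_OWNER_GID))
 			return false;
+	}
 
 	return true;
 }
@@ -56,6 +73,7 @@
 	.name       = "owner",
 	.revision   = 1,
 	.family     = NFPROTO_UNSPEC,
+	.checkentry = owner_check,
 	.match      = owner_mt,
 	.matchsize  = sizeof(struct xt_owner_match_info),
 	.hooks      = (1 << NF_INET_LOCAL_OUT) |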
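Review bot: The match-time conversions `make_kuid(&init_user_ns, info->uid_min)` and `make_kgid(&init_user_ns, info->gid_min)` in the second hunk are correct only because owner_check() refuses UID/GID rules from every namespace other than init_user_ns, and nothing at the conversion site records that dependency; relaxing the "for now" restriction in owner_check() without also changing the namespace passed here would silently interpret a container's ID range as init-namespace IDs. A comment above the first conversion would make the invariant visible, e.g. `/* Ranges are init_user_ns IDs: owner_check() rejects UID/GID matches added from any other namespace. */`. Converting on every packet rather than once in checkentry is presumably forced by xt_owner_match_info being a userspace ABI struct that cannot carry kuid_t/kgid_t; a short note saying so would stop the next reader from "optimizing" it. owner_mt() begins in the first hunk and the part of its body between the hunks is not shown.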