net: core: add UID to flows, rules, and routes

- Define a new FIB rule attributes, FRA_UID_RANGE, to describe a range of UIDs. - Define a RTA_UID attribute for per-UID route lookups and dumps. - Support passing these attributes to and from userspace via rtnetlink. The value INVALID_UID indicates no UID was specified. - Add a UID field to the flow structures. Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Lorenzo Colitti <lorenzo@google.com> 2016-11-03 13:23:42 -0400
committer: David S. Miller <davem@davemloft.net> 2016-11-04 14:45:23 -0400
commit: 622ec2c9d52405973c9f1ca5116eb1c393adfc7d (patch)
tree: a3de4c86ceba4dca3217e0207adc76daa9d8eaf9 /net/core/fib_rules.c
parent: 86741ec25462e4c8cdce6df2f41ead05568c7d5e (diff)
1 files changed, 72 insertions, 2 deletions
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index be4629c344a6..5de436a73be2 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -18,6 +18,11 @@
 #include <net/fib_rules.h>
 #include <net/ip_tunnels.h>
+static const struct fib_kuid_range fib_kuid_range_unset = {
+        KUIDT_INIT(0),
+        KUIDT_INIT(~0),
+};
 int fib_default_rule_add(struct fib_rules_ops *ops,
                         u32 pref, u32 table, u32 flags)
 {
@@ -33,6 +38,7 @@ int fib_default_rule_add(struct fib_rules_ops *ops,
        r->table = table;
        r->flags = flags;
        r->fr_net = ops->fro_net;
+        r->uid_range = fib_kuid_range_unset;
        r->suppress_prefixlen = -1;
        r->suppress_ifgroup = -1;
@@ -172,6 +178,34 @@ void fib_rules_unregister(struct fib_rules_ops *ops)
 }
 EXPORT_SYMBOL_GPL(fib_rules_unregister);
+static int uid_range_set(struct fib_kuid_range *range)
+{
+        return uid_valid(range->start) && uid_valid(range->end);
+}
+static struct fib_kuid_range nla_get_kuid_range(struct nlattr **tb)
+{
+        struct fib_rule_uid_range *in;
+        struct fib_kuid_range out;
+        in = (struct fib_rule_uid_range *)nla_data(tb[FRA_UID_RANGE]);
+        out.start = make_kuid(current_user_ns(), in->start);
+        out.end = make_kuid(current_user_ns(), in->end);
+        return out;
+}
+static int nla_put_uid_range(struct sk_buff *skb, struct fib_kuid_range *range)
+{
+        struct fib_rule_uid_range out = {
+                from_kuid_munged(current_user_ns(), range->start),
+                from_kuid_munged(current_user_ns(), range->end)
+        };
+        return nla_put(skb, FRA_UID_RANGE, sizeof(out), &out);
+}
 static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
                          struct flowi *fl, int flags,
                          struct fib_lookup_arg *arg)
@@ -193,6 +227,10 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
        if (rule->l3mdev && !l3mdev_fib_rule_match(rule->fr_net, fl, arg))
                goto out;
+        if (uid_lt(fl->flowi_uid, rule->uid_range.start) ||
+            uid_gt(fl->flowi_uid, rule->uid_range.end))
+                goto out;
        ret = ops->match(rule, fl, flags);
 out:
        return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;
@@ -429,6 +467,21 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh)
        if (rule->l3mdev && rule->table)
                goto errout_free;
+        if (tb[FRA_UID_RANGE]) {
+                if (current_user_ns() != net->user_ns) {
+                        err = -EPERM;
+                        goto errout_free;
+                }
+                rule->uid_range = nla_get_kuid_range(tb);
+                if (!uid_range_set(&rule->uid_range) ||
+                    !uid_lte(rule->uid_range.start, rule->uid_range.end))
+                        goto errout_free;
+        } else {
+                rule->uid_range = fib_kuid_range_unset;
+        }
        if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
            rule_exists(ops, frh, tb, rule)) {
                err = -EEXIST;
@@ -497,6 +550,7 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh)
        struct fib_rules_ops *ops = NULL;
        struct fib_rule *rule, *tmp;
        struct nlattr *tb[FRA_MAX+1];
+        struct fib_kuid_range range;
        int err = -EINVAL;
        if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
@@ -516,6 +570,14 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh)
        if (err < 0)
                goto errout;
+        if (tb[FRA_UID_RANGE]) {
+                range = nla_get_kuid_range(tb);
+                if (!uid_range_set(&range))
+                        goto errout;
+        } else {
+                range = fib_kuid_range_unset;
+        }
        list_for_each_entry(rule, &ops->rules_list, list) {
                if (frh->action && (frh->action != rule->action))
                        continue;
@@ -552,6 +614,11 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh)
                    (rule->l3mdev != nla_get_u8(tb[FRA_L3MDEV])))
                        continue;
+                if (uid_range_set(&range) &&
+                    (!uid_eq(rule->uid_range.start, range.start) ||
+                     !uid_eq(rule->uid_range.end, range.end)))
+                        continue;
                if (!ops->compare(rule, frh, tb))
                        continue;
@@ -619,7 +686,8 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
                         + nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */
                         + nla_total_size(4) /* FRA_FWMARK */
                         + nla_total_size(4) /* FRA_FWMASK */
-                         + nla_total_size_64bit(8); /* FRA_TUN_ID */
+                         + nla_total_size_64bit(8) /* FRA_TUN_ID */
+                         + nla_total_size(sizeof(struct fib_kuid_range));
        if (ops->nlmsg_payload)
                payload += ops->nlmsg_payload(rule);
@@ -679,7 +747,9 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
            (rule->tun_id &&
             nla_put_be64(skb, FRA_TUN_ID, rule->tun_id, FRA_PAD)) ||
            (rule->l3mdev &&
-             nla_put_u8(skb, FRA_L3MDEV, rule->l3mdev)))
+             nla_put_u8(skb, FRA_L3MDEV, rule->l3mdev)) ||
+            (uid_range_set(&rule->uid_range) &&
+             nla_put_uid_range(skb, &rule->uid_range)))
                goto nla_put_failure;
        if (rule->suppress_ifgroup != -1) {
author	Lorenzo Colitti <lorenzo@google.com>	2016-11-03 13:23:42 -0400
committer	David S. Miller <davem@davemloft.net>	2016-11-04 14:45:23 -0400
commit	622ec2c9d52405973c9f1ca5116eb1c393adfc7d (patch)
tree	a3de4c86ceba4dca3217e0207adc76daa9d8eaf9 /net/core/fib_rules.c
parent	86741ec25462e4c8cdce6df2f41ead05568c7d5e (diff)

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index be4629c344a6..5de436a73be2 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c
@@ -18,6 +18,11 @@
18	#include <net/fib_rules.h>	18	#include <net/fib_rules.h>
19	#include <net/ip_tunnels.h>	19	#include <net/ip_tunnels.h>
20		20
		21	static const struct fib_kuid_range fib_kuid_range_unset = {
		22	KUIDT_INIT(0),
		23	KUIDT_INIT(~0),
		24	};
		25
21	int fib_default_rule_add(struct fib_rules_ops *ops,	26	int fib_default_rule_add(struct fib_rules_ops *ops,
22	u32 pref, u32 table, u32 flags)	27	u32 pref, u32 table, u32 flags)
23	{	28	{
@@ -33,6 +38,7 @@ int fib_default_rule_add(struct fib_rules_ops *ops,
33	r->table = table;	38	r->table = table;
34	r->flags = flags;	39	r->flags = flags;
35	r->fr_net = ops->fro_net;	40	r->fr_net = ops->fro_net;
		41	r->uid_range = fib_kuid_range_unset;
36		42
37	r->suppress_prefixlen = -1;	43	r->suppress_prefixlen = -1;
38	r->suppress_ifgroup = -1;	44	r->suppress_ifgroup = -1;
@@ -172,6 +178,34 @@ void fib_rules_unregister(struct fib_rules_ops *ops)
172	}	178	}
173	EXPORT_SYMBOL_GPL(fib_rules_unregister);	179	EXPORT_SYMBOL_GPL(fib_rules_unregister);
174		180
		181	static int uid_range_set(struct fib_kuid_range *range)
		182	{
		183	return uid_valid(range->start) && uid_valid(range->end);
		184	}
		185
		186	static struct fib_kuid_range nla_get_kuid_range(struct nlattr **tb)
		187	{
		188	struct fib_rule_uid_range *in;
		189	struct fib_kuid_range out;
		190
		191	in = (struct fib_rule_uid_range *)nla_data(tb[FRA_UID_RANGE]);
		192
		193	out.start = make_kuid(current_user_ns(), in->start);
		194	out.end = make_kuid(current_user_ns(), in->end);
		195
		196	return out;
		197	}
		198
		199	static int nla_put_uid_range(struct sk_buff skb, struct fib_kuid_range range)
		200	{
		201	struct fib_rule_uid_range out = {
		202	from_kuid_munged(current_user_ns(), range->start),
		203	from_kuid_munged(current_user_ns(), range->end)
		204	};
		205
		206	return nla_put(skb, FRA_UID_RANGE, sizeof(out), &out);
		207	}
		208
175	static int fib_rule_match(struct fib_rule rule, struct fib_rules_ops ops,	209	static int fib_rule_match(struct fib_rule rule, struct fib_rules_ops ops,
176	struct flowi *fl, int flags,	210	struct flowi *fl, int flags,
177	struct fib_lookup_arg *arg)	211	struct fib_lookup_arg *arg)
@@ -193,6 +227,10 @@ static int fib_rule_match(struct fib_rule rule, struct fib_rules_ops ops,
193	if (rule->l3mdev && !l3mdev_fib_rule_match(rule->fr_net, fl, arg))	227	if (rule->l3mdev && !l3mdev_fib_rule_match(rule->fr_net, fl, arg))
194	goto out;	228	goto out;
195		229
		230	if (uid_lt(fl->flowi_uid, rule->uid_range.start) \|\|
		231	uid_gt(fl->flowi_uid, rule->uid_range.end))
		232	goto out;
		233
196	ret = ops->match(rule, fl, flags);	234	ret = ops->match(rule, fl, flags);
197	out:	235	out:
198	return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;	236	return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;
@@ -429,6 +467,21 @@ int fib_nl_newrule(struct sk_buff skb, struct nlmsghdr nlh)
429	if (rule->l3mdev && rule->table)	467	if (rule->l3mdev && rule->table)
430	goto errout_free;	468	goto errout_free;
431		469
		470	if (tb[FRA_UID_RANGE]) {
		471	if (current_user_ns() != net->user_ns) {
		472	err = -EPERM;
		473	goto errout_free;
		474	}
		475
		476	rule->uid_range = nla_get_kuid_range(tb);
		477
		478	if (!uid_range_set(&rule->uid_range) \|\|
		479	!uid_lte(rule->uid_range.start, rule->uid_range.end))
		480	goto errout_free;
		481	} else {
		482	rule->uid_range = fib_kuid_range_unset;
		483	}
		484
432	if ((nlh->nlmsg_flags & NLM_F_EXCL) &&	485	if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
433	rule_exists(ops, frh, tb, rule)) {	486	rule_exists(ops, frh, tb, rule)) {
434	err = -EEXIST;	487	err = -EEXIST;
@@ -497,6 +550,7 @@ int fib_nl_delrule(struct sk_buff skb, struct nlmsghdr nlh)
497	struct fib_rules_ops *ops = NULL;	550	struct fib_rules_ops *ops = NULL;
498	struct fib_rule rule, tmp;	551	struct fib_rule rule, tmp;
499	struct nlattr *tb[FRA_MAX+1];	552	struct nlattr *tb[FRA_MAX+1];
		553	struct fib_kuid_range range;
500	int err = -EINVAL;	554	int err = -EINVAL;
501		555
502	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))	556	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
@@ -516,6 +570,14 @@ int fib_nl_delrule(struct sk_buff skb, struct nlmsghdr nlh)
516	if (err < 0)	570	if (err < 0)
517	goto errout;	571	goto errout;
518		572
		573	if (tb[FRA_UID_RANGE]) {
		574	range = nla_get_kuid_range(tb);
		575	if (!uid_range_set(&range))
		576	goto errout;
		577	} else {
		578	range = fib_kuid_range_unset;
		579	}
		580
519	list_for_each_entry(rule, &ops->rules_list, list) {	581	list_for_each_entry(rule, &ops->rules_list, list) {
520	if (frh->action && (frh->action != rule->action))	582	if (frh->action && (frh->action != rule->action))
521	continue;	583	continue;
@@ -552,6 +614,11 @@ int fib_nl_delrule(struct sk_buff skb, struct nlmsghdr nlh)
552	(rule->l3mdev != nla_get_u8(tb[FRA_L3MDEV])))	614	(rule->l3mdev != nla_get_u8(tb[FRA_L3MDEV])))
553	continue;	615	continue;
554		616
		617	if (uid_range_set(&range) &&
		618	(!uid_eq(rule->uid_range.start, range.start) \|\|
		619	!uid_eq(rule->uid_range.end, range.end)))
		620	continue;
		621
555	if (!ops->compare(rule, frh, tb))	622	if (!ops->compare(rule, frh, tb))
556	continue;	623	continue;
557		624
@@ -619,7 +686,8 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
619	+ nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */	686	+ nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */
620	+ nla_total_size(4) /* FRA_FWMARK */	687	+ nla_total_size(4) /* FRA_FWMARK */
621	+ nla_total_size(4) /* FRA_FWMASK */	688	+ nla_total_size(4) /* FRA_FWMASK */
622	+ nla_total_size_64bit(8); /* FRA_TUN_ID */	689	+ nla_total_size_64bit(8) /* FRA_TUN_ID */
		690	+ nla_total_size(sizeof(struct fib_kuid_range));
623		691
624	if (ops->nlmsg_payload)	692	if (ops->nlmsg_payload)
625	payload += ops->nlmsg_payload(rule);	693	payload += ops->nlmsg_payload(rule);
@@ -679,7 +747,9 @@ static int fib_nl_fill_rule(struct sk_buff skb, struct fib_rule rule,
679	(rule->tun_id &&	747	(rule->tun_id &&
680	nla_put_be64(skb, FRA_TUN_ID, rule->tun_id, FRA_PAD)) \|\|	748	nla_put_be64(skb, FRA_TUN_ID, rule->tun_id, FRA_PAD)) \|\|
681	(rule->l3mdev &&	749	(rule->l3mdev &&
682	nla_put_u8(skb, FRA_L3MDEV, rule->l3mdev)))	750	nla_put_u8(skb, FRA_L3MDEV, rule->l3mdev)) \|\|
		751	(uid_range_set(&rule->uid_range) &&
		752	nla_put_uid_range(skb, &rule->uid_range)))
683	goto nla_put_failure;	753	goto nla_put_failure;
684		754
685	if (rule->suppress_ifgroup != -1) {	755	if (rule->suppress_ifgroup != -1) {