diff options
| author | Lorenzo Colitti <lorenzo@google.com> | 2016-11-03 13:23:43 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-11-04 14:45:23 -0400 |
| commit | e2d118a1cb5e60d077131a09db1d81b90a5295fe (patch) | |
| tree | f109076016c45e08e34de647441fff19b4ecc2b6 /net/ipv4/tcp_ipv4.c | |
| parent | 622ec2c9d52405973c9f1ca5116eb1c393adfc7d (diff) | |
net: inet: Support UID-based routing in IP protocols.
- Use the UID in routing lookups made by protocol connect() and
sendmsg() functions.
- Make sure that routing lookups triggered by incoming packets
(e.g., Path MTU discovery) take the UID of the socket into
account.
- For packets not associated with a userspace socket, (e.g., ping
replies) use UID 0 inside the user namespace corresponding to
the network namespace the socket belongs to. This allows
all namespaces to apply routing and iptables rules to
kernel-originated traffic in that namespaces by matching UID 0.
This is better than using the UID of the kernel socket that is
sending the traffic, because the UID of kernel sockets created
at namespace creation time (e.g., the per-processor ICMP and
TCP sockets) is the UID of the user that created the socket,
which might not be mapped in the namespace.
Tested: compiles allnoconfig, allyesconfig, allmodconfig
Tested: https://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_ipv4.c')
| -rw-r--r-- | net/ipv4/tcp_ipv4.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index b9b8282633d4..6491b7c1f975 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c | |||
| @@ -691,6 +691,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) | |||
| 691 | offsetof(struct inet_timewait_sock, tw_bound_dev_if)); | 691 | offsetof(struct inet_timewait_sock, tw_bound_dev_if)); |
| 692 | 692 | ||
| 693 | arg.tos = ip_hdr(skb)->tos; | 693 | arg.tos = ip_hdr(skb)->tos; |
| 694 | arg.uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL); | ||
| 694 | local_bh_disable(); | 695 | local_bh_disable(); |
| 695 | ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), | 696 | ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), |
| 696 | skb, &TCP_SKB_CB(skb)->header.h4.opt, | 697 | skb, &TCP_SKB_CB(skb)->header.h4.opt, |
| @@ -711,7 +712,7 @@ out: | |||
| 711 | outside socket context is ugly, certainly. What can I do? | 712 | outside socket context is ugly, certainly. What can I do? |
| 712 | */ | 713 | */ |
| 713 | 714 | ||
| 714 | static void tcp_v4_send_ack(struct net *net, | 715 | static void tcp_v4_send_ack(const struct sock *sk, |
| 715 | struct sk_buff *skb, u32 seq, u32 ack, | 716 | struct sk_buff *skb, u32 seq, u32 ack, |
| 716 | u32 win, u32 tsval, u32 tsecr, int oif, | 717 | u32 win, u32 tsval, u32 tsecr, int oif, |
| 717 | struct tcp_md5sig_key *key, | 718 | struct tcp_md5sig_key *key, |
| @@ -726,6 +727,7 @@ static void tcp_v4_send_ack(struct net *net, | |||
| 726 | #endif | 727 | #endif |
| 727 | ]; | 728 | ]; |
| 728 | } rep; | 729 | } rep; |
| 730 | struct net *net = sock_net(sk); | ||
| 729 | struct ip_reply_arg arg; | 731 | struct ip_reply_arg arg; |
| 730 | 732 | ||
| 731 | memset(&rep.th, 0, sizeof(struct tcphdr)); | 733 | memset(&rep.th, 0, sizeof(struct tcphdr)); |
| @@ -775,6 +777,7 @@ static void tcp_v4_send_ack(struct net *net, | |||
| 775 | if (oif) | 777 | if (oif) |
| 776 | arg.bound_dev_if = oif; | 778 | arg.bound_dev_if = oif; |
| 777 | arg.tos = tos; | 779 | arg.tos = tos; |
| 780 | arg.uid = sock_net_uid(net, sk_fullsock(sk) ? sk : NULL); | ||
| 778 | local_bh_disable(); | 781 | local_bh_disable(); |
| 779 | ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), | 782 | ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), |
| 780 | skb, &TCP_SKB_CB(skb)->header.h4.opt, | 783 | skb, &TCP_SKB_CB(skb)->header.h4.opt, |
| @@ -790,7 +793,7 @@ static void tcp_v4_timewait_ack(struct sock *sk, struct sk_buff *skb) | |||
| 790 | struct inet_timewait_sock *tw = inet_twsk(sk); | 793 | struct inet_timewait_sock *tw = inet_twsk(sk); |
| 791 | struct tcp_timewait_sock *tcptw = tcp_twsk(sk); | 794 | struct tcp_timewait_sock *tcptw = tcp_twsk(sk); |
| 792 | 795 | ||
| 793 | tcp_v4_send_ack(sock_net(sk), skb, | 796 | tcp_v4_send_ack(sk, skb, |
| 794 | tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt, | 797 | tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt, |
| 795 | tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale, | 798 | tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale, |
| 796 | tcp_time_stamp + tcptw->tw_ts_offset, | 799 | tcp_time_stamp + tcptw->tw_ts_offset, |
| @@ -818,7 +821,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, | |||
| 818 | * exception of <SYN> segments, MUST be right-shifted by | 821 | * exception of <SYN> segments, MUST be right-shifted by |
| 819 | * Rcv.Wind.Shift bits: | 822 | * Rcv.Wind.Shift bits: |
| 820 | */ | 823 | */ |
| 821 | tcp_v4_send_ack(sock_net(sk), skb, seq, | 824 | tcp_v4_send_ack(sk, skb, seq, |
| 822 | tcp_rsk(req)->rcv_nxt, | 825 | tcp_rsk(req)->rcv_nxt, |
| 823 | req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, | 826 | req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, |
| 824 | tcp_time_stamp, | 827 | tcp_time_stamp, |