diff options
| author | Lorenzo Colitti <lorenzo@google.com> | 2016-11-03 13:23:43 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-11-04 14:45:23 -0400 |
| commit | e2d118a1cb5e60d077131a09db1d81b90a5295fe (patch) | |
| tree | f109076016c45e08e34de647441fff19b4ecc2b6 /net/ipv6/tcp_ipv6.c | |
| parent | 622ec2c9d52405973c9f1ca5116eb1c393adfc7d (diff) | |
net: inet: Support UID-based routing in IP protocols.
- Use the UID in routing lookups made by protocol connect() and
sendmsg() functions.
- Make sure that routing lookups triggered by incoming packets
(e.g., Path MTU discovery) take the UID of the socket into
account.
- For packets not associated with a userspace socket, (e.g., ping
replies) use UID 0 inside the user namespace corresponding to
the network namespace the socket belongs to. This allows
all namespaces to apply routing and iptables rules to
kernel-originated traffic in that namespaces by matching UID 0.
This is better than using the UID of the kernel socket that is
sending the traffic, because the UID of kernel sockets created
at namespace creation time (e.g., the per-processor ICMP and
TCP sockets) is the UID of the user that created the socket,
which might not be mapped in the namespace.
Tested: compiles allnoconfig, allyesconfig, allmodconfig
Tested: https://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/tcp_ipv6.c')
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 5a27ab4eab39..aece1b15e744 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c | |||
| @@ -233,6 +233,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, | |||
| 233 | fl6.flowi6_mark = sk->sk_mark; | 233 | fl6.flowi6_mark = sk->sk_mark; |
| 234 | fl6.fl6_dport = usin->sin6_port; | 234 | fl6.fl6_dport = usin->sin6_port; |
| 235 | fl6.fl6_sport = inet->inet_sport; | 235 | fl6.fl6_sport = inet->inet_sport; |
| 236 | fl6.flowi6_uid = sk->sk_uid; | ||
| 236 | 237 | ||
| 237 | opt = rcu_dereference_protected(np->opt, lockdep_sock_is_held(sk)); | 238 | opt = rcu_dereference_protected(np->opt, lockdep_sock_is_held(sk)); |
| 238 | final_p = fl6_update_dst(&fl6, opt, &final); | 239 | final_p = fl6_update_dst(&fl6, opt, &final); |
| @@ -824,6 +825,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 | |||
| 824 | fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark); | 825 | fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark); |
| 825 | fl6.fl6_dport = t1->dest; | 826 | fl6.fl6_dport = t1->dest; |
| 826 | fl6.fl6_sport = t1->source; | 827 | fl6.fl6_sport = t1->source; |
| 828 | fl6.flowi6_uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL); | ||
| 827 | security_skb_classify_flow(skb, flowi6_to_flowi(&fl6)); | 829 | security_skb_classify_flow(skb, flowi6_to_flowi(&fl6)); |
| 828 | 830 | ||
| 829 | /* Pass a socket to ip6_dst_lookup either it is for RST | 831 | /* Pass a socket to ip6_dst_lookup either it is for RST |