aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/net/fib_rules.h9
-rw-r--r--include/net/flow.h5
-rw-r--r--include/uapi/linux/fib_rules.h6
-rw-r--r--include/uapi/linux/rtnetlink.h1
-rw-r--r--net/core/fib_rules.c74
-rw-r--r--net/ipv4/fib_frontend.c1
-rw-r--r--net/ipv4/route.c11
-rw-r--r--net/ipv6/route.c7
8 files changed, 111 insertions, 3 deletions
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 456e4a6006ab..8dbfdf728cd8 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -8,6 +8,11 @@
8#include <net/flow.h> 8#include <net/flow.h>
9#include <net/rtnetlink.h> 9#include <net/rtnetlink.h>
10 10
11struct fib_kuid_range {
12 kuid_t start;
13 kuid_t end;
14};
15
11struct fib_rule { 16struct fib_rule {
12 struct list_head list; 17 struct list_head list;
13 int iifindex; 18 int iifindex;
@@ -30,6 +35,7 @@ struct fib_rule {
30 int suppress_prefixlen; 35 int suppress_prefixlen;
31 char iifname[IFNAMSIZ]; 36 char iifname[IFNAMSIZ];
32 char oifname[IFNAMSIZ]; 37 char oifname[IFNAMSIZ];
38 struct fib_kuid_range uid_range;
33 struct rcu_head rcu; 39 struct rcu_head rcu;
34}; 40};
35 41
@@ -92,7 +98,8 @@ struct fib_rules_ops {
92 [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \ 98 [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \
93 [FRA_SUPPRESS_IFGROUP] = { .type = NLA_U32 }, \ 99 [FRA_SUPPRESS_IFGROUP] = { .type = NLA_U32 }, \
94 [FRA_GOTO] = { .type = NLA_U32 }, \ 100 [FRA_GOTO] = { .type = NLA_U32 }, \
95 [FRA_L3MDEV] = { .type = NLA_U8 } 101 [FRA_L3MDEV] = { .type = NLA_U8 }, \
102 [FRA_UID_RANGE] = { .len = sizeof(struct fib_rule_uid_range) }
96 103
97static inline void fib_rule_get(struct fib_rule *rule) 104static inline void fib_rule_get(struct fib_rule *rule)
98{ 105{
diff --git a/include/net/flow.h b/include/net/flow.h
index 035aa7716967..51373f3a5e31 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -11,6 +11,7 @@
11#include <linux/in6.h> 11#include <linux/in6.h>
12#include <linux/atomic.h> 12#include <linux/atomic.h>
13#include <net/flow_dissector.h> 13#include <net/flow_dissector.h>
14#include <linux/uidgid.h>
14 15
15/* 16/*
16 * ifindex generation is per-net namespace, and loopback is 17 * ifindex generation is per-net namespace, and loopback is
@@ -37,6 +38,7 @@ struct flowi_common {
37#define FLOWI_FLAG_SKIP_NH_OIF 0x04 38#define FLOWI_FLAG_SKIP_NH_OIF 0x04
38 __u32 flowic_secid; 39 __u32 flowic_secid;
39 struct flowi_tunnel flowic_tun_key; 40 struct flowi_tunnel flowic_tun_key;
41 kuid_t flowic_uid;
40}; 42};
41 43
42union flowi_uli { 44union flowi_uli {
@@ -74,6 +76,7 @@ struct flowi4 {
74#define flowi4_flags __fl_common.flowic_flags 76#define flowi4_flags __fl_common.flowic_flags
75#define flowi4_secid __fl_common.flowic_secid 77#define flowi4_secid __fl_common.flowic_secid
76#define flowi4_tun_key __fl_common.flowic_tun_key 78#define flowi4_tun_key __fl_common.flowic_tun_key
79#define flowi4_uid __fl_common.flowic_uid
77 80
78 /* (saddr,daddr) must be grouped, same order as in IP header */ 81 /* (saddr,daddr) must be grouped, same order as in IP header */
79 __be32 saddr; 82 __be32 saddr;
@@ -131,6 +134,7 @@ struct flowi6 {
131#define flowi6_flags __fl_common.flowic_flags 134#define flowi6_flags __fl_common.flowic_flags
132#define flowi6_secid __fl_common.flowic_secid 135#define flowi6_secid __fl_common.flowic_secid
133#define flowi6_tun_key __fl_common.flowic_tun_key 136#define flowi6_tun_key __fl_common.flowic_tun_key
137#define flowi6_uid __fl_common.flowic_uid
134 struct in6_addr daddr; 138 struct in6_addr daddr;
135 struct in6_addr saddr; 139 struct in6_addr saddr;
136 /* Note: flowi6_tos is encoded in flowlabel, too. */ 140 /* Note: flowi6_tos is encoded in flowlabel, too. */
@@ -176,6 +180,7 @@ struct flowi {
176#define flowi_flags u.__fl_common.flowic_flags 180#define flowi_flags u.__fl_common.flowic_flags
177#define flowi_secid u.__fl_common.flowic_secid 181#define flowi_secid u.__fl_common.flowic_secid
178#define flowi_tun_key u.__fl_common.flowic_tun_key 182#define flowi_tun_key u.__fl_common.flowic_tun_key
183#define flowi_uid u.__fl_common.flowic_uid
179} __attribute__((__aligned__(BITS_PER_LONG/8))); 184} __attribute__((__aligned__(BITS_PER_LONG/8)));
180 185
181static inline struct flowi *flowi4_to_flowi(struct flowi4 *fl4) 186static inline struct flowi *flowi4_to_flowi(struct flowi4 *fl4)
diff --git a/include/uapi/linux/fib_rules.h b/include/uapi/linux/fib_rules.h
index 14404b3ebb89..bbf02a63a011 100644
--- a/include/uapi/linux/fib_rules.h
+++ b/include/uapi/linux/fib_rules.h
@@ -29,6 +29,11 @@ struct fib_rule_hdr {
29 __u32 flags; 29 __u32 flags;
30}; 30};
31 31
32struct fib_rule_uid_range {
33 __u32 start;
34 __u32 end;
35};
36
32enum { 37enum {
33 FRA_UNSPEC, 38 FRA_UNSPEC,
34 FRA_DST, /* destination address */ 39 FRA_DST, /* destination address */
@@ -51,6 +56,7 @@ enum {
51 FRA_OIFNAME, 56 FRA_OIFNAME,
52 FRA_PAD, 57 FRA_PAD,
53 FRA_L3MDEV, /* iif or oif is l3mdev goto its table */ 58 FRA_L3MDEV, /* iif or oif is l3mdev goto its table */
59 FRA_UID_RANGE, /* UID range */
54 __FRA_MAX 60 __FRA_MAX
55}; 61};
56 62
diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
index 5a78be518101..e14377f2ec27 100644
--- a/include/uapi/linux/rtnetlink.h
+++ b/include/uapi/linux/rtnetlink.h
@@ -318,6 +318,7 @@ enum rtattr_type_t {
318 RTA_ENCAP, 318 RTA_ENCAP,
319 RTA_EXPIRES, 319 RTA_EXPIRES,
320 RTA_PAD, 320 RTA_PAD,
321 RTA_UID,
321 __RTA_MAX 322 __RTA_MAX
322}; 323};
323 324
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index be4629c344a6..5de436a73be2 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -18,6 +18,11 @@
18#include <net/fib_rules.h> 18#include <net/fib_rules.h>
19#include <net/ip_tunnels.h> 19#include <net/ip_tunnels.h>
20 20
21static const struct fib_kuid_range fib_kuid_range_unset = {
22 KUIDT_INIT(0),
23 KUIDT_INIT(~0),
24};
25
21int fib_default_rule_add(struct fib_rules_ops *ops, 26int fib_default_rule_add(struct fib_rules_ops *ops,
22 u32 pref, u32 table, u32 flags) 27 u32 pref, u32 table, u32 flags)
23{ 28{
@@ -33,6 +38,7 @@ int fib_default_rule_add(struct fib_rules_ops *ops,
33 r->table = table; 38 r->table = table;
34 r->flags = flags; 39 r->flags = flags;
35 r->fr_net = ops->fro_net; 40 r->fr_net = ops->fro_net;
41 r->uid_range = fib_kuid_range_unset;
36 42
37 r->suppress_prefixlen = -1; 43 r->suppress_prefixlen = -1;
38 r->suppress_ifgroup = -1; 44 r->suppress_ifgroup = -1;
@@ -172,6 +178,34 @@ void fib_rules_unregister(struct fib_rules_ops *ops)
172} 178}
173EXPORT_SYMBOL_GPL(fib_rules_unregister); 179EXPORT_SYMBOL_GPL(fib_rules_unregister);
174 180
181static int uid_range_set(struct fib_kuid_range *range)
182{
183 return uid_valid(range->start) && uid_valid(range->end);
184}
185
186static struct fib_kuid_range nla_get_kuid_range(struct nlattr **tb)
187{
188 struct fib_rule_uid_range *in;
189 struct fib_kuid_range out;
190
191 in = (struct fib_rule_uid_range *)nla_data(tb[FRA_UID_RANGE]);
192
193 out.start = make_kuid(current_user_ns(), in->start);
194 out.end = make_kuid(current_user_ns(), in->end);
195
196 return out;
197}
198
199static int nla_put_uid_range(struct sk_buff *skb, struct fib_kuid_range *range)
200{
201 struct fib_rule_uid_range out = {
202 from_kuid_munged(current_user_ns(), range->start),
203 from_kuid_munged(current_user_ns(), range->end)
204 };
205
206 return nla_put(skb, FRA_UID_RANGE, sizeof(out), &out);
207}
208
175static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops, 209static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
176 struct flowi *fl, int flags, 210 struct flowi *fl, int flags,
177 struct fib_lookup_arg *arg) 211 struct fib_lookup_arg *arg)
@@ -193,6 +227,10 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
193 if (rule->l3mdev && !l3mdev_fib_rule_match(rule->fr_net, fl, arg)) 227 if (rule->l3mdev && !l3mdev_fib_rule_match(rule->fr_net, fl, arg))
194 goto out; 228 goto out;
195 229
230 if (uid_lt(fl->flowi_uid, rule->uid_range.start) ||
231 uid_gt(fl->flowi_uid, rule->uid_range.end))
232 goto out;
233
196 ret = ops->match(rule, fl, flags); 234 ret = ops->match(rule, fl, flags);
197out: 235out:
198 return (rule->flags & FIB_RULE_INVERT) ? !ret : ret; 236 return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;
@@ -429,6 +467,21 @@ int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh)
429 if (rule->l3mdev && rule->table) 467 if (rule->l3mdev && rule->table)
430 goto errout_free; 468 goto errout_free;
431 469
470 if (tb[FRA_UID_RANGE]) {
471 if (current_user_ns() != net->user_ns) {
472 err = -EPERM;
473 goto errout_free;
474 }
475
476 rule->uid_range = nla_get_kuid_range(tb);
477
478 if (!uid_range_set(&rule->uid_range) ||
479 !uid_lte(rule->uid_range.start, rule->uid_range.end))
480 goto errout_free;
481 } else {
482 rule->uid_range = fib_kuid_range_unset;
483 }
484
432 if ((nlh->nlmsg_flags & NLM_F_EXCL) && 485 if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
433 rule_exists(ops, frh, tb, rule)) { 486 rule_exists(ops, frh, tb, rule)) {
434 err = -EEXIST; 487 err = -EEXIST;
@@ -497,6 +550,7 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh)
497 struct fib_rules_ops *ops = NULL; 550 struct fib_rules_ops *ops = NULL;
498 struct fib_rule *rule, *tmp; 551 struct fib_rule *rule, *tmp;
499 struct nlattr *tb[FRA_MAX+1]; 552 struct nlattr *tb[FRA_MAX+1];
553 struct fib_kuid_range range;
500 int err = -EINVAL; 554 int err = -EINVAL;
501 555
502 if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) 556 if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
@@ -516,6 +570,14 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh)
516 if (err < 0) 570 if (err < 0)
517 goto errout; 571 goto errout;
518 572
573 if (tb[FRA_UID_RANGE]) {
574 range = nla_get_kuid_range(tb);
575 if (!uid_range_set(&range))
576 goto errout;
577 } else {
578 range = fib_kuid_range_unset;
579 }
580
519 list_for_each_entry(rule, &ops->rules_list, list) { 581 list_for_each_entry(rule, &ops->rules_list, list) {
520 if (frh->action && (frh->action != rule->action)) 582 if (frh->action && (frh->action != rule->action))
521 continue; 583 continue;
@@ -552,6 +614,11 @@ int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh)
552 (rule->l3mdev != nla_get_u8(tb[FRA_L3MDEV]))) 614 (rule->l3mdev != nla_get_u8(tb[FRA_L3MDEV])))
553 continue; 615 continue;
554 616
617 if (uid_range_set(&range) &&
618 (!uid_eq(rule->uid_range.start, range.start) ||
619 !uid_eq(rule->uid_range.end, range.end)))
620 continue;
621
555 if (!ops->compare(rule, frh, tb)) 622 if (!ops->compare(rule, frh, tb))
556 continue; 623 continue;
557 624
@@ -619,7 +686,8 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
619 + nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */ 686 + nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */
620 + nla_total_size(4) /* FRA_FWMARK */ 687 + nla_total_size(4) /* FRA_FWMARK */
621 + nla_total_size(4) /* FRA_FWMASK */ 688 + nla_total_size(4) /* FRA_FWMASK */
622 + nla_total_size_64bit(8); /* FRA_TUN_ID */ 689 + nla_total_size_64bit(8) /* FRA_TUN_ID */
690 + nla_total_size(sizeof(struct fib_kuid_range));
623 691
624 if (ops->nlmsg_payload) 692 if (ops->nlmsg_payload)
625 payload += ops->nlmsg_payload(rule); 693 payload += ops->nlmsg_payload(rule);
@@ -679,7 +747,9 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
679 (rule->tun_id && 747 (rule->tun_id &&
680 nla_put_be64(skb, FRA_TUN_ID, rule->tun_id, FRA_PAD)) || 748 nla_put_be64(skb, FRA_TUN_ID, rule->tun_id, FRA_PAD)) ||
681 (rule->l3mdev && 749 (rule->l3mdev &&
682 nla_put_u8(skb, FRA_L3MDEV, rule->l3mdev))) 750 nla_put_u8(skb, FRA_L3MDEV, rule->l3mdev)) ||
751 (uid_range_set(&rule->uid_range) &&
752 nla_put_uid_range(skb, &rule->uid_range)))
683 goto nla_put_failure; 753 goto nla_put_failure;
684 754
685 if (rule->suppress_ifgroup != -1) { 755 if (rule->suppress_ifgroup != -1) {
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index c3b80478226e..d93eea8e2409 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -610,6 +610,7 @@ const struct nla_policy rtm_ipv4_policy[RTA_MAX + 1] = {
610 [RTA_FLOW] = { .type = NLA_U32 }, 610 [RTA_FLOW] = { .type = NLA_U32 },
611 [RTA_ENCAP_TYPE] = { .type = NLA_U16 }, 611 [RTA_ENCAP_TYPE] = { .type = NLA_U16 },
612 [RTA_ENCAP] = { .type = NLA_NESTED }, 612 [RTA_ENCAP] = { .type = NLA_NESTED },
613 [RTA_UID] = { .type = NLA_U32 },
613}; 614};
614 615
615static int rtm_to_fib_config(struct net *net, struct sk_buff *skb, 616static int rtm_to_fib_config(struct net *net, struct sk_buff *skb,
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 4392db83d540..92e59a638d3b 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2504,6 +2504,11 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src, u32 table_id,
2504 nla_put_u32(skb, RTA_MARK, fl4->flowi4_mark)) 2504 nla_put_u32(skb, RTA_MARK, fl4->flowi4_mark))
2505 goto nla_put_failure; 2505 goto nla_put_failure;
2506 2506
2507 if (!uid_eq(fl4->flowi4_uid, INVALID_UID) &&
2508 nla_put_u32(skb, RTA_UID,
2509 from_kuid_munged(current_user_ns(), fl4->flowi4_uid)))
2510 goto nla_put_failure;
2511
2507 error = rt->dst.error; 2512 error = rt->dst.error;
2508 2513
2509 if (rt_is_input_route(rt)) { 2514 if (rt_is_input_route(rt)) {
@@ -2556,6 +2561,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
2556 int mark; 2561 int mark;
2557 struct sk_buff *skb; 2562 struct sk_buff *skb;
2558 u32 table_id = RT_TABLE_MAIN; 2563 u32 table_id = RT_TABLE_MAIN;
2564 kuid_t uid;
2559 2565
2560 err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv4_policy); 2566 err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv4_policy);
2561 if (err < 0) 2567 if (err < 0)
@@ -2583,6 +2589,10 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
2583 dst = tb[RTA_DST] ? nla_get_in_addr(tb[RTA_DST]) : 0; 2589 dst = tb[RTA_DST] ? nla_get_in_addr(tb[RTA_DST]) : 0;
2584 iif = tb[RTA_IIF] ? nla_get_u32(tb[RTA_IIF]) : 0; 2590 iif = tb[RTA_IIF] ? nla_get_u32(tb[RTA_IIF]) : 0;
2585 mark = tb[RTA_MARK] ? nla_get_u32(tb[RTA_MARK]) : 0; 2591 mark = tb[RTA_MARK] ? nla_get_u32(tb[RTA_MARK]) : 0;
2592 if (tb[RTA_UID])
2593 uid = make_kuid(current_user_ns(), nla_get_u32(tb[RTA_UID]));
2594 else
2595 uid = (iif ? INVALID_UID : current_uid());
2586 2596
2587 memset(&fl4, 0, sizeof(fl4)); 2597 memset(&fl4, 0, sizeof(fl4));
2588 fl4.daddr = dst; 2598 fl4.daddr = dst;
@@ -2590,6 +2600,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
2590 fl4.flowi4_tos = rtm->rtm_tos; 2600 fl4.flowi4_tos = rtm->rtm_tos;
2591 fl4.flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0; 2601 fl4.flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0;
2592 fl4.flowi4_mark = mark; 2602 fl4.flowi4_mark = mark;
2603 fl4.flowi4_uid = uid;
2593 2604
2594 if (iif) { 2605 if (iif) {
2595 struct net_device *dev; 2606 struct net_device *dev;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 947ed1ded026..fdb9c87137bd 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2797,6 +2797,7 @@ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
2797 [RTA_ENCAP_TYPE] = { .type = NLA_U16 }, 2797 [RTA_ENCAP_TYPE] = { .type = NLA_U16 },
2798 [RTA_ENCAP] = { .type = NLA_NESTED }, 2798 [RTA_ENCAP] = { .type = NLA_NESTED },
2799 [RTA_EXPIRES] = { .type = NLA_U32 }, 2799 [RTA_EXPIRES] = { .type = NLA_U32 },
2800 [RTA_UID] = { .type = NLA_U32 },
2800}; 2801};
2801 2802
2802static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh, 2803static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
@@ -3371,6 +3372,12 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
3371 if (tb[RTA_MARK]) 3372 if (tb[RTA_MARK])
3372 fl6.flowi6_mark = nla_get_u32(tb[RTA_MARK]); 3373 fl6.flowi6_mark = nla_get_u32(tb[RTA_MARK]);
3373 3374
3375 if (tb[RTA_UID])
3376 fl6.flowi6_uid = make_kuid(current_user_ns(),
3377 nla_get_u32(tb[RTA_UID]));
3378 else
3379 fl6.flowi6_uid = iif ? INVALID_UID : current_uid();
3380
3374 if (iif) { 3381 if (iif) {
3375 struct net_device *dev; 3382 struct net_device *dev;
3376 int flags = 0; 3383 int flags = 0;
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-27 00:12:32 -0400