author | Eric W. Biederman <ebiederm@xmission.com> | 2012-05-25 17:50:59 -0400 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-08-15 00:55:29 -0400 |
commit | 8c6e2a941ae74d850a7bf0e5b3f4cd567e0f27dc (patch) | |
tree | 4233dd4dbac8f2631ab792d521deb68ae3027c52 | |
parent | a6c6796c7127de55cfa9bb0cfbb082ec0acd4eab (diff) |
userns: Convert xt_LOG to print socket kuids and kgids as uids and gids
xt_LOG always writes messages via sb_add via printk. Therefore, when
xt_LOG logs the uid and gid of the socket a packet came from, the
values should be converted to be in the initial user namespace.
This makes xt_LOG as user namespace safe as possible.
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
-rw-r--r-- | init/Kconfig | 1 | ||||
-rw-r--r-- | net/netfilter/xt_LOG.c | 16 |
2 files changed, 10 insertions, 7 deletions
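--- a/init/Kconfig
+++ b/init/Kconfig
@@ -945,7 +945,6 @@ config UIDGID_CONVERTED
 depends on NET_9P = n
 depends on NETFILTER_XT_MATCH_OWNER = n
 depends on NETFILTER_XT_MATCH_RECENT = n
-depends on NETFILTER_XT_TARGET_LOG = n
 depends on AF_RXRPC = n
 depends on NET_KEY = n
 depends on DNS_RESOLVER = n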
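--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -363,10 +363,12 @@ static void dump_ipv4_packet(struct sbuff *m,
 /* Max length: 15 "UID=4294967295 " */
 if ((logflags & XT_LOG_UID) && !iphoff && skb->sk) {
 read_lock_bh(&skb->sk->sk_callback_lock);
-if (skb->sk->sk_socket && skb->sk->sk_socket->file)
+if (skb->sk->sk_socket && skb->sk->sk_socket->file) {
+const struct cred *cred = skb->sk->sk_socket->file->f_cred;
 sb_add(m, "UID=%u GID=%u ",
-skb->sk->sk_socket->file->f_cred->fsuid,
-skb->sk->sk_socket->file->f_cred->fsgid);
+from_kuid_munged(&init_user_ns, cred->fsuid),
+from_kgid_munged(&init_user_ns, cred->fsgid));
+}
 read_unlock_bh(&skb->sk->sk_callback_lock);
 }
 
@@ -719,10 +721,12 @@ static void dump_ipv6_packet(struct sbuff *m,
 /* Max length: 15 "UID=4294967295 " */
 if ((logflags & XT_LOG_UID) && recurse && skb->sk) {
 read_lock_bh(&skb->sk->sk_callback_lock);
-if (skb->sk->sk_socket && skb->sk->sk_socket->file)
+if (skb->sk->sk_socket && skb->sk->sk_socket->file) {
+const struct cred *cred = skb->sk->sk_socket->file->f_cred;
 sb_add(m, "UID=%u GID=%u ",
-skb->sk->sk_socket->file->f_cred->fsuid,
-skb->sk->sk_socket->file->f_cred->fsgid);
+from_kuid_munged(&init_user_ns, cred->fsuid),
+from_kgid_munged(&init_user_ns, cred->fsgid));
+}
 read_unlock_bh(&skb->sk->sk_callback_lock);
 }
 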
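Review bot: The lock/cred/sb_add/unlock sequence is now nine identical lines in both dump_ipv4_packet (first hunk) and dump_ipv6_packet (second hunk), and this change grows the duplication rather than factoring it; a small static helper taking the sbuff and the socket would let both callers collapse to a single call under their existing XT_LOG_UID guard. The choice of the _munged conversions also deserves a comment, since a log line cannot report a failed mapping and a reader may otherwise reach for from_kuid(); something like `/* Reported in init_user_ns: the line goes to the kernel log, which has no per-namespace view. */` above the helper would capture it. The pre-existing `/* Max length: 15 "UID=4294967295 " */` context line only accounts for the UID portion while the format string also emits `GID=`, so if the helper is introduced its comment should state the combined maximum. Both enclosing functions start and end outside the hunks.
```c
/* Reported in init_user_ns: the line goes to the kernel log, which has no
 * per-namespace view, so the _munged variants are used deliberately. */
static void dump_sk_uid_gid(struct sbuff *m, struct sock *sk)
{
	read_lock_bh(&sk->sk_callback_lock);
	if (sk->sk_socket && sk->sk_socket->file) {
		const struct cred *cred = sk->sk_socket->file->f_cred;
		sb_add(m, "UID=%u GID=%u ",
		       from_kuid_munged(&init_user_ns, cred->fsuid),
		       from_kgid_munged(&init_user_ns, cred->fsgid));
	}
	read_unlock_bh(&sk->sk_callback_lock);
}

/* … unchanged: dump_ipv4_packet up to the XT_LOG_UID check … */
	if ((logflags & XT_LOG_UID) && !iphoff && skb->sk)
		dump_sk_uid_gid(m, skb->sk);
/* … unchanged: rest of dump_ipv4_packet; same replacement in dump_ipv6_packet with the recurse guard … */
```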