userns: xt_owner: Add basic user namespace support.

- Only allow adding matches from the initial user namespace - Add the appropriate conversion functions to handle matches against sockets in other user namespaces. Cc: Jan Engelhardt <jengelh@medozas.de> Cc: Patrick McHardy <kaber@trash.net> Cc: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: David S. Miller <davem@davemloft.net> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2012-02-02 20:33:59 -0500
committer: Eric W. Biederman <ebiederm@xmission.com> 2012-08-15 00:55:30 -0400
commit: 26711a791effbea125fea4284f4d1c4fa8f7bc73 (patch)
tree: 154b021834f57aea5104fccd51ad0bfabd950103
parent: da7428080a15189c7acd266d514324f2a2e89e14 (diff)
2 files changed, 24 insertions, 7 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 40f50204dddb..76ffca9729b3 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -943,7 +943,6 @@ config UIDGID_CONVERTED
        # Networking
        depends on NET_9P = n
-        depends on NETFILTER_XT_MATCH_OWNER = n
        depends on AF_RXRPC = n
        depends on NET_KEY = n
        depends on DNS_RESOLVER = n
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 772d7389b337..ca2e577ed8ac 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -17,6 +17,17 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_owner.h>
+static int owner_check(const struct xt_mtchk_param *par)
+{
+        struct xt_owner_match_info *info = par->matchinfo;
+        /* For now only allow adding matches from the initial user namespace */
+        if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
+            (current_user_ns() != &init_user_ns))
+                return -EINVAL;
+        return 0;
+}
 static bool
 owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
@@ -37,17 +48,23 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
                return ((info->match ^ info->invert) &
                       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
-        if (info->match & XT_OWNER_UID)
+        if (info->match & XT_OWNER_UID) {
-                if ((filp->f_cred->fsuid >= info->uid_min &&
+                kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
-                    filp->f_cred->fsuid <= info->uid_max) ^
+                kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+                if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
+                     uid_lte(filp->f_cred->fsuid, uid_max)) ^
                    !(info->invert & XT_OWNER_UID))
                        return false;
+        }
-        if (info->match & XT_OWNER_GID)
+        if (info->match & XT_OWNER_GID) {
-                if ((filp->f_cred->fsgid >= info->gid_min &&
+                kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
-                    filp->f_cred->fsgid <= info->gid_max) ^
+                kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+                if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
+                     gid_lte(filp->f_cred->fsgid, gid_max)) ^
                    !(info->invert & XT_OWNER_GID))
                        return false;
+        }
        return true;
 }
@@ -56,6 +73,7 @@ static struct xt_match owner_mt_reg __read_mostly = {
        .name       = "owner",
        .revision   = 1,
        .family     = NFPROTO_UNSPEC,
+        .checkentry = owner_check,
        .match      = owner_mt,
        .matchsize  = sizeof(struct xt_owner_match_info),
        .hooks      = (1 << NF_INET_LOCAL_OUT) |
author	Eric W. Biederman <ebiederm@xmission.com>	2012-02-02 20:33:59 -0500
committer	Eric W. Biederman <ebiederm@xmission.com>	2012-08-15 00:55:30 -0400
commit	26711a791effbea125fea4284f4d1c4fa8f7bc73 (patch)
tree	154b021834f57aea5104fccd51ad0bfabd950103
parent	da7428080a15189c7acd266d514324f2a2e89e14 (diff)