author Eric W. Biederman <ebiederm@xmission.com> 2012-05-25 15:49:36 -0400
committer Eric W. Biederman <ebiederm@xmission.com> 2012-08-15 00:55:28 -0400
commit a6c6796c7127de55cfa9bb0cfbb082ec0acd4eab
tree 6723b8c4c3c2ca58e1988e72191468e51299f2a1 /init
parent af4c6641f5ad445fe6d0832da42406dbd9a37ce4
userns: Convert cls_flow to work with user namespaces enabled

The flow classifier can use uids and gids of the sockets that are transmitting packets and do insert those uids and gids into the packet classification calculation. I don't fully understand the details but it appears that we can depend on specific uids and gids when making traffic classification decisions.

To work with user namespaces enabled map from kuids and kgids into uids and gids in the initial user namespace giving raw integer values the code can play with and depend on.

To avoid issues of userspace depending on uids and gids in packet classifiers installed from other user namespaces and getting confused deny all packet classifiers that use uids or gids that are not coming from a netlink socket in the initial user namespace.

Cc: Patrick McHardy <kaber@trash.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Changli Gao <xiaosuo@gmail.com>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'init')
-rw-r--r-- init/Kconfig 1
1 files changed, 0 insertions, 1 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 2660b312ae9d..b44c3a390699 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -943,7 +943,6 @@ config UIDGID_CONVERTED
943 943
944 # Networking 944 # Networking
945 depends on NET_9P = n 945 depends on NET_9P = n
946 depends on NET_CLS_FLOW = n
947 depends on NETFILTER_XT_MATCH_OWNER = n 946 depends on NETFILTER_XT_MATCH_OWNER = n
948 depends on NETFILTER_XT_MATCH_RECENT = n 947 depends on NETFILTER_XT_MATCH_RECENT = n
949 depends on NETFILTER_XT_TARGET_LOG = n 948 depends on NETFILTER_XT_TARGET_LOG = n
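Review bot: Removing `depends on NET_CLS_FLOW = n` (old line 946 of the UIDGID_CONVERTED block) allows cls_flow to be built together with user namespaces, but this view is limited to init/, so the conversion the commit message relies on cannot be checked against the hunk: the mapping of kuids and kgids into initial-namespace values, and the rejection of uid/gid classifiers that do not come from a netlink socket in the initial user namespace. Please confirm that the classifier change is part of this same commit, so the dependency is never lifted ahead of the conversion. The commit message should also say what userspace sees when such a classifier is denied, given that it states the details of how classification depends on specific uids and gids are not fully understood.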