5 files changed, 12 insertions, 158 deletions
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
index 5e361ef44e87..541300531cb3 100644
--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -28,7 +28,6 @@ header-y += ipt_limit.h
 header-y += ipt_mac.h
 header-y += ipt_mark.h
 header-y += ipt_multiport.h
-header-y += ipt_owner.h
 header-y += ipt_physdev.h
 header-y += ipt_pkttype.h
 header-y += ipt_policy.h
diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h
deleted file mode 100644
index a78445be9992..000000000000
--- a/include/linux/netfilter_ipv4/ipt_owner.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef _IPT_OWNER_H
-#define _IPT_OWNER_H
-/* match and invert flags */
-#define IPT_OWNER_UID   0x01
-#define IPT_OWNER_GID   0x02
-#define IPT_OWNER_PID   0x04
-#define IPT_OWNER_SID   0x08
-#define IPT_OWNER_COMM  0x10
-struct ipt_owner_info {
-    __kernel_uid32_t uid;
-    __kernel_gid32_t gid;
-    __kernel_pid_t pid;
-    __kernel_pid_t sid;
-    char comm[16];
-    u_int8_t match, invert;     /* flags */
-};
-#endif /*_IPT_OWNER_H*/
diff --git a/include/linux/netfilter_ipv6/Kbuild b/include/linux/netfilter_ipv6/Kbuild
index aca4bd1f6d7c..4610a16da0ab 100644
--- a/include/linux/netfilter_ipv6/Kbuild
+++ b/include/linux/netfilter_ipv6/Kbuild
@@ -14,7 +14,6 @@ header-y += ip6t_mark.h
 header-y += ip6t_mh.h
 header-y += ip6t_multiport.h
 header-y += ip6t_opts.h
-header-y += ip6t_owner.h
 header-y += ip6t_physdev.h
 header-y += ip6t_policy.h
 header-y += ip6t_rt.h
diff --git a/include/linux/netfilter_ipv6/ip6t_owner.h b/include/linux/netfilter_ipv6/ip6t_owner.h
deleted file mode 100644
index ec5cc7a38c42..000000000000
--- a/include/linux/netfilter_ipv6/ip6t_owner.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _IP6T_OWNER_H
-#define _IP6T_OWNER_H
-/* match and invert flags */
-#define IP6T_OWNER_UID  0x01
-#define IP6T_OWNER_GID  0x02
-#define IP6T_OWNER_PID  0x04
-#define IP6T_OWNER_SID  0x08
-struct ip6t_owner_info {
-    __kernel_uid32_t uid;
-    __kernel_gid32_t gid;
-    __kernel_pid_t pid;
-    __kernel_pid_t sid;
-    u_int8_t match, invert;     /* flags */
-};
-#endif /*_IPT_OWNER_H*/
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 22b2a5e881ea..d24c76dffee2 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -5,7 +5,6 @@
 * (C) 2000 Marc Boucher <marc@mbsi.ca>
 *
 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
- * <jengelh@computergmbh.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -17,60 +16,6 @@
 #include <net/sock.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_owner.h>
-#include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv6/ip6t_owner.h>
-static bool
-owner_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct ipt_owner_info *info = par->matchinfo;
-        const struct file *filp;
-        if (skb->sk == NULL || skb->sk->sk_socket == NULL)
-                return false;
-        filp = skb->sk->sk_socket->file;
-        if (filp == NULL)
-                return false;
-        if (info->match & IPT_OWNER_UID)
-                if ((filp->f_cred->fsuid != info->uid) ^
-                    !!(info->invert & IPT_OWNER_UID))
-                        return false;
-        if (info->match & IPT_OWNER_GID)
-                if ((filp->f_cred->fsgid != info->gid) ^
-                    !!(info->invert & IPT_OWNER_GID))
-                        return false;
-        return true;
-}
-static bool
-owner_mt6_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct ip6t_owner_info *info = par->matchinfo;
-        const struct file *filp;
-        if (skb->sk == NULL || skb->sk->sk_socket == NULL)
-                return false;
-        filp = skb->sk->sk_socket->file;
-        if (filp == NULL)
-                return false;
-        if (info->match & IP6T_OWNER_UID)
-                if ((filp->f_cred->fsuid != info->uid) ^
-                    !!(info->invert & IP6T_OWNER_UID))
-                        return false;
-        if (info->match & IP6T_OWNER_GID)
-                if ((filp->f_cred->fsgid != info->gid) ^
-                    !!(info->invert & IP6T_OWNER_GID))
-                        return false;
-        return true;
-}
 static bool
 owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -107,81 +52,30 @@ owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool owner_mt_check_v0(const struct xt_mtchk_param *par)
+static struct xt_match owner_mt_reg __read_mostly = {
-{
+        .name       = "owner",
-        const struct ipt_owner_info *info = par->matchinfo;
+        .revision   = 1,
+        .family     = NFPROTO_UNSPEC,
-        if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
+        .match      = owner_mt,
-                printk(KERN_WARNING KBUILD_MODNAME
+        .matchsize  = sizeof(struct xt_owner_match_info),
-                       ": PID, SID and command matching is not "
+        .hooks      = (1 << NF_INET_LOCAL_OUT) |
-                       "supported anymore\n");
+                      (1 << NF_INET_POST_ROUTING),
-                return false;
+        .me         = THIS_MODULE,
-        }
-        return true;
-}
-static bool owner_mt6_check_v0(const struct xt_mtchk_param *par)
-{
-        const struct ip6t_owner_info *info = par->matchinfo;
-        if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
-                printk(KERN_WARNING KBUILD_MODNAME
-                       ": PID and SID matching is not supported anymore\n");
-                return false;
-        }
-        return true;
-}
-static struct xt_match owner_mt_reg[] __read_mostly = {
-        {
-                .name       = "owner",
-                .revision   = 0,
-                .family     = NFPROTO_IPV4,
-                .match      = owner_mt_v0,
-                .matchsize  = sizeof(struct ipt_owner_info),
-                .checkentry = owner_mt_check_v0,
-                .hooks      = (1 << NF_INET_LOCAL_OUT) |
-                              (1 << NF_INET_POST_ROUTING),
-                .me         = THIS_MODULE,
-        },
-        {
-                .name       = "owner",
-                .revision   = 0,
-                .family     = NFPROTO_IPV6,
-                .match      = owner_mt6_v0,
-                .matchsize  = sizeof(struct ip6t_owner_info),
-                .checkentry = owner_mt6_check_v0,
-                .hooks      = (1 << NF_INET_LOCAL_OUT) |
-                              (1 << NF_INET_POST_ROUTING),
-                .me         = THIS_MODULE,
-        },
-        {
-                .name       = "owner",
-                .revision   = 1,
-                .family     = NFPROTO_UNSPEC,
-                .match      = owner_mt,
-                .matchsize  = sizeof(struct xt_owner_match_info),
-                .hooks      = (1 << NF_INET_LOCAL_OUT) |
-                              (1 << NF_INET_POST_ROUTING),
-                .me         = THIS_MODULE,
-        },
 };
 static int __init owner_mt_init(void)
 {
-        return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+        return xt_register_match(&owner_mt_reg);
 }
 static void __exit owner_mt_exit(void)
 {
-        xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+        xt_unregister_match(&owner_mt_reg);
 }
 module_init(owner_mt_init);
 module_exit(owner_mt_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: socket owner matching");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_owner");

diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild index 5e361ef44e87..541300531cb3 100644 --- a/include/linux/netfilter_ipv4/Kbuild +++ b/include/linux/netfilter_ipv4/Kbuild
@@ -28,7 +28,6 @@ header-y += ipt_limit.h
28	header-y += ipt_mac.h	28	header-y += ipt_mac.h
29	header-y += ipt_mark.h	29	header-y += ipt_mark.h
30	header-y += ipt_multiport.h	30	header-y += ipt_multiport.h
31	header-y += ipt_owner.h
32	header-y += ipt_physdev.h	31	header-y += ipt_physdev.h
33	header-y += ipt_pkttype.h	32	header-y += ipt_pkttype.h
34	header-y += ipt_policy.h	33	header-y += ipt_policy.h


diff --git a/include/linux/netfilter_ipv4/ipt_owner.h b/include/linux/netfilter_ipv4/ipt_owner.h deleted file mode 100644 index a78445be9992..000000000000 --- a/include/linux/netfilter_ipv4/ipt_owner.h +++ /dev/null
@@ -1,20 +0,0 @@
1	#ifndef _IPT_OWNER_H
2	#define _IPT_OWNER_H
3
4	/* match and invert flags */
5	#define IPT_OWNER_UID 0x01
6	#define IPT_OWNER_GID 0x02
7	#define IPT_OWNER_PID 0x04
8	#define IPT_OWNER_SID 0x08
9	#define IPT_OWNER_COMM 0x10
10
11	struct ipt_owner_info {
12	__kernel_uid32_t uid;
13	__kernel_gid32_t gid;
14	__kernel_pid_t pid;
15	__kernel_pid_t sid;
16	char comm[16];
17	u_int8_t match, invert; /* flags */
18	};
19
20	#endif /_IPT_OWNER_H/


diff --git a/include/linux/netfilter_ipv6/Kbuild b/include/linux/netfilter_ipv6/Kbuild index aca4bd1f6d7c..4610a16da0ab 100644 --- a/include/linux/netfilter_ipv6/Kbuild +++ b/include/linux/netfilter_ipv6/Kbuild
@@ -14,7 +14,6 @@ header-y += ip6t_mark.h
14	header-y += ip6t_mh.h	14	header-y += ip6t_mh.h
15	header-y += ip6t_multiport.h	15	header-y += ip6t_multiport.h
16	header-y += ip6t_opts.h	16	header-y += ip6t_opts.h
17	header-y += ip6t_owner.h
18	header-y += ip6t_physdev.h	17	header-y += ip6t_physdev.h
19	header-y += ip6t_policy.h	18	header-y += ip6t_policy.h
20	header-y += ip6t_rt.h	19	header-y += ip6t_rt.h


diff --git a/include/linux/netfilter_ipv6/ip6t_owner.h b/include/linux/netfilter_ipv6/ip6t_owner.h deleted file mode 100644 index ec5cc7a38c42..000000000000 --- a/include/linux/netfilter_ipv6/ip6t_owner.h +++ /dev/null
@@ -1,18 +0,0 @@
1	#ifndef _IP6T_OWNER_H
2	#define _IP6T_OWNER_H
3
4	/* match and invert flags */
5	#define IP6T_OWNER_UID 0x01
6	#define IP6T_OWNER_GID 0x02
7	#define IP6T_OWNER_PID 0x04
8	#define IP6T_OWNER_SID 0x08
9
10	struct ip6t_owner_info {
11	__kernel_uid32_t uid;
12	__kernel_gid32_t gid;
13	__kernel_pid_t pid;
14	__kernel_pid_t sid;
15	u_int8_t match, invert; /* flags */
16	};
17
18	#endif /_IPT_OWNER_H/


diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c index 22b2a5e881ea..d24c76dffee2 100644 --- a/net/netfilter/xt_owner.c +++ b/net/netfilter/xt_owner.c
@@ -5,7 +5,6 @@
5	* (C) 2000 Marc Boucher <marc@mbsi.ca>	5	* (C) 2000 Marc Boucher <marc@mbsi.ca>
6	*	6	*
7	* Copyright © CC Computer Consultants GmbH, 2007 - 2008	7	* Copyright © CC Computer Consultants GmbH, 2007 - 2008
8	* <jengelh@computergmbh.de>
9	*	8	*
10	* This program is free software; you can redistribute it and/or modify	9	* This program is free software; you can redistribute it and/or modify
11	* it under the terms of the GNU General Public License version 2 as	10	* it under the terms of the GNU General Public License version 2 as
@@ -17,60 +16,6 @@
17	#include <net/sock.h>	16	#include <net/sock.h>
18	#include <linux/netfilter/x_tables.h>	17	#include <linux/netfilter/x_tables.h>
19	#include <linux/netfilter/xt_owner.h>	18	#include <linux/netfilter/xt_owner.h>
20	#include <linux/netfilter_ipv4/ipt_owner.h>
21	#include <linux/netfilter_ipv6/ip6t_owner.h>
22
23	static bool
24	owner_mt_v0(const struct sk_buff skb, const struct xt_match_param par)
25	{
26	const struct ipt_owner_info *info = par->matchinfo;
27	const struct file *filp;
28
29	if (skb->sk == NULL \|\| skb->sk->sk_socket == NULL)
30	return false;
31
32	filp = skb->sk->sk_socket->file;
33	if (filp == NULL)
34	return false;
35
36	if (info->match & IPT_OWNER_UID)
37	if ((filp->f_cred->fsuid != info->uid) ^
38	!!(info->invert & IPT_OWNER_UID))
39	return false;
40
41	if (info->match & IPT_OWNER_GID)
42	if ((filp->f_cred->fsgid != info->gid) ^
43	!!(info->invert & IPT_OWNER_GID))
44	return false;
45
46	return true;
47	}
48
49	static bool
50	owner_mt6_v0(const struct sk_buff skb, const struct xt_match_param par)
51	{
52	const struct ip6t_owner_info *info = par->matchinfo;
53	const struct file *filp;
54
55	if (skb->sk == NULL \|\| skb->sk->sk_socket == NULL)
56	return false;
57
58	filp = skb->sk->sk_socket->file;
59	if (filp == NULL)
60	return false;
61
62	if (info->match & IP6T_OWNER_UID)
63	if ((filp->f_cred->fsuid != info->uid) ^
64	!!(info->invert & IP6T_OWNER_UID))
65	return false;
66
67	if (info->match & IP6T_OWNER_GID)
68	if ((filp->f_cred->fsgid != info->gid) ^
69	!!(info->invert & IP6T_OWNER_GID))
70	return false;
71
72	return true;
73	}
74		19
75	static bool	20	static bool
76	owner_mt(const struct sk_buff skb, const struct xt_match_param par)	21	owner_mt(const struct sk_buff skb, const struct xt_match_param par)
@@ -107,81 +52,30 @@ owner_mt(const struct sk_buff skb, const struct xt_match_param par)
107	return true;	52	return true;
108	}	53	}
109		54
110	static bool owner_mt_check_v0(const struct xt_mtchk_param *par)	55	static struct xt_match owner_mt_reg __read_mostly = {
111	{	56	.name = "owner",
112	const struct ipt_owner_info *info = par->matchinfo;	57	.revision = 1,
113		58	.family = NFPROTO_UNSPEC,
114	if (info->match & (IPT_OWNER_PID \| IPT_OWNER_SID \| IPT_OWNER_COMM)) {	59	.match = owner_mt,
115	printk(KERN_WARNING KBUILD_MODNAME	60	.matchsize = sizeof(struct xt_owner_match_info),
116	": PID, SID and command matching is not "	61	.hooks = (1 << NF_INET_LOCAL_OUT) \|
117	"supported anymore\n");	62	(1 << NF_INET_POST_ROUTING),
118	return false;	63	.me = THIS_MODULE,
119	}
120
121	return true;
122	}
123
124	static bool owner_mt6_check_v0(const struct xt_mtchk_param *par)
125	{
126	const struct ip6t_owner_info *info = par->matchinfo;
127
128	if (info->match & (IP6T_OWNER_PID \| IP6T_OWNER_SID)) {
129	printk(KERN_WARNING KBUILD_MODNAME
130	": PID and SID matching is not supported anymore\n");
131	return false;
132	}
133
134	return true;
135	}
136
137	static struct xt_match owner_mt_reg[] __read_mostly = {
138	{
139	.name = "owner",
140	.revision = 0,
141	.family = NFPROTO_IPV4,
142	.match = owner_mt_v0,
143	.matchsize = sizeof(struct ipt_owner_info),
144	.checkentry = owner_mt_check_v0,
145	.hooks = (1 << NF_INET_LOCAL_OUT) \|
146	(1 << NF_INET_POST_ROUTING),
147	.me = THIS_MODULE,
148	},
149	{
150	.name = "owner",
151	.revision = 0,
152	.family = NFPROTO_IPV6,
153	.match = owner_mt6_v0,
154	.matchsize = sizeof(struct ip6t_owner_info),
155	.checkentry = owner_mt6_check_v0,
156	.hooks = (1 << NF_INET_LOCAL_OUT) \|
157	(1 << NF_INET_POST_ROUTING),
158	.me = THIS_MODULE,
159	},
160	{
161	.name = "owner",
162	.revision = 1,
163	.family = NFPROTO_UNSPEC,
164	.match = owner_mt,
165	.matchsize = sizeof(struct xt_owner_match_info),
166	.hooks = (1 << NF_INET_LOCAL_OUT) \|
167	(1 << NF_INET_POST_ROUTING),
168	.me = THIS_MODULE,
169	},
170	};	64	};
171		65
172	static int __init owner_mt_init(void)	66	static int __init owner_mt_init(void)
173	{	67	{
174	return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));	68	return xt_register_match(&owner_mt_reg);
175	}	69	}
176		70
177	static void __exit owner_mt_exit(void)	71	static void __exit owner_mt_exit(void)
178	{	72	{
179	xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));	73	xt_unregister_match(&owner_mt_reg);
180	}	74	}
181		75
182	module_init(owner_mt_init);	76	module_init(owner_mt_init);
183	module_exit(owner_mt_exit);	77	module_exit(owner_mt_exit);
184	MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");	78	MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
185	MODULE_DESCRIPTION("Xtables: socket owner matching");	79	MODULE_DESCRIPTION("Xtables: socket owner matching");
186	MODULE_LICENSE("GPL");	80	MODULE_LICENSE("GPL");
187	MODULE_ALIAS("ipt_owner");	81	MODULE_ALIAS("ipt_owner");