linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Eric W. Biederman" <ebiederm@xmission.com>
To: <netdev@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>,
	<containers@lists.linux-foundation.org>,
	David Miller <davem@davemloft.net>,
	Serge Hallyn <serge@hallyn.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Patrick McHardy <kaber@trash.net>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Jamal Hadi Salim <jhs@mojatatu.com>,
	Changli Gao <xiaosuo@gmail.com>
Subject: [PATCH 16/21] userns: Convert cls_flow to work with user namespaces enabled
Date: Mon, 13 Aug 2012 13:18:30 -0700	[thread overview]
Message-ID: <1344889115-21610-16-git-send-email-ebiederm@xmission.com> (raw)
In-Reply-To: <1344889115-21610-1-git-send-email-ebiederm@xmission.com>

From: "Eric W. Biederman" <ebiederm@xmission.com>

The flow classifier can use uids and gids of the sockets that
are transmitting packets and do insert those uids and gids
into the packet classification calcuation.  I don't fully
understand the details but it appears that we can depend
on specific uids and gids when making traffic classification
decisions.

To work with user namespaces enabled map from kuids and kgids
into uids and gids in the initial user namespace giving raw
integer values the code can play with and depend on.

To avoid issues of userspace depending on uids and gids in
packet classifiers installed from other user namespaces
and getting confused deny all packet classifiers that
use uids or gids that are not comming from a netlink socket
in the initial user namespace.

Cc: Patrick McHardy <kaber@trash.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Changli Gao <xiaosuo@gmail.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
 init/Kconfig         |    1 -
 net/sched/cls_flow.c |   16 ++++++++++++----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/init/Kconfig b/init/Kconfig
index 2660b31..b44c3a3 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -943,7 +943,6 @@ config UIDGID_CONVERTED
 
 	# Networking
 	depends on NET_9P = n
-	depends on NET_CLS_FLOW = n
 	depends on NETFILTER_XT_MATCH_OWNER = n
 	depends on NETFILTER_XT_MATCH_RECENT = n
 	depends on NETFILTER_XT_TARGET_LOG = n
diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index ae854f3..ce82d0c 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -193,15 +193,19 @@ static u32 flow_get_rtclassid(const struct sk_buff *skb)
 
 static u32 flow_get_skuid(const struct sk_buff *skb)
 {
-	if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
-		return skb->sk->sk_socket->file->f_cred->fsuid;
+	if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file) {
+		kuid_t skuid = skb->sk->sk_socket->file->f_cred->fsuid;
+		return from_kuid(&init_user_ns, skuid);
+	}
 	return 0;
 }
 
 static u32 flow_get_skgid(const struct sk_buff *skb)
 {
-	if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
-		return skb->sk->sk_socket->file->f_cred->fsgid;
+	if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file) {
+		kgid_t skgid = skb->sk->sk_socket->file->f_cred->fsgid;
+		return from_kgid(&init_user_ns, skgid);
+	}
 	return 0;
 }
 
@@ -387,6 +391,10 @@ static int flow_change(struct sk_buff *in_skb,
 
 		if (fls(keymask) - 1 > FLOW_KEY_MAX)
 			return -EOPNOTSUPP;
+
+		if ((keymask & (FLOW_KEY_SKUID|FLOW_KEY_SKGID)) &&
+		    sk_user_ns(NETLINK_CB(in_skb).ssk) != &init_user_ns)
+			return -EOPNOTSUPP;
 	}
 
 	err = tcf_exts_validate(tp, tb, tca[TCA_RATE], &e, &flow_ext_map);
-- 
1.7.5.4


  parent reply	other threads:[~2012-08-13 20:24 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <87ehnav9n5.fsf@xmission.com>
2012-08-13 20:18 ` [PATCH 01/21] userns: Convert net/core/scm.c to use kuids and kgids Eric W. Biederman
2012-08-13 20:18   ` [PATCH 02/21] userns: Convert __dev_set_promiscuity to use kuids in audit logs Eric W. Biederman
2012-08-13 20:18   ` [PATCH 03/21] userns: Convert sock_i_uid to return a kuid_t Eric W. Biederman
2012-08-13 20:18   ` [PATCH 04/21] userns: Allow USER_NS and NET simultaneously in Kconfig Eric W. Biederman
2012-08-13 20:18   ` [PATCH 05/21] userns: Make seq_file's user namespace accessible Eric W. Biederman
2012-08-13 20:18   ` [PATCH 06/21] userns: Print out socket uids in a user namespace aware fashion Eric W. Biederman
2012-08-13 20:26     ` Rémi Denis-Courmont
2012-08-15  4:47       ` Eric W. Biederman
2012-08-15  3:22     ` Vlad Yasevich
2012-08-13 20:18   ` [PATCH 07/21] userns: Use kgids for sysctl_ping_group_range Eric W. Biederman
2012-08-20 18:09     ` Vasiliy Kulikov
2012-08-13 20:18   ` [PATCH 08/21] net ip6 flowlabel: Make owner a union of struct pid * and kuid_t Eric W. Biederman
2012-08-13 20:18   ` [PATCH 09/21] pidns: Export free_pid_ns Eric W. Biederman
2012-08-13 20:18   ` [PATCH 10/21] userns: Convert net/ax25 to use kuid_t where appropriate Eric W. Biederman
2012-08-13 20:18   ` [PATCH 11/21] netlink: Make the sending netlink socket availabe in NETLINK_CB Eric W. Biederman
2012-08-13 20:18   ` [PATCH 12/21] userns: Implement sk_user_ns Eric W. Biederman
2012-08-13 20:18   ` [PATCH 13/21] userns: Teach inet_diag to work with user namespaces Eric W. Biederman
2012-08-14  8:35     ` Pavel Emelyanov
2012-08-13 20:18   ` [PATCH 14/21] userns: nfnetlink_log: Report socket uids in the log sockets user namespace Eric W. Biederman
2012-08-13 20:18   ` [PATCH 15/21] net sched: Pass the skb into change so it can access NETLINK_CB Eric W. Biederman
2012-08-15  8:11     ` Jamal Hadi Salim
2012-08-13 20:18   ` Eric W. Biederman [this message]
2012-08-13 20:18   ` [PATCH 17/21] userns: Convert xt_LOG to print socket kuids and kgids as uids and gids Eric W. Biederman
2012-08-13 20:18   ` [PATCH 18/21] userns xt_recent: Specify the owner/group of ip_list_perms in the initial user namespace Eric W. Biederman
2012-08-13 20:18   ` [PATCH 19/21] userns: xt_owner: Add basic user namespace support Eric W. Biederman
2012-08-13 20:18   ` [PATCH 20/21] userns: Make the airo wireless driver use kuids for proc uids and gids Eric W. Biederman
2012-08-13 20:18   ` [PATCH 21/21] userns: Convert tun/tap to use kuid and kgid where appropriate Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1344889115-21610-16-git-send-email-ebiederm@xmission.com \
    --to=ebiederm@xmission.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=davem@davemloft.net \
    --cc=eric.dumazet@gmail.com \
    --cc=jhs@mojatatu.com \
    --cc=kaber@trash.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=xiaosuo@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).