Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xt_owner.c
Go to the documentation of this file.
1 /*
2  * Kernel module to match various things tied to sockets associated with
3  * locally generated outgoing packets.
4  *
5  * (C) 2000 Marc Boucher <[email protected]>
6  *
7  * Copyright © CC Computer Consultants GmbH, 2007 - 2008
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License version 2 as
11  * published by the Free Software Foundation.
12  */
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
15 #include <linux/file.h>
16 #include <net/sock.h>
17 #include <linux/netfilter/x_tables.h>
18 #include <linux/netfilter/xt_owner.h>
19 
20 static int owner_check(const struct xt_mtchk_param *par)
21 {
22  struct xt_owner_match_info *info = par->matchinfo;
23 
24  /* For now only allow adding matches from the initial user namespace */
25  if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
26  (current_user_ns() != &init_user_ns))
27  return -EINVAL;
28  return 0;
29 }
30 
31 static bool
32 owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
33 {
34  const struct xt_owner_match_info *info = par->matchinfo;
35  const struct file *filp;
36 
37  if (skb->sk == NULL || skb->sk->sk_socket == NULL)
38  return (info->match ^ info->invert) == 0;
39  else if (info->match & info->invert & XT_OWNER_SOCKET)
40  /*
41  * Socket exists but user wanted ! --socket-exists.
42  * (Single ampersands intended.)
43  */
44  return false;
45 
46  filp = skb->sk->sk_socket->file;
47  if (filp == NULL)
48  return ((info->match ^ info->invert) &
49  (XT_OWNER_UID | XT_OWNER_GID)) == 0;
50 
51  if (info->match & XT_OWNER_UID) {
52  kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
53  kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
54  if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
55  uid_lte(filp->f_cred->fsuid, uid_max)) ^
56  !(info->invert & XT_OWNER_UID))
57  return false;
58  }
59 
60  if (info->match & XT_OWNER_GID) {
61  kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
62  kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
63  if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
64  gid_lte(filp->f_cred->fsgid, gid_max)) ^
65  !(info->invert & XT_OWNER_GID))
66  return false;
67  }
68 
69  return true;
70 }
71 
72 static struct xt_match owner_mt_reg __read_mostly = {
73  .name = "owner",
74  .revision = 1,
75  .family = NFPROTO_UNSPEC,
76  .checkentry = owner_check,
77  .match = owner_mt,
78  .matchsize = sizeof(struct xt_owner_match_info),
79  .hooks = (1 << NF_INET_LOCAL_OUT) |
80  (1 << NF_INET_POST_ROUTING),
81  .me = THIS_MODULE,
82 };
83 
84 static int __init owner_mt_init(void)
85 {
86  return xt_register_match(&owner_mt_reg);
87 }
88 
89 static void __exit owner_mt_exit(void)
90 {
91  xt_unregister_match(&owner_mt_reg);
92 }
93 
94 module_init(owner_mt_init);
95 module_exit(owner_mt_exit);
96 MODULE_AUTHOR("Jan Engelhardt <[email protected]>");
97 MODULE_DESCRIPTION("Xtables: socket owner matching");
98 MODULE_LICENSE("GPL");
99 MODULE_ALIAS("ipt_owner");
100 MODULE_ALIAS("ip6t_owner");
Generated on Thu Jan 10 2013 15:00:57 for Linux Kernel by   doxygen 1.8.2