Commit ea6cc2fd authored by Lukasz Pawelczyk's avatar Lukasz Pawelczyk Committed by Pablo Neira Ayuso

netfilter: xt_owner: Add supplementary groups option

The XT_OWNER_SUPPL_GROUPS flag causes GIDs specified with XT_OWNER_GID
to be also checked in the supplementary groups of a process.

f_cred->group_info cannot be modified during its lifetime and f_cred
holds a reference to it so it's safe to use.
Signed-off-by: default avatarLukasz Pawelczyk <l.pawelczyk@samsung.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 508f744c
...@@ -5,9 +5,10 @@ ...@@ -5,9 +5,10 @@
#include <linux/types.h> #include <linux/types.h>
enum { enum {
XT_OWNER_UID = 1 << 0, XT_OWNER_UID = 1 << 0,
XT_OWNER_GID = 1 << 1, XT_OWNER_GID = 1 << 1,
XT_OWNER_SOCKET = 1 << 2, XT_OWNER_SOCKET = 1 << 2,
XT_OWNER_SUPPL_GROUPS = 1 << 3,
}; };
struct xt_owner_match_info { struct xt_owner_match_info {
......
...@@ -91,11 +91,28 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par) ...@@ -91,11 +91,28 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
} }
if (info->match & XT_OWNER_GID) { if (info->match & XT_OWNER_GID) {
unsigned int i, match = false;
kgid_t gid_min = make_kgid(net->user_ns, info->gid_min); kgid_t gid_min = make_kgid(net->user_ns, info->gid_min);
kgid_t gid_max = make_kgid(net->user_ns, info->gid_max); kgid_t gid_max = make_kgid(net->user_ns, info->gid_max);
if ((gid_gte(filp->f_cred->fsgid, gid_min) && struct group_info *gi = filp->f_cred->group_info;
gid_lte(filp->f_cred->fsgid, gid_max)) ^
!(info->invert & XT_OWNER_GID)) if (gid_gte(filp->f_cred->fsgid, gid_min) &&
gid_lte(filp->f_cred->fsgid, gid_max))
match = true;
if (!match && (info->match & XT_OWNER_SUPPL_GROUPS) && gi) {
for (i = 0; i < gi->ngroups; ++i) {
kgid_t group = gi->gid[i];
if (gid_gte(group, gid_min) &&
gid_lte(group, gid_max)) {
match = true;
break;
}
}
}
if (match ^ !(info->invert & XT_OWNER_GID))
return false; return false;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment