[Devel] netfilter: get UID and GID from container user ns on rule match

Submitted by Stanislav Kinsburskiy on June 6, 2017, 10 a.m.

Details

Message ID 20170606095052.20155.20960.stgit@localhost.localdomain
State New
Series "netfilter: get UID and GID from container user ns on rule match"

Commit Message

Stanislav Kinsburskiy June 6, 2017, 10 a.m.
It's good enough for us. It won't work properly in case of setting rules by
joining container network namespace without VE cgroup, but it's acceptable,
because proper fix needs a lot of backporting.

https://jira.sw.ru/browse/PSBM-43609

Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
---
 net/netfilter/xt_owner.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)


diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 942cce1..31dec4a 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -31,14 +31,14 @@  owner_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
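Review bot: the new `make_kuid(ve_init_user_ns(), info->uid)` and `make_kgid(ve_init_user_ns(), info->gid)` lines can yield INVALID_UID/INVALID_GID when the rule's id is not mapped in the container's user namespace, and the result goes straight into uid_eq()/gid_eq() with no uid_valid()/gid_valid() check. An unmapped id then silently never matches, or with the XT_OWNER_UID/XT_OWNER_GID invert bit matches every socket, which is the failure mode the commit message describes for rules inserted without a VE cgroup; consider rejecting unmapped ids when the rule is inserted, or at least adding a comment here that an unmapped id falls back to "no match".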
@@ -61,14 +61,14 @@  owner_mt6_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
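Review bot: this hunk is a line-for-line copy of the owner_mt_v0 change above, so the same missing uid_valid()/gid_valid() check after make_kuid()/make_kgid() applies here, and the duplication is what forced the namespace switch to be made twice. A shared helper taking `filp->f_cred` and `info` would let the IPv4 and IPv6 v0 matches pick up the ve_init_user_ns() change (and any later fix) in one place.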
@@ -109,8 +109,8 @@  owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
-		kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+		kuid_t uid_min = make_kuid(ve_init_user_ns(), info->uid_min);
+		kuid_t uid_max = make_kuid(ve_init_user_ns(), info->uid_max);
 		if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
 		     uid_lte(filp->f_cred->fsuid, uid_max)) ^
 		    !(info->invert & XT_OWNER_UID))
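Review bot: ve_init_user_ns() is evaluated twice in the XT_OWNER_UID block (`make_kuid(ve_init_user_ns(), info->uid_min)` and the uid_max line), and the range test `uid_gte(filp->f_cred->fsuid, uid_min) && uid_lte(filp->f_cred->fsuid, uid_max)` is then run on two independently translated kuids without a validity check. If uid_max is not mapped in that namespace, make_kuid() returns INVALID_UID, whose raw value is (uid_t)-1, so uid_lte() is always true and the range silently widens to "every uid at or above uid_min". Hoist the namespace into a local and treat a bound that fails uid_valid() as a non-match (or reject it at insertion time).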
@@ -118,8 +118,8 @@  owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
-		kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+		kgid_t gid_min = make_kgid(ve_init_user_ns(), info->gid_min);
+		kgid_t gid_max = make_kgid(ve_init_user_ns(), info->gid_max);
 		if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
 		     gid_lte(filp->f_cred->fsgid, gid_max)) ^
 		    !(info->invert & XT_OWNER_GID))
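Review bot: same concern as the UID range block just above, for gids: the two ve_init_user_ns() calls belong in one local, and gid_min/gid_max need a gid_valid() check before gid_gte()/gid_lte(), since an unmapped bound makes the range comparison meaningless. It would also help to leave a one-line comment at this call site noting that the user namespace is resolved from the current VE at match time rather than from the process that inserted the rule, which is the limitation the commit message describes for rules set by joining the container network namespace without the VE cgroup.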

Comments

Cyrill Gorcunov June 6, 2017, 10:23 a.m.
On Tue, Jun 06, 2017 at 02:00:32PM +0400, Stanislav Kinsburskiy wrote:
> It's good enough for us. It won't work properly in case of setting rules by
> joining container network namespace without VE cgroup, but it's acceptable,
> because proper fix needs a lot of backporting.
> 
> https://jira.sw.ru/browse/PSBM-43609
> 
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cyrill Gorcunov June 6, 2017, 10:27 a.m.
On Tue, Jun 06, 2017 at 01:23:55PM +0300, Cyrill Gorcunov wrote:
> On Tue, Jun 06, 2017 at 02:00:32PM +0400, Stanislav Kinsburskiy wrote:
> > It's good enough for us. It won't work properly in case of setting rules by
> > joining container network namespace without VE cgroup, but it's acceptable,
> > because proper fix needs a lot of backporting.
> > 
> > https://jira.sw.ru/browse/PSBM-43609
> > 
> > Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>

This should do the trick on one-level user-ns at least. Should be enough
for now, but in the long-term perspective we might still need to backport
the complete user-ns rework as in vanilla.

	Cyrill
Stanislav Kinsburskiy June 6, 2017, 10:28 a.m.
06.06.2017 12:27, Cyrill Gorcunov wrote:
> On Tue, Jun 06, 2017 at 01:23:55PM +0300, Cyrill Gorcunov wrote:
>> On Tue, Jun 06, 2017 at 02:00:32PM +0400, Stanislav Kinsburskiy wrote:
>>> It's good enough for us. It won't work properly in case of setting rules by
>>> joining container network namespace without VE cgroup, but it's acceptable,
>>> because proper fix needs a lot of backporting.
>>>
>>> https://jira.sw.ru/browse/PSBM-43609
>>>
>>> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
>> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
> This should do the trick on one-level user-ns at least. Should be enough
> for now, but in the long-term perspective we might still need to backport
> the complete user-ns rework as in vanilla.

Agreed.