[Devel,RHEL7,COMMIT] ve/netfilter: get UID and GID from container user ns on rule match

Submitted by Konstantin Khorenko on June 20, 2017, 5:14 p.m.


Message ID 201706201714.v5KHEhsK004092@finist_cl7.x64_64.work.ct
State New
Series "netfilter: get UID and GID from container user ns on rule match"

Commit Message

Konstantin Khorenko June 20, 2017, 5:14 p.m.
The commit is pushed to "branch-rh7-3.10.0-514.16.1.vz7.32.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.16.1.vz7.32.10
------>
commit f6adb98156c29d98d49fd20002c1cf1284caaabb
Author: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Date:   Tue Jun 20 21:14:43 2017 +0400

    ve/netfilter: get UID and GID from container user ns on rule match
    
    This is sufficient for our use: the uid/gid values in an owner rule are now
    interpreted in the user namespace of the current VE. It will not work properly
    when rules are set by joining a container's network namespace without entering
    its VE cgroup, but that is acceptable, because a proper fix needs a lot of
    backporting.
    
    https://jira.sw.ru/browse/PSBM-43609
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
    Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
---
 net/netfilter/xt_owner.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)


diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 942cce1..31dec4a 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -31,14 +31,14 @@  owner_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
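Review bot: `make_kuid(ve_init_user_ns(), info->uid)` on the added lines resolves the user namespace at match time, and nothing in the hunk ties that lookup to the socket whose `filp->f_cred->fsuid` is compared two lines later; if `ve_init_user_ns()` is derived from the current task, as the commit message's VE-cgroup caveat suggests, a packet emitted from softirq context (a retransmit or delayed ack) would be converted against whatever VE the interrupted task belongs to rather than the socket owner's, and a per-uid DROP rule could silently stop matching for that packet. The commit accepts a trade-off here but leaves no trace of it in the code, so I would record it above the first conversion, e.g. `/* Rule ids are relative to the current VE's user ns (PSBM-43609); rules inserted from a netns joined without the VE cgroup are not handled. */`. I would also hoist the lookup into one `struct user_namespace *ns = ve_init_user_ns();` at the top of the function instead of calling it once per field. owner_mt_v0 starts before and ends after this hunk.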
@@ -61,14 +61,14 @@  owner_mt6_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
@@ -109,8 +109,8 @@  owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
-		kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+		kuid_t uid_min = make_kuid(ve_init_user_ns(), info->uid_min);
+		kuid_t uid_max = make_kuid(ve_init_user_ns(), info->uid_max);
 		if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
 		     uid_lte(filp->f_cred->fsuid, uid_max)) ^
 		    !(info->invert & XT_OWNER_UID))
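Review bot: With `make_kuid(ve_init_user_ns(), info->uid_max)` the rule's ids can now fall outside the container's uid mapping, which could not happen with `&init_user_ns`; make_kuid() returns INVALID_UID for an unmapped id, and because INVALID_UID's raw value is `(uid_t)-1` the `uid_lte(filp->f_cred->fsuid, uid_max)` test on the following line is then always true, so `--uid-owner 1000-70000` in a container mapped to 65536 ids silently becomes "every kuid >= 1000" on the host, while an unmapped uid_min makes the range never match (and always match when inverted). Nothing in this diff validates the ids at rule insertion; if this tree has no checkentry for xt_owner, I would add one that rejects unmapped or reversed ranges, as below, and hook it as `.checkentry` in the v1 match entry, which lies outside the hunk. The same applies to the gid range in the next hunk. owner_mt starts before and ends after this hunk.
```c
/* Reject ids that have no mapping in the user ns the match will use:
 * make_kuid()/make_kgid() yield INVALID_UID/INVALID_GID (raw value -1)
 * for those, which turns a bounded range into an open-ended one at
 * match time instead of failing loudly here. */
static int owner_check(const struct xt_mtchk_param *par)
{
	const struct xt_owner_match_info *info = par->matchinfo;
	struct user_namespace *ns = ve_init_user_ns();

	if (info->match & XT_OWNER_UID) {
		kuid_t uid_min = make_kuid(ns, info->uid_min);
		kuid_t uid_max = make_kuid(ns, info->uid_max);

		if (!uid_valid(uid_min) || !uid_valid(uid_max) ||
		    uid_lt(uid_max, uid_min))
			return -EINVAL;
	}
	/* … same check for XT_OWNER_GID using make_kgid()/gid_valid()/gid_lt() … */
	return 0;
}
```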
@@ -118,8 +118,8 @@  owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
-		kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+		kgid_t gid_min = make_kgid(ve_init_user_ns(), info->gid_min);
+		kgid_t gid_max = make_kgid(ve_init_user_ns(), info->gid_max);
 		if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
 		     gid_lte(filp->f_cred->fsgid, gid_max)) ^
 		    !(info->invert & XT_OWNER_GID))