kernel/net/netfilter/xt_owner.c

   1 /*
   2  * Kernel module to match various things tied to sockets associated with
   3  * locally generated outgoing packets.
   4  *
   5  * (C) 2000 Marc Boucher <marc@mbsi.ca>
   6  *
   7  * Copyright © CC Computer Consultants GmbH, 2007 - 2008
   8  *
   9  * This program is free software; you can redistribute it and/or modify
  10  * it under the terms of the GNU General Public License version 2 as
  11  * published by the Free Software Foundation.
  12  */
  13 #include <linux/module.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/file.h>
  16 #include <net/sock.h>
  17 #include <linux/netfilter/x_tables.h>
  18 #include <linux/netfilter/xt_owner.h>
  19
  20 static int owner_check(const struct xt_mtchk_param *par)
  21 {
  22         struct xt_owner_match_info *info = par->matchinfo;
  23
  24         /* For now only allow adding matches from the initial user namespace */
  25         if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
  26             (current_user_ns() != &init_user_ns))
  27                 return -EINVAL;
  28         return 0;
  29 }
  30
  31 static bool
  32 owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
  33 {
  34         const struct xt_owner_match_info *info = par->matchinfo;
  35         const struct file *filp;
  36
  37         if (skb->sk == NULL || skb->sk->sk_socket == NULL)
  38                 return (info->match ^ info->invert) == 0;
  39         else if (info->match & info->invert & XT_OWNER_SOCKET)
  40                 /*
  41                  * Socket exists but user wanted ! --socket-exists.
  42                  * (Single ampersands intended.)
  43                  */
  44                 return false;
  45
  46         filp = skb->sk->sk_socket->file;
  47         if (filp == NULL)
  48                 return ((info->match ^ info->invert) &
  49                        (XT_OWNER_UID | XT_OWNER_GID)) == 0;
  50
  51         if (info->match & XT_OWNER_UID) {
  52                 kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
  53                 kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
  54                 if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
  55                      uid_lte(filp->f_cred->fsuid, uid_max)) ^
  56                     !(info->invert & XT_OWNER_UID))
  57                         return false;
  58         }
  59
  60         if (info->match & XT_OWNER_GID) {
  61                 kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
  62                 kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
  63                 if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
  64                      gid_lte(filp->f_cred->fsgid, gid_max)) ^
  65                     !(info->invert & XT_OWNER_GID))
  66                         return false;
  67         }
  68
  69         return true;
  70 }
  71
  72 static struct xt_match owner_mt_reg __read_mostly = {
  73         .name       = "owner",
  74         .revision   = 1,
  75         .family     = NFPROTO_UNSPEC,
  76         .checkentry = owner_check,
  77         .match      = owner_mt,
  78         .matchsize  = sizeof(struct xt_owner_match_info),
  79         .hooks      = (1 << NF_INET_LOCAL_OUT) |
  80                       (1 << NF_INET_POST_ROUTING),
  81         .me         = THIS_MODULE,
  82 };
  83
  84 static int __init owner_mt_init(void)
  85 {
  86         return xt_register_match(&owner_mt_reg);
  87 }
  88
  89 static void __exit owner_mt_exit(void)
  90 {
  91         xt_unregister_match(&owner_mt_reg);
  92 }
  93
  94 module_init(owner_mt_init);
  95 module_exit(owner_mt_exit);
  96 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
  97 MODULE_DESCRIPTION("Xtables: socket owner matching");
  98 MODULE_LICENSE("GPL");
  99 MODULE_ALIAS("ipt_owner");
 100 MODULE_ALIAS("ip6t_owner");