Commit ea6cc2fd authored by Lukasz Pawelczyk, committed by Pablo Neira Ayuso

netfilter: xt_owner: Add supplementary groups option



The XT_OWNER_SUPPL_GROUPS flag causes GIDs specified with XT_OWNER_GID
to be also checked in the supplementary groups of a process.

f_cred->group_info cannot be modified during its lifetime and f_cred
holds a reference to it so it's safe to use.

Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 508f744c
+4 −3
@@ -8,6 +8,7 @@ enum {
	XT_OWNER_UID          = 1 << 0,
	XT_OWNER_GID          = 1 << 1,
	XT_OWNER_SOCKET       = 1 << 2,
	XT_OWNER_SUPPL_GROUPS = 1 << 3,
};

struct xt_owner_match_info {
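Review bot: XT_OWNER_SUPPL_GROUPS enters the UAPI enum without a comment, although its meaning is not obvious from the name and, in the match code of this commit, it is only consulted inside the `if (info->match & XT_OWNER_GID)` branch, so it has no effect on its own. A one-line comment on the new value would save userspace authors a trip into the match source: `XT_OWNER_SUPPL_GROUPS = 1 << 3, /* also match gid range against supplementary groups; only meaningful with XT_OWNER_GID */`. If the match's check hook (not visible in this commit) does not reject XT_OWNER_SUPPL_GROUPS set without XT_OWNER_GID, the flag is silently ignored in that combination, which the comment should state as well.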
+20 −3
@@ -91,11 +91,28 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
	}

	if (info->match & XT_OWNER_GID) {
		unsigned int i, match = false;
		kgid_t gid_min = make_kgid(net->user_ns, info->gid_min);
		kgid_t gid_max = make_kgid(net->user_ns, info->gid_max);
		if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
		     gid_lte(filp->f_cred->fsgid, gid_max)) ^
		    !(info->invert & XT_OWNER_GID))
		struct group_info *gi = filp->f_cred->group_info;

		if (gid_gte(filp->f_cred->fsgid, gid_min) &&
		    gid_lte(filp->f_cred->fsgid, gid_max))
			match = true;

		if (!match && (info->match & XT_OWNER_SUPPL_GROUPS) && gi) {
			for (i = 0; i < gi->ngroups; ++i) {
				kgid_t group = gi->gid[i];

				if (gid_gte(group, gid_min) &&
				    gid_lte(group, gid_max)) {
					match = true;
					break;
				}
			}
		}

		if (match ^ !(info->invert & XT_OWNER_GID))
			return false;
	}