Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e2d118a1 authored by Lorenzo Colitti's avatar Lorenzo Colitti Committed by David S. Miller
Browse files

net: inet: Support UID-based routing in IP protocols. 

- Use the UID in routing lookups made by protocol connect() and
  sendmsg() functions.
- Make sure that routing lookups triggered by incoming packets
  (e.g., Path MTU discovery) take the UID of the socket into
  account.
- For packets not associated with a userspace socket, (e.g., ping
  replies) use UID 0 inside the user namespace corresponding to
  the network namespace the socket belongs to. This allows
  all namespaces to apply routing and iptables rules to
  kernel-originated traffic in that namespaces by matching UID 0.
  This is better than using the UID of the kernel socket that is
  sending the traffic, because the UID of kernel sockets created
  at namespace creation time (e.g., the per-processor ICMP and
  TCP sockets) is the UID of the user that created the socket,
  which might not be mapped in the namespace.

Tested: compiles allnoconfig, allyesconfig, allmodconfig
Tested: https://android-review.googlesource.com/253302


Signed-off-by: default avatarLorenzo Colitti <lorenzo@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 622ec2c9

include/net/flow.h

+3 −1
Original line number Diff line number Diff line
@@ -96,7 +96,8 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif, 
				      __u32 mark, __u8 tos, __u8 scope,

				      __u8 proto, __u8 flags,

				      __be32 daddr, __be32 saddr,

				      __be16 dport, __be16 sport)

				      __be16 dport, __be16 sport,

				      kuid_t uid)

{

	fl4->flowi4_oif = oif;

	fl4->flowi4_iif = LOOPBACK_IFINDEX;
@@ -107,6 +108,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif, 
	fl4->flowi4_flags = flags;

	fl4->flowi4_secid = 0;

	fl4->flowi4_tun_key.tun_id = 0;

	fl4->flowi4_uid = uid;

	fl4->daddr = daddr;

	fl4->saddr = saddr;

	fl4->fl4_dport = dport;

include/net/ip.h

+1 −0
Original line number Diff line number Diff line
@@ -179,6 +179,7 @@ struct ip_reply_arg { 
				/* -1 if not needed */ 

	int	    bound_dev_if;

	u8  	    tos;

	kuid_t	    uid;

}; 



#define IP_REPLY_ARG_NOSRCCHECK 1

include/net/ip6_route.h

+3 −2
Original line number Diff line number Diff line
@@ -140,9 +140,10 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len, 
		  const struct in6_addr *gwaddr);



void ip6_update_pmtu(struct sk_buff *skb, struct net *net, __be32 mtu, int oif,

		     u32 mark);

		     u32 mark, kuid_t uid);

void ip6_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, __be32 mtu);

void ip6_redirect(struct sk_buff *skb, struct net *net, int oif, u32 mark);

void ip6_redirect(struct sk_buff *skb, struct net *net, int oif, u32 mark,

		  kuid_t uid);

void ip6_redirect_no_header(struct sk_buff *skb, struct net *net, int oif,

			    u32 mark);

void ip6_sk_redirect(struct sk_buff *skb, struct sock *sk);

include/net/route.h

+3 −2
Original line number Diff line number Diff line
@@ -153,7 +153,7 @@ static inline struct rtable *ip_route_output_ports(struct net *net, struct flowi 
	flowi4_init_output(fl4, oif, sk ? sk->sk_mark : 0, tos,

			   RT_SCOPE_UNIVERSE, proto,

			   sk ? inet_sk_flowi_flags(sk) : 0,

			   daddr, saddr, dport, sport);

			   daddr, saddr, dport, sport, sock_net_uid(net, sk));

	if (sk)

		security_sk_classify_flow(sk, flowi4_to_flowi(fl4));

	return ip_route_output_flow(net, fl4, sk);
@@ -269,7 +269,8 @@ static inline void ip_route_connect_init(struct flowi4 *fl4, __be32 dst, __be32 
		flow_flags |= FLOWI_FLAG_ANYSRC;



	flowi4_init_output(fl4, oif, sk->sk_mark, tos, RT_SCOPE_UNIVERSE,

			   protocol, flow_flags, dst, src, dport, sport);

			   protocol, flow_flags, dst, src, dport, sport,

			   sk->sk_uid);

}



static inline struct rtable *ip_route_connect(struct flowi4 *fl4,

net/ipv4/icmp.c

+2 −0
Original line number Diff line number Diff line
@@ -425,6 +425,7 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) 
	fl4.daddr = daddr;

	fl4.saddr = saddr;

	fl4.flowi4_mark = mark;

	fl4.flowi4_uid = sock_net_uid(net, NULL);

	fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos);

	fl4.flowi4_proto = IPPROTO_ICMP;

	fl4.flowi4_oif = l3mdev_master_ifindex(skb->dev);
@@ -473,6 +474,7 @@ static struct rtable *icmp_route_lookup(struct net *net, 
		      param->replyopts.opt.opt.faddr : iph->saddr);

	fl4->saddr = saddr;

	fl4->flowi4_mark = mark;

	fl4->flowi4_uid = sock_net_uid(net, NULL);

	fl4->flowi4_tos = RT_TOS(tos);

	fl4->flowi4_proto = IPPROTO_ICMP;

	fl4->fl4_icmp_type = type;