
Commit c0366635 authored by Maciej Żenczykowski's avatar Maciej Żenczykowski Committed by Hridaya Prajapati

ANDROID: revert all xt_qtaguid stuff



Revert "ANDROID: xt_qtaguid: fix UAF race"
This reverts commit 5efc888d.

Revert "ANDROID: xt_qtaguid: Remove tag_entry from process list on untag"
This reverts commit 5a7c121b2903285f0f97c3352e560274116ab984.

Revert "ANDROID: xt_qtaguid: Remove unnecessary null checks to device's name"
This reverts commit 441e17f7.

Revert "ANDROID: qtaguid: Fix the UAF probelm with tag_ref_tree"
This reverts commit b4d74821.

Revert "ANDROID: netfilter: xt_qtaguid: Fix 4.14 compilation"
This reverts commit 2f6e1d62.

Revert "ANDROID: netfilter: xt_qtaguid: Use sk_uid to replace uid get from socket file"
This reverts commit 10937966.

Revert "ANDROID: netfilter: xt_qtaguid: fix handling for cases where tunnels are used."
This reverts commit 972ca00d.

Revert "ANDROID: netfilter: xt_qtaguid: handle properly request sockets"
This reverts commit 5824b89f.

Revert "ANDROID: netfilter: xt_qtaguid: Add untag hacks to inet_release function"
This reverts commit f2ad6ade.

Revert "ANDROID: netfilter: xt_qtaguid: don't check if embedded arrays are NULL"
This reverts commit 65a7a5ee.

Revert "ANDROID: netfilter: xt_qtaguid: fix the deadlock when enable DDEBUG"
This reverts commit 8ccc999c.

Revert "ANDROID: netfilter: xt_qtaguid: Don't show empty tag stats for unprivileged uids"
This reverts commit 6cdbac6f.

Revert "ANDROID: netfilter: xt_qtaguid: Fix panic caused by processing non-full socket."
This reverts commit f20252d7.

Revert "ANDROID: netfilter: xt_qtaguid: Fix panic caused by synack processing"
This reverts commit af798507.

Revert "ANDROID: netfilter: xt_qtaguid: fix a race condition in if_tag_stat_update"
This reverts commit ca58d224.

Revert "ANDROID: netfilter: xt_qtaguid: xt_socket: build fixes"
This reverts commit 5dfb5c0e.

Revert "ANDROID: netfilter: xt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket"
This reverts commit 06ac276e.

Revert "ANDROID: netfilter: xt_qtaguid/xt_socket: Build fixups"
This reverts commit 9b19736f.

Revert "ANDROID: netfilter: xt_qtaguid: Fix boot panic"
This reverts commit 6fc67945.

Revert "ANDROID: netfilter: xt_qtaguid: fix bad tcp_time_wait sock handling"
This reverts commit a89db3e4.

Revert "ANDROID: netfilter: xt_qtaguid: 3.10 fixes"
This reverts commit 1474b38f.

Revert "ANDROID: netfilter: xt_qtaguid: rate limit some of the printks"
This reverts commit bc1e31b8.

Revert "ANDROID: netfilter: xt_qtaguid: Allow tracking loopback"
This reverts commit 11a32dfd.

Revert "ANDROID: netfilter: xt_qtaguid: extend iface stat to report protocols"
This reverts commit 2170698b.

Revert "ANDROID: netfilter: xt_qtaguid: remove AID_* dependency for access control"
This reverts commit 5fecf3b1.

Revert "ANDROID: netfilter: xt_qtaguid: Don't BUG_ON if create_if_tag_stat fails"
This reverts commit 61a97f20.

Revert "ANDROID: netfilter: xt_qtaguid: fix error exit that would keep a spinlock."
This reverts commit 260b6645.

Revert "ANDROID: netfilter: xt_qtaguid: report only uid tags to non-privileged processes"
This reverts commit 22ecb1cb.

Revert "ANDROID: netfilter: xt_qtaguid: start tracking iface rx/tx at low level"
This reverts commit a2d25419.

Revert "ANDROID: netfilter: xt_qtaguid: fix ipv6 protocol lookup"
This reverts commit 588f1e1d.

Revert "ANDROID: netfilter: xt_qtaguid: add qtaguid matching module"
This reverts commit 00f57e8b.

Based on:
  athina:/git/AND-B5R3 ((0a5c1622fe85...))$ git log --oneline --no-merges remotes/android/kernel/common/android-4.19-q..HEAD | egrep qtaguid
  441e17f7 ANDROID: xt_qtaguid: Remove unnecessary null checks to device's name
  b4d74821 ANDROID: qtaguid: Fix the UAF probelm with tag_ref_tree
  2f6e1d62 ANDROID: netfilter: xt_qtaguid: Fix 4.14 compilation
  10937966 ANDROID: netfilter: xt_qtaguid: Use sk_uid to replace uid get from socket file
  972ca00d ANDROID: netfilter: xt_qtaguid: fix handling for cases where tunnels are used.
  5824b89f ANDROID: netfilter: xt_qtaguid: handle properly request sockets
  f2ad6ade ANDROID: netfilter: xt_qtaguid: Add untag hacks to inet_release function
  65a7a5ee ANDROID: netfilter: xt_qtaguid: don't check if embedded arrays are NULL
  8ccc999c ANDROID: netfilter: xt_qtaguid: fix the deadlock when enable DDEBUG
  6cdbac6f ANDROID: netfilter: xt_qtaguid: Don't show empty tag stats for unprivileged uids
  f20252d7 ANDROID: netfilter: xt_qtaguid: Fix panic caused by processing non-full socket.
  af798507 ANDROID: netfilter: xt_qtaguid: Fix panic caused by synack processing
  ca58d224 ANDROID: netfilter: xt_qtaguid: fix a race condition in if_tag_stat_update
  5dfb5c0e ANDROID: netfilter: xt_qtaguid: xt_socket: build fixes
  06ac276e ANDROID: netfilter: xt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket
  9b19736f ANDROID: netfilter: xt_qtaguid/xt_socket: Build fixups
  6fc67945 ANDROID: netfilter: xt_qtaguid: Fix boot panic
  a89db3e4 ANDROID: netfilter: xt_qtaguid: fix bad tcp_time_wait sock handling
  1474b38f ANDROID: netfilter: xt_qtaguid: 3.10 fixes
  bc1e31b8 ANDROID: netfilter: xt_qtaguid: rate limit some of the printks
  11a32dfd ANDROID: netfilter: xt_qtaguid: Allow tracking loopback
  2170698b ANDROID: netfilter: xt_qtaguid: extend iface stat to report protocols
  5fecf3b1 ANDROID: netfilter: xt_qtaguid: remove AID_* dependency for access control
  61a97f20 ANDROID: netfilter: xt_qtaguid: Don't BUG_ON if create_if_tag_stat fails
  260b6645 ANDROID: netfilter: xt_qtaguid: fix error exit that would keep a spinlock.
  22ecb1cb ANDROID: netfilter: xt_qtaguid: report only uid tags to non-privileged processes
  a2d25419 ANDROID: netfilter: xt_qtaguid: start tracking iface rx/tx at low level
  588f1e1d ANDROID: netfilter: xt_qtaguid: fix ipv6 protocol lookup
  00f57e8b ANDROID: netfilter: xt_qtaguid: add qtaguid matching module

Generated via:
  git log --oneline --no-merges remotes/android/kernel/common/android-4.19-q..HEAD \
  | egrep qtaguid | while read a b; do git revert $a; done
and squashing the result.

Test:
  $ git grep -i qtaguid
  arch/arm/configs/ranchu_defconfig:108:CONFIG_NETFILTER_XT_MATCH_QTAGUID=y
  arch/arm64/configs/ranchu64_defconfig:110:CONFIG_NETFILTER_XT_MATCH_QTAGUID=y
  arch/x86/configs/i386_ranchu_defconfig:142:CONFIG_NETFILTER_XT_MATCH_QTAGUID=y
  arch/x86/configs/x86_64_ranchu_defconfig:140:CONFIG_NETFILTER_XT_MATCH_QTAGUID=y

Bug: 138428914
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ida83e0ba51c5debbc509f99b35d6013be01ddedf
parent a2f94eff
+0 −2
@@ -22,7 +22,5 @@
#define AID_INET         KGIDT_INIT(3003)
#define AID_NET_RAW      KGIDT_INIT(3004)
#define AID_NET_ADMIN    KGIDT_INIT(3005)
#define AID_NET_BW_STATS KGIDT_INIT(3006)  /* read bandwidth statistics */
#define AID_NET_BW_ACCT  KGIDT_INIT(3007)  /* change bandwidth statistics accounting */

#endif
+0 −14
#ifndef _XT_QTAGUID_MATCH_H
#define _XT_QTAGUID_MATCH_H

/* For now we just replace the xt_owner.
 * FIXME: make iptables aware of qtaguid. */
#include <linux/netfilter/xt_owner.h>

#define XT_QTAGUID_UID    XT_OWNER_UID
#define XT_QTAGUID_GID    XT_OWNER_GID
#define XT_QTAGUID_SOCKET XT_OWNER_SOCKET
#define xt_qtaguid_match_info xt_owner_match_info

int qtaguid_untag(struct socket *sock, bool kernel);
#endif /* _XT_QTAGUID_MATCH_H */
+0 −4
@@ -89,7 +89,6 @@
#include <linux/netfilter_ipv4.h>
#include <linux/random.h>
#include <linux/slab.h>
#include <linux/netfilter/xt_qtaguid.h>

#include <linux/uaccess.h>

@@ -429,9 +428,6 @@ int inet_release(struct socket *sock)
	if (sk) {
		long timeout;

#ifdef CONFIG_NETFILTER_XT_MATCH_QTAGUID
		qtaguid_untag(sock, true);
#endif
		/* Applications forget to leave groups before exiting */
		ip_mc_drop_socket(sk);

+0 −18
@@ -1431,8 +1431,6 @@ config NETFILTER_XT_MATCH_OWNER
	based on who created the socket: the user or group. It is also
	possible to check whether a socket actually exists.

	Conflicts with '"quota, tag, uid" match'

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
@@ -1466,22 +1464,6 @@ config NETFILTER_XT_MATCH_PKTTYPE

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QTAGUID
	bool '"quota, tag, owner" match and stats support'
        depends on NETFILTER_XT_MATCH_SOCKET
	depends on NETFILTER_XT_MATCH_OWNER=n
	help
	  This option replaces the `owner' match. In addition to matching
	  on uid, it keeps stats based on a tag assigned to a socket.
	  The full tag is comprised of a UID and an accounting tag.
	  The tags are assignable to sockets from user space (e.g. a download
	  manager can assign the socket to another UID for accounting).
	  Stats and control are done via /proc/net/xt_qtaguid/.
	  It replaces owner as it takes the same arguments, but should
	  really be recognized by the iptables tool.

	  If unsure, say `N'.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
+0 −1
@@ -191,7 +191,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CGROUP) += xt_cgroup.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
obj-$(CONFIG_NETFILTER_XT_MATCH_QTAGUID) += xt_qtaguid_print.o xt_qtaguid.o
obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA2) += xt_quota2.o
obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) += xt_rateest.o