
Commit a2a8c363 authored by Lorenzo Colitti's avatar Lorenzo Colitti Committed by Ian Maund

net: core: Support UID-based routing.



This contains the following commits:

1. 0149763 net: core: Add a UID range to fib rules.
2. 1650474 net: core: Use the socket UID in routing lookups.
3. 0b16771 net: ipv4: Add the UID to the route cache.
4. ee058f1 net: core: Add a RTA_UID attribute to routes.
    This is so that userspace can do per-UID route lookups.

Bug: 15413527
Change-Id: I1285474c6734614d3bda6f61d88dfe89a4af7892
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Git-commit: 0b428749ce5969bc06c73855e360141b4e7126e8
Git-repo: https://android.googlesource.com/kernel/common.git


[imaund@codeaurora.org: Resolved conflicts related to removal
  of oif and mark, as well as refactoring of files.]
Signed-off-by: Ian Maund <imaund@codeaurora.org>
parent dbd2b72e
+5 −1
@@ -23,6 +23,8 @@ struct fib_rule {
	struct fib_rule __rcu	*ctarget;
	char			iifname[IFNAMSIZ];
	char			oifname[IFNAMSIZ];
	uid_t			uid_start;
	uid_t			uid_end;
	struct rcu_head		rcu;
	struct net *		fr_net;
};
@@ -80,7 +82,9 @@ struct fib_rules_ops {
	[FRA_FWMARK]	= { .type = NLA_U32 }, \
	[FRA_FWMASK]	= { .type = NLA_U32 }, \
	[FRA_TABLE]     = { .type = NLA_U32 }, \
	[FRA_GOTO]	= { .type = NLA_U32 }
	[FRA_GOTO]	= { .type = NLA_U32 }, \
	[FRA_UID_START]	= { .type = NLA_U32 }, \
	[FRA_UID_END]	= { .type = NLA_U32 }

static inline void fib_rule_get(struct fib_rule *rule)
{
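Review bot: The new `uid_start`/`uid_end` members of `struct fib_rule` carry no comment saying whether the range is inclusive or what a rule created without FRA_UID_START/FRA_UID_END holds so that it keeps matching every UID; the matching and validation code is in net/core/fib_rules.c, which is not on this page. I would add `uid_t uid_start; /* inclusive UID range this rule matches; full range when unset */` on the first field, with the wording adjusted to what fib_rules.c actually does. The `[FRA_UID_START]`/`[FRA_UID_END]` policy entries only pin the attribute type to NLA_U32, so the rule-add path has to be the place that rejects `uid_start > uid_end` rather than storing an unmatchable or inverted range; worth confirming there. The fields are plain `uid_t` rather than `kuid_t`, so a UID supplied by a sender in a non-initial user namespace is presumably compared untranslated.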
+7 −1
@@ -23,6 +23,7 @@ struct flowi_common {
#define FLOWI_FLAG_CAN_SLEEP		0x02
#define FLOWI_FLAG_KNOWN_NH		0x04
	__u32	flowic_secid;
	uid_t	flowic_uid;
};

union flowi_uli {
@@ -59,6 +60,7 @@ struct flowi4 {
#define flowi4_proto		__fl_common.flowic_proto
#define flowi4_flags		__fl_common.flowic_flags
#define flowi4_secid		__fl_common.flowic_secid
#define flowi4_uid		__fl_common.flowic_uid

	/* (saddr,daddr) must be grouped, same order as in IP header */
	__be32			saddr;
@@ -78,7 +80,8 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
				      __u32 mark, __u8 tos, __u8 scope,
				      __u8 proto, __u8 flags,
				      __be32 daddr, __be32 saddr,
				      __be16 dport, __be16 sport)
				      __be16 dport, __be16 sport,
				      uid_t uid)
{
	fl4->flowi4_oif = oif;
	fl4->flowi4_iif = 0;
@@ -88,6 +91,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
	fl4->flowi4_proto = proto;
	fl4->flowi4_flags = flags;
	fl4->flowi4_secid = 0;
	fl4->flowi4_uid = uid;
	fl4->daddr = daddr;
	fl4->saddr = saddr;
	fl4->fl4_dport = dport;
@@ -115,6 +119,7 @@ struct flowi6 {
#define flowi6_proto		__fl_common.flowic_proto
#define flowi6_flags		__fl_common.flowic_flags
#define flowi6_secid		__fl_common.flowic_secid
#define flowi6_uid		__fl_common.flowic_uid
	struct in6_addr		daddr;
	struct in6_addr		saddr;
	__be32			flowlabel;
@@ -158,6 +163,7 @@ struct flowi {
#define flowi_proto	u.__fl_common.flowic_proto
#define flowi_flags	u.__fl_common.flowic_flags
#define flowi_secid	u.__fl_common.flowic_secid
#define flowi_uid	u.__fl_common.flowic_uid
} __attribute__((__aligned__(BITS_PER_LONG/8)));

static inline struct flowi *flowi4_to_flowi(struct flowi4 *fl4)
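Review bot: `flowic_uid` and the new `uid` parameter of `flowi4_init_output` are declared `uid_t`, but the values passed into them in the route.h section come from `sock_i_uid()`, which on kernels of this generation returns `kuid_t`; this compiles only while `kuid_t` is a plain typedef of `uid_t` (CONFIG_UIDGID_STRICT_TYPE_CHECKS off) and would both fail to build and skip user-namespace translation once that option is enabled — worth confirming against include/linux/uidgid.h in this tree. Declaring them as `kuid_t flowic_uid;` and `kuid_t uid` keeps the flow key in kernel-internal UID space. The added parameter is undocumented; a line above `flowi4_init_output` such as `/* uid: owner of the originating socket, matched against UID-range fib rules */` would help. `flowi6_uid` is aliased here but nothing on this page initialises it, so its IPv6 setter is presumably in a later part of the series.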
+1 −0
@@ -153,6 +153,7 @@ struct ip_reply_arg {
				/* -1 if not needed */ 
	int	    bound_dev_if;
	u8  	    tos;
	uid_t	    uid;
}; 

#define IP_REPLY_ARG_NOSRCCHECK 1
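Review bot: The new `uid` member of `struct ip_reply_arg` is the only field in the visible part of the struct without a comment, while its neighbours document their sentinel values; I would write `uid_t uid; /* owner UID of the socket the reply is sent for; used by the route lookup */`, with the wording checked against the reply-sending code that consumes it. Any caller that zeroes the struct and does not set this field will have its replies routed as UID 0, which is presumably not intended for resets and ACKs sent on behalf of an existing socket, so each site that builds an `ip_reply_arg` should be checked in this series.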
+4 −2
@@ -52,6 +52,7 @@ struct rtable {
	__u8			rt_uses_gateway;

	int			rt_iif;
	uid_t			rt_uid;

	/* Info on neighbour */
	__be32			rt_gateway;
@@ -142,7 +143,7 @@ static inline struct rtable *ip_route_output_ports(struct net *net, struct flowi
	flowi4_init_output(fl4, oif, sk ? sk->sk_mark : 0, tos,
			   RT_SCOPE_UNIVERSE, proto,
			   sk ? inet_sk_flowi_flags(sk) : 0,
			   daddr, saddr, dport, sport);
			   daddr, saddr, dport, sport, sock_i_uid(sk));
	if (sk)
		security_sk_classify_flow(sk, flowi4_to_flowi(fl4));
	return ip_route_output_flow(net, fl4, sk);
@@ -253,7 +254,8 @@ static inline void ip_route_connect_init(struct flowi4 *fl4, __be32 dst, __be32
		flow_flags |= FLOWI_FLAG_CAN_SLEEP;

	flowi4_init_output(fl4, oif, sk->sk_mark, tos, RT_SCOPE_UNIVERSE,
			   protocol, flow_flags, dst, src, dport, sport);
			   protocol, flow_flags, dst, src, dport, sport,
			   sock_i_uid(sk));
}

static inline struct rtable *ip_route_connect(struct flowi4 *fl4,
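Review bot: In the `ip_route_output_ports` hunk, `sock_i_uid(sk)` is evaluated unconditionally while the two arguments above it are guarded with `sk ? ... : 0`, so callers that pass a NULL socket (the existing guards indicate there are such callers) now dereference it inside sock_i_uid(); the new argument should follow the neighbouring pattern, `daddr, saddr, dport, sport, sk ? sock_i_uid(sk) : 0);`, or go through a helper that accepts a NULL sk. Whatever value stands in for socket-less traffic decides which UID-range rule kernel-generated packets match, so that fallback deserves a comment at the call site. `ip_route_connect_init` already dereferences `sk->sk_mark`, so its `sock_i_uid(sk)` call is consistent with its existing contract. Both enclosing functions start outside the hunks shown.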
+2 −0
@@ -49,6 +49,8 @@ enum {
	FRA_TABLE,	/* Extended table id */
	FRA_FWMASK,	/* mask for netfilter mark */
	FRA_OIFNAME,
	FRA_UID_START,	/* UID range */
	FRA_UID_END,
	__FRA_MAX
};
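Review bot: `FRA_UID_START` is commented as `/* UID range */` but `FRA_UID_END` is not, and neither says whether the bounds are inclusive; as this is a uapi header I would write `FRA_UID_START, /* lower bound of UID range (inclusive) */` and `FRA_UID_END, /* upper bound of UID range (inclusive) */`, adjusted to the semantics fib_rules.c implements. Appending both values before `__FRA_MAX` keeps existing attribute numbers stable, but the numbers they take are not reserved upstream: later mainline kernels assign other attributes to those slots and carry the range in a single FRA_UID_RANGE attribute, so userspace built against this header will not be portable to them.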
