Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ba3d8d3f authored by Lorenzo Colitti's avatar Lorenzo Colitti Committed by Ruchi Kandoi
Browse files

net: core: Support UID-based routing. 



This contains the following commits:

1. cc2f522 net: core: Add a UID range to fib rules.
2. d7ed2bd net: core: Use the socket UID in routing lookups.
3. 2f9306a net: core: Add a RTA_UID attribute to routes.
    This is so that userspace can do per-UID route lookups.
4. 8e46efb net: ipv6: Use the UID in IPv6 PMTUD
    IPv4 PMTUD already does this because ipv4_sk_update_pmtu
    uses __build_flow_key, which includes the UID.

Bug: 15413527
Change-Id: I81bd31dae655de9cce7d7a1f9a905dc1c2feba7c
Signed-off-by: default avatarLorenzo Colitti <lorenzo@google.com>
parent d6315124

include/net/fib_rules.h

+6 −0
Original line number Diff line number Diff line
@@ -28,6 +28,8 @@ struct fib_rule { 
	int			suppress_prefixlen;

	char			iifname[IFNAMSIZ];

	char			oifname[IFNAMSIZ];

	kuid_t			uid_start;

	kuid_t			uid_end;

	struct rcu_head		rcu;

};
@@ -86,10 +88,14 @@ struct fib_rules_ops { 
	[FRA_FWMARK]	= { .type = NLA_U32 }, \

	[FRA_FWMASK]	= { .type = NLA_U32 }, \

	[FRA_TABLE]     = { .type = NLA_U32 }, \

	[FRA_GOTO]	= { .type = NLA_U32 }, \

	[FRA_UID_START]	= { .type = NLA_U32 }, \

	[FRA_UID_END]	= { .type = NLA_U32 }, \

	[FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \

	[FRA_SUPPRESS_IFGROUP] = { .type = NLA_U32 }, \

	[FRA_GOTO]	= { .type = NLA_U32 }

	



static inline void fib_rule_get(struct fib_rule *rule)

{

	atomic_inc(&rule->refcnt);

include/net/flow.h

+8 −1
Original line number Diff line number Diff line
@@ -10,6 +10,7 @@ 
#include <linux/socket.h>

#include <linux/in6.h>

#include <linux/atomic.h>

#include <linux/uidgid.h>



/*

 * ifindex generation is per-net namespace, and loopback is
@@ -30,6 +31,7 @@ struct flowi_common { 
#define FLOWI_FLAG_ANYSRC		0x01

#define FLOWI_FLAG_KNOWN_NH		0x02

	__u32	flowic_secid;

	kuid_t	flowic_uid;

};



union flowi_uli {
@@ -66,6 +68,7 @@ struct flowi4 { 
#define flowi4_proto		__fl_common.flowic_proto

#define flowi4_flags		__fl_common.flowic_flags

#define flowi4_secid		__fl_common.flowic_secid

#define flowi4_uid		__fl_common.flowic_uid



	/* (saddr,daddr) must be grouped, same order as in IP header */

	__be32			saddr;
@@ -85,7 +88,8 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif, 
				      __u32 mark, __u8 tos, __u8 scope,

				      __u8 proto, __u8 flags,

				      __be32 daddr, __be32 saddr,

				      __be16 dport, __be16 sport)

				      __be16 dport, __be16 sport,

				      kuid_t uid)

{

	fl4->flowi4_oif = oif;

	fl4->flowi4_iif = LOOPBACK_IFINDEX;
@@ -95,6 +99,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif, 
	fl4->flowi4_proto = proto;

	fl4->flowi4_flags = flags;

	fl4->flowi4_secid = 0;

	fl4->flowi4_uid = uid;

	fl4->daddr = daddr;

	fl4->saddr = saddr;

	fl4->fl4_dport = dport;
@@ -122,6 +127,7 @@ struct flowi6 { 
#define flowi6_proto		__fl_common.flowic_proto

#define flowi6_flags		__fl_common.flowic_flags

#define flowi6_secid		__fl_common.flowic_secid

#define flowi6_uid		__fl_common.flowic_uid

	struct in6_addr		daddr;

	struct in6_addr		saddr;

	__be32			flowlabel;
@@ -165,6 +171,7 @@ struct flowi { 
#define flowi_proto	u.__fl_common.flowic_proto

#define flowi_flags	u.__fl_common.flowic_flags

#define flowi_secid	u.__fl_common.flowic_secid

#define flowi_uid	u.__fl_common.flowic_uid

} __attribute__((__aligned__(BITS_PER_LONG/8)));



static inline struct flowi *flowi4_to_flowi(struct flowi4 *fl4)

include/net/ip.h

+1 −0
Original line number Diff line number Diff line
@@ -171,6 +171,7 @@ struct ip_reply_arg { 
				/* -1 if not needed */ 

	int	    bound_dev_if;

	u8  	    tos;

	kuid_t	    uid;

}; 



#define IP_REPLY_ARG_NOSRCCHECK 1

include/net/ip6_route.h

+1 −1
Original line number Diff line number Diff line
@@ -108,7 +108,7 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len, 
		  const struct in6_addr *gwaddr);



void ip6_update_pmtu(struct sk_buff *skb, struct net *net, __be32 mtu, int oif,

		     u32 mark);

		     u32 mark, kuid_t uid);

void ip6_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, __be32 mtu);

void ip6_redirect(struct sk_buff *skb, struct net *net, int oif, u32 mark);

void ip6_redirect_no_header(struct sk_buff *skb, struct net *net, int oif,

include/net/route.h

+3 −2
Original line number Diff line number Diff line
@@ -140,7 +140,7 @@ static inline struct rtable *ip_route_output_ports(struct net *net, struct flowi 
	flowi4_init_output(fl4, oif, sk ? sk->sk_mark : 0, tos,

			   RT_SCOPE_UNIVERSE, proto,

			   sk ? inet_sk_flowi_flags(sk) : 0,

			   daddr, saddr, dport, sport);

			   daddr, saddr, dport, sport, sock_i_uid(sk));

	if (sk)

		security_sk_classify_flow(sk, flowi4_to_flowi(fl4));

	return ip_route_output_flow(net, fl4, sk);
@@ -249,7 +249,8 @@ static inline void ip_route_connect_init(struct flowi4 *fl4, __be32 dst, __be32 
		flow_flags |= FLOWI_FLAG_ANYSRC;



	flowi4_init_output(fl4, oif, sk->sk_mark, tos, RT_SCOPE_UNIVERSE,

			   protocol, flow_flags, dst, src, dport, sport);

			   protocol, flow_flags, dst, src, dport, sport,

			   sock_i_uid(sk));

}



static inline struct rtable *ip_route_connect(struct flowi4 *fl4,