On Tue, Jun 14, 2016 at 03:14:12PM -0700, Kevin Cernekee wrote:
> From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>
> Making this work is a little tricky as it really isn't kosher to
> change the xt_owner_match_info in a check function.
>
> Without changing xt_owner_match_info we need to know the user
> namespace the uids and gids are specified in. In the common case
> net->user_ns == current_user_ns(). Verify net->user_ns ==
> current_user_ns() in owner_check so we can later assume it in
> owner_mt.
>
> In owner_check also verify that all of the uids and gids specified are
> in net->user_ns and that the expected min/max relationship exists
> between the uids and gids in xt_owner_match_info.
>
> In owner_mt get the network namespace from the outgoing socket, as this
> must be the same network namespace as the netfilter rules, and use that
> network namespace to find the user namespace the uids and gids in
> xt_match_owner_info are encoded in. Then convert from their encoded
> form into the kernel internal format for uids and gids and perform the
> owner match.
>
> Similar to ping_group_range, this code does not try to detect
> noncontiguous UID/GID ranges.

Applied, thanks.
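The owner_check validation the quoted commit message describes, as an added userspace model that is not the kernel's code: a user namespace is represented by a constructed uid_map (extents of first/lower_first/count, as in user_namespaces(7)), `model_make_kuid` stands in for make_kuid() returning an invalid uid for unmapped values, and `model_owner_check` rejects a rule whose bounds are unmapped or whose min/max ordering breaks in either encoding. Like the real check, it only tests the two bounds, not whether every uid between them is mapped.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of one uid_map extent: uids [first, first+count) in
 * the namespace map to kernel uids [lower_first, lower_first+count). */
struct uid_extent { uint32_t first, lower_first, count; };
struct user_ns { const struct uid_extent *map; size_t nr; };

#define INVALID_KUID UINT32_MAX  /* stands in for the kernel's INVALID_UID */

/* Map a uid written inside ns to the kernel-internal uid; unmapped -> INVALID. */
static uint32_t model_make_kuid(const struct user_ns *ns, uint32_t uid)
{
    for (size_t i = 0; i < ns->nr; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (uid >= e->first && uid - e->first < e->count)
            return e->lower_first + (uid - e->first);
    }
    return INVALID_KUID;
}

/* Constructed stand-in for the owner_check logic: the rule's uid_min/uid_max
 * are encoded in ns (the netns owner's user namespace).  Reject (-1, as for
 * -EINVAL) if either bound is unmapped there, or if max < min either as
 * written or after translation.  Only the bounds are checked; a hole in the
 * map between them is not detected, as the commit message notes. */
static int model_owner_check(const struct user_ns *ns,
                             uint32_t uid_min, uint32_t uid_max)
{
    uint32_t kmin = model_make_kuid(ns, uid_min);
    uint32_t kmax = model_make_kuid(ns, uid_max);

    if (kmin == INVALID_KUID || kmax == INVALID_KUID)
        return -1;
    if (uid_max < uid_min || kmax < kmin)
        return -1;
    return 0;
}

/* Constructed sample namespace: a container whose uids 0..65535 are backed
 * by kernel uids 100000..165535, the usual single-extent layout. */
static const struct uid_extent container_map[] = { { 0, 100000, 65536 } };
static const struct user_ns container_ns = { container_map, 1 };
```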