Add socket expressions for checking GID or UID of the originating socket. These work also on input side, unlike meta skuid/skgid.

Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
---
 include/uapi/linux/netfilter/nf_tables.h |  4 ++++
 net/netfilter/nft_socket.c               | 28 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 466fd3f4447c..b3c09c67d13a 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1040,12 +1040,16 @@ enum nft_socket_attributes {
  * @NFT_SOCKET_MARK: Value of the socket mark
  * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
  * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2
+ * @NFT_SOCKET_GID: Match on GID of socket owner
+ * @NFT_SOCKET_GID: Match on UID of socket owner
  */
 enum nft_socket_keys {
 	NFT_SOCKET_TRANSPARENT,
 	NFT_SOCKET_MARK,
 	NFT_SOCKET_WILDCARD,
 	NFT_SOCKET_CGROUPV2,
+	NFT_SOCKET_GID,
+	NFT_SOCKET_UID,
 	__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index b8f011145765..2f0fe9d886f3 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -113,6 +113,32 @@ static void nft_socket_eval(const struct nft_expr *expr,
 		}
 		break;
 #endif
+	case NFT_SOCKET_GID:
+		if (sk_fullsock(sk)) {
+			struct socket *sock;
+
+			sock = sk->sk_socket;
+			if (sock && sock->file)
+				*dest = from_kgid_munged(sock_net(sk)->user_ns,
+							 sock->file->f_cred->fsgid);
+		} else {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		break;
+	case NFT_SOCKET_UID:
+		if (sk_fullsock(sk)) {
+			struct socket *sock;
+
+			sock = sk->sk_socket;
+			if (sock && sock->file)
+				*dest = from_kuid_munged(sock_net(sk)->user_ns,
+							 sock->file->f_cred->fsuid);
+		} else {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		break;
 	default:
 		WARN_ON(1);
 		regs->verdict.code = NFT_BREAK;
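Review bot: The second kernel-doc tag added to the nft_socket_keys comment repeats `@NFT_SOCKET_GID` while describing the UID key, so `NFT_SOCKET_UID` is left undocumented and the kernel-doc tooling will likely flag the duplicate; change it to ` * @NFT_SOCKET_UID: Match on UID of socket owner`. The two new enumerators are correctly appended ahead of `__NFT_SOCKET_MAX`, so existing UAPI values keep their numbering.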
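Review bot: In both new cases, when `sk_fullsock(sk)` holds but `sock` or `sock->file` is NULL, `*dest` is never written and evaluation continues on whatever the register already held, so a uid/gid rule can match on stale data where the existing NFT_SOCKET_MARK arm breaks instead. Collapse the checks into one guard, e.g. `if (!sk_fullsock(sk) || !sk->sk_socket || !sk->sk_socket->file) { regs->verdict.code = NFT_BREAK; return; }`, which also removes the duplicated else blocks. Reading `sk->sk_socket` and then `sock->file` from the hook appears to be done without `sk->sk_callback_lock`; on the input path, where the socket presumably comes from a lookup rather than skb->sk, a concurrent close can orphan the socket under that lock, so the dereference should be taken under it or otherwise shown to be safe. The GID and UID arms differ only in the from_k*_munged call and the cred field, so a small static helper would avoid the copy-paste. nft_socket_eval begins and ends outside this hunk.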
@@ -156,6 +182,8 @@ static int nft_socket_init(const struct nft_ctx *ctx,
 		len = sizeof(u8);
 		break;
 	case NFT_SOCKET_MARK:
+	case NFT_SOCKET_GID:
+	case NFT_SOCKET_UID:
 		len = sizeof(u32);
 		break;
 #ifdef CONFIG_CGROUPS
-- 
2.35.1