On Wednesday 2022-04-20 20:54, Topi Miettinen wrote:
>Add socket expressions for checking GID or UID of the originating
>socket. These work also on input side, unlike meta skuid/skgid.

Why exactly is it that meta skuid does not work?
Because of the skb_to_full_sk() call in nft_meta_get_eval_skugid()?

>+ case NFT_SOCKET_GID: >+ if (sk_fullsock(sk)) { >+ struct socket *sock; >+ >+ sock = sk->sk_socket; >+ if (sock && sock->file) >+ *dest = from_kgid_munged(sock_net(sk)->user_ns, >+ sock->file->f_cred->fsgid);

The code is quite the same as nft_meta_get_eval_skugid's, save for the BH locking and skb_to_full_sk. Perhaps nft_socket.c could still call into a suitably augmented nft_meta_get_eval_skugid function to share code.
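
Review bot: In the NFT_SOCKET_GID case, sk->sk_socket and sock->file are read with no lock visible in the quoted lines, and the reply points out that BH locking is one of the differences from nft_meta_get_eval_skugid. Either take the same lock around the sock/file dereference or state in the commit message why this path does not need it. The quoted lines also show no else branch, so it is worth confirming what *dest holds and which verdict results when sk_fullsock(sk) is false or when sock or sock->file is NULL. Sharing one helper with the meta code, as the reply suggests, would keep the credential lookup and its locking in a single place.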