On Sunday 2014-05-25 09:39, Eric W. Biederman wrote:

>
>Making this work is a little tricky as it really isn't kosher to
>change the xt_owner_match_info in a check function.

It is ok if you set aside members for kernel internal use, though that
is going to require a new match revision. That may be justified since
it would alleviate repeated calls to make_kuid for each packet.

>@@ -48,9 +75,10 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
> return ((info->match ^ info->invert) &
> (XT_OWNER_UID | XT_OWNER_GID)) == 0;
>
>+ net = sock_net(skb->sk);
> if (info->match & XT_OWNER_UID) {
>- kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
>- kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
>+ kuid_t uid_min = make_kuid(net->user_ns, info->uid_min);
>+ kuid_t uid_max = make_kuid(net->user_ns, info->uid_max);
> if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
> uid_lte(filp->f_cred->fsuid, uid_max)) ^
> !(info->invert & XT_OWNER_UID))
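Review bot: the two new make_kuid(net->user_ns, ...) lines never check the result with uid_valid(). If info->uid_min or info->uid_max does not map into net->user_ns, make_kuid() returns INVALID_UID and the uid_gte()/uid_lte() comparison below silently fails for every packet, so a rule written with XT_OWNER_UID set in info->invert would then match all traffic instead of being rejected; either reject an unmapped range up front or treat an invalid bound as a non-match explicitly. The conversion is also repeated for every packet in the match path; resolving both bounds to kuid_t once at rule insertion time and keeping them in kernel-internal members of the match info (which, as noted in the reply, needs a new match revision) would avoid that and would pin the interpretation of uid_min/uid_max to the namespace of the process that inserted the rule rather than to whatever user namespace owns the net namespace at match time.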