[Devel] [PATCH] netfilter: get UID and GID from container user ns on rule match

Stanislav Kinsburskiy skinsbursky at virtuozzo.com
Tue Jun 6 13:00:32 MSK 2017


It is good enough for us. It will not work properly when rules are set by joining the container's network namespace without the VE cgroup, but that is acceptable, because a proper fix would need a lot of backporting.

https://jira.sw.ru/browse/PSBM-43609

Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
---
 net/netfilter/xt_owner.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 942cce1..31dec4a 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -31,14 +31,14 @@ owner_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
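Review bot: After the switch to ve_init_user_ns() on the added lines, make_kuid()/make_kgid() can return INVALID_UID/INVALID_GID at match time, which the old init_user_ns code never could (that namespace maps every id), and the uid_eq()/gid_eq() lines that follow do not check for it: for a rule whose numeric uid is not mapped in the VE's user namespace, uid_eq() is always false, so with XT_OWNER_UID in info->invert the inverted match silently becomes true for every packet. A minimal in-match guard would be `if (!uid_valid(uid)) return false;` directly after the make_kuid() line (and `if (!gid_valid(gid)) return false;` after make_kgid()), though as far as I recall mainline instead rejects unmapped ids with uid_valid()/gid_valid() in the checkentry hook and translates via the netns's user_ns, which this patch does not touch. The same applies to the gid block of this hunk and to the owner_mt6_v0 and owner_mt hunks below, where uid_gte()/uid_lte() and gid_gte()/gid_lte() against an invalid id behave the same way. Note also that the rule's numeric id is now interpreted relative to the VE current at match time rather than at insertion time; the commit message acknowledges the namespace-join case, but that is worth a one-line comment above the make_kuid() call so a later reader does not take the translation for a per-rule-writer one. owner_mt_v0's body starts and ends outside the hunk.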
@@ -61,14 +61,14 @@ owner_mt6_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
@@ -109,8 +109,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
-		kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+		kuid_t uid_min = make_kuid(ve_init_user_ns(), info->uid_min);
+		kuid_t uid_max = make_kuid(ve_init_user_ns(), info->uid_max);
 		if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
 		     uid_lte(filp->f_cred->fsuid, uid_max)) ^
 		    !(info->invert & XT_OWNER_UID))
@@ -118,8 +118,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
-		kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+		kgid_t gid_min = make_kgid(ve_init_user_ns(), info->gid_min);
+		kgid_t gid_max = make_kgid(ve_init_user_ns(), info->gid_max);
 		if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
 		     gid_lte(filp->f_cred->fsgid, gid_max)) ^
 		    !(info->invert & XT_OWNER_GID))


