[Devel] [PATCH RHEL7 COMMIT] ve/netfilter: get UID and GID from container user ns on rule match

Konstantin Khorenko khorenko at virtuozzo.com
Tue Jun 20 20:14:43 MSK 2017


The commit is pushed to "branch-rh7-3.10.0-514.16.1.vz7.32.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.16.1.vz7.32.10
------>
commit f6adb98156c29d98d49fd20002c1cf1284caaabb
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Tue Jun 20 21:14:43 2017 +0400

    ve/netfilter: get UID and GID from container user ns on rule match
    
    This is good enough for us. It won't work properly when rules are set by
    joining the container's network namespace without entering the VE cgroup, but
    that is acceptable, because a proper fix would need a lot of backporting.
    
    https://jira.sw.ru/browse/PSBM-43609
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    Reviewed-by: Cyrill Gorcunov <gorcunov at openvz.org>
---
 net/netfilter/xt_owner.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 942cce1..31dec4a 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -31,14 +31,14 @@ owner_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
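Review bot: The namespace used to translate the rule's numeric ids is now looked up on every match through ve_init_user_ns(), and if that helper resolves through the current task's VE, as its name suggests, the translation follows whichever task is running when the packet is matched rather than the namespace in which the rule was written. Since the rule table lives in the container's netns, `sock_net(skb->sk)->user_ns` (skb->sk is already dereferenced earlier in this function) is a context-independent choice that also covers the VE-cgroup corner case the commit message concedes, and it is, as far as I recall, what later upstream xt_owner uses. Whichever namespace is chosen, the rule-insertion hook owner_check (outside these hunks) should validate the ids against that same namespace so that what is accepted at insertion is what is compared here. The same replacement appears in the owner_mt6_v0 hunk and in both owner_mt hunks below. owner_mt_v0's body starts before this hunk.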
@@ -61,14 +61,14 @@ owner_mt6_v0(const struct sk_buff *skb, struct xt_action_param *par)
 		return false;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid = make_kuid(&init_user_ns, info->uid);
+		kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
 		if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
 		    !!(info->invert & XT_OWNER_UID))
 			return false;
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid = make_kgid(&init_user_ns, info->gid);
+		kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
 		if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
 		    !!(info->invert & XT_OWNER_GID))
 			return false;
@@ -109,8 +109,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
 
 	if (info->match & XT_OWNER_UID) {
-		kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
-		kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+		kuid_t uid_min = make_kuid(ve_init_user_ns(), info->uid_min);
+		kuid_t uid_max = make_kuid(ve_init_user_ns(), info->uid_max);
 		if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
 		     uid_lte(filp->f_cred->fsuid, uid_max)) ^
 		    !(info->invert & XT_OWNER_UID))
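Review bot: An id that is not mapped in the namespace returned by ve_init_user_ns() makes make_kuid() return INVALID_UID, whose raw value is the largest uid_t, so on the uid_min/uid_max lines here an unmapped upper bound silently widens the range to `uid_min..0xffffffff` and the rule matches every socket whose kernel uid is at or above uid_min, including sockets owned outside the container's mapping; an unmapped lower bound never matches, and with --invert both effects flip. Nothing in this patch rejects either case, so either add `if (!uid_valid(uid_min) || !uid_valid(uid_max)) return false;` after the two make_kuid() calls (and the gid_valid() equivalent in the gid hunk below), or preferably refuse such rules at insertion in owner_check (outside these hunks) with uid_valid()/gid_valid() checks. The two v0 hunks above are affected as well, though there an unmapped id only fails to match instead of over-matching. owner_mt's body starts before and continues after this hunk.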
@@ -118,8 +118,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	}
 
 	if (info->match & XT_OWNER_GID) {
-		kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
-		kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+		kgid_t gid_min = make_kgid(ve_init_user_ns(), info->gid_min);
+		kgid_t gid_max = make_kgid(ve_init_user_ns(), info->gid_max);
 		if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
 		     gid_lte(filp->f_cred->fsgid, gid_max)) ^
 		    !(info->invert & XT_OWNER_GID))

