| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Dec 2013 12:18:22 +0100
From: Valentina Giusti <valentina.giusti@...-carit.de>
To: Pablo Neira Ayuso <pablo@...filter.org>
CC: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
fw@...len.de, eric.dumazet@...il.com, tgraf@...hat.com,
jpa@...gle.com, davem@...emloft.net, daniel.wagner@...-carit.de
Subject: Re: [PATCH v2 1/2] netfilter_queue: enable UID/GID socket info retrieval
Hi,
On 12/20/2013 10:29 AM, Pablo Neira Ayuso wrote:
> On Fri, Dec 20, 2013 at 10:26:38AM +0100, Pablo Neira Ayuso wrote:
>> Hi,
>>
>> On Thu, Dec 19, 2013 at 12:03:26PM +0100, valentina.giusti@...-carit.de wrote:
>>> From: Valentina Giusti <valentina.giusti@....bmw-carit.de>
>>>
>>> Thanks to commits 41063e9 (ipv4: Early TCP socket demux) and 421b388 (udp: ipv4:
>>> Add udp early demux) it is now possible to parse UID and GID socket info
>>> also for incoming TCP and UDP connections. Having this info available, it
>>> is convenient to let NFQUEUE parse it in order to improve and refine the
>>> traffic analysis in userspace.
>>>
>>> Signed-off-by: Valentina Giusti <valentina.giusti@...-carit.de>
>>> ---
>>> include/uapi/linux/netfilter/nfnetlink_queue.h | 5 ++++-
>>> net/netfilter/nfnetlink_queue_core.c | 31 ++++++++++++++++++++++++++
>>> 2 files changed, 35 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
>>> index 0132bad..8dd819e 100644
>>> --- a/include/uapi/linux/netfilter/nfnetlink_queue.h
>>> +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
>>> @@ -47,6 +47,8 @@ enum nfqnl_attr_type {
>>> NFQA_CAP_LEN, /* __u32 length of captured packet */
>>> NFQA_SKB_INFO, /* __u32 skb meta information */
>>> NFQA_EXP, /* nf_conntrack_netlink.h */
>>> + NFQA_UID, /* __u32 sk uid */
>>> + NFQA_GID, /* __u32 sk gid */
>>>
>>> __NFQA_MAX
>>> };
>>> @@ -99,7 +101,8 @@ enum nfqnl_attr_config {
>>> #define NFQA_CFG_F_FAIL_OPEN (1 << 0)
>>> #define NFQA_CFG_F_CONNTRACK (1 << 1)
>>> #define NFQA_CFG_F_GSO (1 << 2)
>>> -#define NFQA_CFG_F_MAX (1 << 3)
>>> +#define NFQA_CFG_F_UID_GID (1 << 3)
>>> +#define NFQA_CFG_F_MAX (1 << 4)
>>>
>>> /* flags for NFQA_SKB_INFO */
>>> /* packet appears to have wrong checksums, but they are ok */
>>> diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
>>> index 21258cf..2cdef07 100644
>>> --- a/net/netfilter/nfnetlink_queue_core.c
>>> +++ b/net/netfilter/nfnetlink_queue_core.c
>>> @@ -297,6 +297,29 @@ nfqnl_put_packet_info(struct sk_buff *nlskb, struct sk_buff *packet,
>>> return flags ? nla_put_be32(nlskb, NFQA_SKB_INFO, htonl(flags)) : 0;
>>> }
>>>
>>> +static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
>>> +{
>>> + const struct cred *cred;
>>> +
>>> + if (sk && sk->sk_state != TCP_TIME_WAIT) {
>>> + read_lock_bh(&sk->sk_callback_lock);
>>> + if (sk->sk_socket && sk->sk_socket->file) {
>>> + cred = sk->sk_socket->file->f_cred;
>>> + if (nla_put_u32(skb, NFQA_UID, htonl(cred->fsuid)))
>> I'm hitting this compilation error here:
>>
>> net/netfilter/nfnetlink_queue_core.c: In function ‘nfqnl_put_sk_uidgid’:
>> net/netfilter/nfnetlink_queue_core.c:308:4: error: aggregate value used where an integer was expected
>>
>> It seems that in recent kernels you have to use:
>>
>> from_kuid_munged(&init_user_ns, cred->fsuid);
>>
>> to retrieve the integer that represents the uid.
>>
>> Please,
> sorry, I left this sentence incomplete, I was telling... Please, test
> your patches with current git trees :-). Thanks.
Just to be on the safe side, I am testing my patches against the nf-next
tree, branch master. Is that correct?
Thanks,
Val
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists