lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 21 Dec 2013 12:38:04 +0100 From: Pablo Neira Ayuso <pablo@...filter.org> To: valentina.giusti@...-carit.de Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, jpa@...gle.com, fw@...nel.de, daniel.wagner@...-carit.de Subject: Re: [PATCH v4 2/2] libnetfilter_queue: add support for UID/GID socket info Hi, On Fri, Dec 20, 2013 at 05:28:54PM +0100, valentina.giusti@...-carit.de wrote: [...] > diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h > index 81a485b..884ab0e 100644 > --- a/include/libnetfilter_queue/linux_nfnetlink_queue.h > +++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h > @@ -50,6 +50,8 @@ enum nfqnl_attr_type { > NFQA_CAP_LEN, /* __u32 length of captured packet */ > NFQA_SKB_INFO, /* __u32 skb meta information */ > > + NFQA_UID, /* __u32 sk uid */ > + NFQA_GID, /* __u32 sk gid */ This update is wrong. See below the reason why. > __NFQA_MAX > }; > #define NFQA_MAX (__NFQA_MAX - 1) > @@ -101,7 +103,8 @@ enum nfqnl_attr_config { > #define NFQA_CFG_F_FAIL_OPEN (1 << 0) > #define NFQA_CFG_F_CONNTRACK (1 << 1) > #define NFQA_CFG_F_GSO (1 << 2) > -#define NFQA_CFG_F_MAX (1 << 3) > +#define NFQA_CFG_F_UID_GID (1 << 3) > +#define NFQA_CFG_F_MAX (1 << 4) > > /* flags for NFQA_SKB_INFO */ > /* packet appears to have wrong checksums, but they are ok */ > diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h > index a2308ae..22f5d45 100644 > --- a/include/linux/netfilter/nfnetlink_queue.h > +++ b/include/linux/netfilter/nfnetlink_queue.h > @@ -46,6 +46,9 @@ enum nfqnl_attr_type { > NFQA_CT_INFO, /* enum ip_conntrack_info */ > NFQA_CAP_LEN, /* __u32 length of captured packet */ > NFQA_SKB_INFO, /* __u32 skb meta information */ > + NFQA_EXP, /* nf_conntrack_netlink.h */ > + NFQA_UID, /* __u32 sk uid */ > + NFQA_GID, /* __u32 sk gid */ You have manually updated libnetfilter_queue/linux_nfnetlink_queue.h, but you forgot to include NFQA_EXP. The result is that your nfq_get_uid() returns the NFQA_EXP attribute and nfq_get_gid() returns the NFQA_UID attribute. You should have noticed it with a simple run of utils/nfqnl_test run and a couple of printf to test it. I'm afraid that you're not giving sufficient testing to your patches. Fix it and resubmit, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists