lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 May 2019 07:58:25 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: Lukasz Pawelczyk <l.pawelczyk@...sung.com>, Pablo Neira Ayuso <pablo@...filter.org>, Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>, Florian Westphal <fw@...len.de>, "David S. Miller" <davem@...emloft.net>, netfilter-devel@...r.kernel.org, coreteam@...filter.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Cc: Lukasz Pawelczyk <havner@...il.com> Subject: Re: [PATCH v2] netfilter: xt_owner: Add supplementary groups option On 5/8/19 10:12 AM, Lukasz Pawelczyk wrote: > The XT_SUPPL_GROUPS flag causes GIDs specified with XT_OWNER_GID to > be also checked in the supplementary groups of a process. > > Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@...sung.com> > --- > include/uapi/linux/netfilter/xt_owner.h | 1 + > net/netfilter/xt_owner.c | 23 ++++++++++++++++++++--- > 2 files changed, 21 insertions(+), 3 deletions(-) > > diff --git a/include/uapi/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h > index fa3ad84957d5..d646f0dc3466 100644 > --- a/include/uapi/linux/netfilter/xt_owner.h > +++ b/include/uapi/linux/netfilter/xt_owner.h > @@ -8,6 +8,7 @@ enum { > XT_OWNER_UID = 1 << 0, > XT_OWNER_GID = 1 << 1, > XT_OWNER_SOCKET = 1 << 2, > + XT_SUPPL_GROUPS = 1 << 3, > }; > > struct xt_owner_match_info { > diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c > index 46686fb73784..283a1fb5cc52 100644 > --- a/net/netfilter/xt_owner.c > +++ b/net/netfilter/xt_owner.c > @@ -91,11 +91,28 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par) > } > > if (info->match & XT_OWNER_GID) { > + unsigned int i, match = false; > kgid_t gid_min = make_kgid(net->user_ns, info->gid_min); > kgid_t gid_max = make_kgid(net->user_ns, info->gid_max); > - if ((gid_gte(filp->f_cred->fsgid, gid_min) && > - gid_lte(filp->f_cred->fsgid, gid_max)) ^ > - !(info->invert & XT_OWNER_GID)) > + struct group_info *gi = filp->f_cred->group_info; > + > + if (gid_gte(filp->f_cred->fsgid, gid_min) && > + gid_lte(filp->f_cred->fsgid, gid_max)) > + match = true; > + > + if (!match && (info->match & XT_SUPPL_GROUPS) && gi) { > + for (i = 0; i < gi->ngroups; ++i) { > + kgid_t group = gi->gid[i]; > + > + if (gid_gte(group, gid_min) && > + gid_lte(group, gid_max)) { > + match = true; > + break; > + } > + } > + } > + > + if (match ^ !(info->invert & XT_OWNER_GID)) > return false; > } > > How can this be safe on SMP ?
Powered by blists - more mailing lists