[QUESTION] Packet uid for kernel-generated multicast

[QUESTION] Packet uid for kernel-generated multicast

[Andrew Fenton]

Certain multicast-related system calls such as setsockopt with options
IP_ADD_MEMBERSHIP, IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP result in outgoing
kernel-generated packets that don't have an associated uid.

Not having the packet uid set to the uid of the system caller makes it
difficult to use netfilter to ensure a specific uid can't send any traffic out
a particular interface. It is possible to use network namespaces or system call
filtering, but neither of these options are feasible for us working on top of 
Android Open Source Project.

If we submit a patch that adds a kernel configuration for setting the packet uid
to the uid that made the system call, would this get merged? Or is this not a
viable approach?

Re: [QUESTION] Packet uid for kernel-generated multicast

[Andrew Lunn]

On Tue, Jun 02, 2026 at 02:00:33PM -0400, Andrew Fenton wrote:
> Certain multicast-related system calls such as setsockopt with options
> IP_ADD_MEMBERSHIP, IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP result in outgoing
> kernel-generated packets that don't have an associated uid.

Just to be sure i understand your question. You mean the user ID of
the process joining a multicast group?

I don't actually think it is a 1:1 mapping. Multiple different users
can join the same multicast group. The kernel, i think, just joins the
group once, independent of how many userspace processes joined it. The
kernel will also answer query requests autonomously, and i doubt that
is directly associated to a process, just that some user(s) have
joined the group.

     Andrew