* [PATCH] socket gid and socket uid
@ 2022-04-20 18:55 Topi Miettinen
From: Topi Miettinen @ 2022-04-20 18:55 UTC (permalink / raw)
To: netfilter-devel; +Cc: Topi Miettinen
Add socket expressions for checking GID or UID of the originating
socket. These also work on the input side, unlike meta skuid/skgid.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
doc/primary-expression.txt | 8 +++++++-
include/linux/netfilter/nf_tables.h | 4 ++++
src/parser_bison.y | 4 ++++
src/parser_json.c | 4 ++++
src/scanner.l | 2 ++
src/socket.c | 12 ++++++++++++
6 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index f97778b9..70991208 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -195,7 +195,7 @@ raw prerouting meta ipsec exists accept
SOCKET EXPRESSION
~~~~~~~~~~~~~~~~~
[verse]
-*socket* {*transparent* | *mark* | *wildcard*}
+*socket* {*transparent* | *mark* | *wildcard* | *gid* | *uid* }
*socket* *cgroupv2* *level* 'NUM'
Socket expression can be used to search for an existing open TCP/UDP socket and
@@ -219,6 +219,12 @@ boolean (1 bit)
|cgroupv2|
cgroup version 2 for this socket (path from /sys/fs/cgroup)|
cgroupv2
+|gid|
+GID associated with originating socket|
+gid
+|uid|
+UID associated with originating socket|
+uid
|==================
.Using socket expression
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 75df968d..ba0415e5 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1029,12 +1029,16 @@ enum nft_socket_attributes {
* @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
* @NFT_SOCKET_MARK: Value of the socket mark
* @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
+ * @NFT_SOCKET_GID: Match on GID of socket owner
+ * @NFT_SOCKET_GID: Match on UID of socket owner
*/
enum nft_socket_keys {
NFT_SOCKET_TRANSPARENT,
NFT_SOCKET_MARK,
NFT_SOCKET_WILDCARD,
NFT_SOCKET_CGROUPV2,
+ NFT_SOCKET_GID,
+ NFT_SOCKET_UID,
__NFT_SOCKET_MAX
};
#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)
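Review bot: The kernel-doc block documents `@NFT_SOCKET_GID` twice and never `@NFT_SOCKET_UID`; the second added tag should read `* @NFT_SOCKET_UID: Match on UID of socket owner`. Since this header is the userspace mirror of the kernel uapi enum, the numeric values assigned to NFT_SOCKET_GID and NFT_SOCKET_UID here must be the ones the kernel side assigns, and the patch does not name the kernel change it pairs with — presumably it exists, but a reference in the description would let reviewers confirm the two enums stay aligned.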
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ca5c488c..7ad5d8dc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -232,6 +232,8 @@ int nft_lex(void *, void *, void *);
%token TRANSPARENT "transparent"
%token WILDCARD "wildcard"
%token CGROUPV2 "cgroupv2"
+%token GID "gid"
+%token UID "uid"
%token TPROXY "tproxy"
@@ -5046,6 +5048,8 @@ socket_expr : SOCKET socket_key close_scope_socket
socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
| MARK { $$ = NFT_SOCKET_MARK; }
| WILDCARD { $$ = NFT_SOCKET_WILDCARD; }
+ | GID { $$ = NFT_SOCKET_GID; }
+ | UID { $$ = NFT_SOCKET_UID; }
;
offset_opt : /* empty */ { $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index fb401009..a69d695a 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -421,6 +421,10 @@ static struct expr *json_parse_socket_expr(struct json_ctx *ctx,
keyval = NFT_SOCKET_MARK;
else if (!strcmp(key, "wildcard"))
keyval = NFT_SOCKET_WILDCARD;
+ else if (!strcmp(key, "gid"))
+ keyval = NFT_SOCKET_GID;
+ else if (!strcmp(key, "uid"))
+ keyval = NFT_SOCKET_UID;
if (keyval == -1) {
json_error(ctx, "Invalid socket key value.");
diff --git a/src/scanner.l b/src/scanner.l
index 2154281e..bd2841af 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -330,6 +330,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"wildcard" { return WILDCARD; }
"cgroupv2" { return CGROUPV2; }
"level" { return LEVEL; }
+ "gid" { return GID; }
+ "uid" { return UID; }
}
"tproxy" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_TPROXY); return TPROXY; }
diff --git a/src/socket.c b/src/socket.c
index eb075153..7cfdd066 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -38,6 +38,18 @@ const struct socket_template socket_templates[] = {
.len = 8 * BITS_PER_BYTE,
.byteorder = BYTEORDER_HOST_ENDIAN,
},
+ [NFT_SOCKET_GID] = {
+ .token = "gid",
+ .dtype = &gid_type,
+ .len = 4 * BITS_PER_BYTE,
+ .byteorder = BYTEORDER_HOST_ENDIAN,
+ },
+ [NFT_SOCKET_UID] = {
+ .token = "uid",
+ .dtype = &uid_type,
+ .len = 4 * BITS_PER_BYTE,
+ .byteorder = BYTEORDER_HOST_ENDIAN,
+ },
};
static void socket_expr_print(const struct expr *expr, struct output_ctx *octx)
base-commit: d1289bff58e1878c3162f574c603da993e29b113
--
2.35.1