From: "Maciej Żenczykowski" <zenczykowski@gmail.com>
To: Jan Engelhardt <jengelh@inai.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>, Linux Network Development Mailing List <netdev@vger.kernel.org>, Netfilter Development Mailing List <netfilter-devel@vger.kernel.org>, Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [PATCH netfilter] netfilter: xt_owner: use sk->sk_uid for owner lookup
Date: Thu, 23 Dec 2021 10:36:38 -0800
Message-ID: <CANP3RGct11+Cu0z-ksEMcpQGyFp5Ek-99+z6qEFc1FFh0xUt7Q@mail.gmail.com>
In-Reply-To: <1nrqq669-2r5o-qq5o-207r-p6pnr614s769@vanv.qr>

On Thu, Dec 23, 2021 at 2:35 AM Jan Engelhardt <jengelh@inai.de> wrote:
> On Thursday 2021-12-23 08:06, Maciej Żenczykowski wrote:
>
> >diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
> >index e85ce69924ae..3eebd9c7ea4b 100644
> >--- a/net/netfilter/xt_owner.c
> >+++ b/net/netfilter/xt_owner.c
> >@@ -84,8 +84,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
> > if (info->match & XT_OWNER_UID) {
> > kuid_t uid_min = make_kuid(net->user_ns, info->uid_min);
> > kuid_t uid_max = make_kuid(net->user_ns, info->uid_max);
> >- if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
> >- uid_lte(filp->f_cred->fsuid, uid_max)) ^
> >+ if ((uid_gte(sk->sk_uid, uid_min) &&
> >+ uid_lte(sk->sk_uid, uid_max)) ^
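Review bot: the switch from filp->f_cred->fsuid to sk->sk_uid in the XT_OWNER_UID branch changes which credential the match answers from, and nothing in the hunk documents that: f_cred belongs to the open file and sk_uid is a per-socket field that can be altered on its own (the thread mentions fchown() on the socket), so existing --uid-owner rules can start matching different traffic after this change. Suggest stating the behaviour change and its compatibility impact in the commit message, confirming that the surrounding code (not visible here) has already established that sk is non-NULL before this dereference, and checking whether the XT_OWNER_GID branch, which this hunk does not touch, still reads filp->f_cred; if it does, --uid-owner and --gid-owner in one rule would answer from two different credential sources.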
>
> I have a "déjà rencontré" moment about these lines...
>
> filp->f_cred->fsuid should be the EUID which performed the access (after
> peeling away the setfsuid(2) logic...), and sk_uid has a value that the
> original author of ipt_owner did not find useful. I think that was the
> motivation. listen(80) then drop privileges by set(e)uid. sk_uid would be 0,
> and thus not useful.

Ugh! Well, that's certainly interesting to hear...

There's like 6 different uids associated with a socket (sk_uid, inode uid, f_cred->uid/euid/suid/fsuid) - and I guess it might also matter whether we're talking about at socket() [or accept()] creation time, or currently... it's a mess. [and 5 gids + supplemental groups]

I'm not really certain which of these have which meaning. I don't really understand the meaning of filp->f_cred.

I guess it's back to the drawing board. The Android DNS resolver uses fchown() on the dns sockets it creates to 'impersonate' the clients on whose behalf it's doing dns queries.

This works for bpf, because: bpf_get_socket_uid(skb) returns (roughly) skb->sk->sk_uid [and there's simply no bpf helper that deals with gids] but this of course results in -m owner --uid-owner seeing root while bpf sees something else.

I wonder if the solution is to add -m owner --sk-uid X (or --socket-uid) syntax instead... ?!?

I'm not sure if it would be safe (or even desirable) to get fchown() to modify the existing f_cred->fsuid field...
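The mismatch described above, as an added example that is not part of this thread or of the kernel tree: a small C program that creates a socket, reads the owner uid the kernel records on the socket inode (the value sk->sk_uid is initialised from at socket creation, and the value that fchown() on the socket fd rewrites), and compares it with the calling process's own euid. The function names (make_udp_socket, socket_inode_uid, reown_socket, owner_differs_from_process) are mine, and the optional re-owning step assumes the caller holds CAP_CHOWN when the target uid differs from the current owner. A socket whose recorded owner differs from the process's credentials is exactly the case in which a socket-uid based match (bpf_get_socket_uid) and a process-credential based match (--uid-owner via f_cred) give different answers.

```c
/* Added example, not from the thread or the kernel tree.
 * Shows the per-socket owner uid (what fchown() on a socket fd changes and
 * what sk->sk_uid is initialised from) next to the process euid, which
 * fchown() leaves alone.  Build: cc -Wall -o sockuid sockuid.c
 * Run: ./sockuid            (print the two uids)
 *      ./sockuid <uid>      (also try to re-own the socket; needs CAP_CHOWN) */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create an unbound IPv4 UDP socket; returns the fd or -1 on failure. */
int make_udp_socket(void)
{
    return socket(AF_INET, SOCK_DGRAM, 0);
}

/* Owner uid recorded on the socket inode, as fstat() reports it for a
 * socket fd.  Returns (uid_t)-1 on error (e.g. a bad fd). */
uid_t socket_inode_uid(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return (uid_t)-1;
    return st.st_uid;
}

/* Re-own the socket the way the thread says the Android resolver does.
 * Returns 0 on success or -errno.  Handing the socket to a different uid
 * requires CAP_CHOWN; re-owning to the current owner is permitted for the
 * owner itself. */
int reown_socket(int fd, uid_t uid)
{
    if (fchown(fd, uid, (gid_t)-1) != 0)
        return -errno;
    return 0;
}

/* 1 if the socket's recorded owner differs from the calling process's euid,
 * i.e. the state in which a socket-uid match and a process-credential match
 * would disagree about the same traffic; 0 otherwise or on error. */
int owner_differs_from_process(int fd)
{
    uid_t sock_uid = socket_inode_uid(fd);

    return sock_uid != (uid_t)-1 && sock_uid != geteuid();
}

int main(int argc, char **argv)
{
    int fd = make_udp_socket();

    if (fd < 0) {
        perror("socket");
        return 1;
    }
    printf("process euid=%u, socket owner uid=%u\n",
           (unsigned)geteuid(), (unsigned)socket_inode_uid(fd));

    if (argc > 1) {
        /* Optional: try to hand the socket to another uid (needs CAP_CHOWN). */
        uid_t target = (uid_t)strtoul(argv[1], NULL, 10);
        int rc = reown_socket(fd, target);

        if (rc)
            printf("fchown to %u failed: %s\n", (unsigned)target, strerror(-rc));
        else
            printf("after fchown: socket owner uid=%u, process euid=%u (unchanged), differs=%d\n",
                   (unsigned)socket_inode_uid(fd), (unsigned)geteuid(),
                   owner_differs_from_process(fd));
    }
    close(fd);
    return 0;
}
```

Run without arguments, the program shows the two uids agreeing for a freshly created socket. Run with CAP_CHOWN and a different uid as the argument, the socket owner changes while the process euid does not, which is the state the thread is discussing: the socket-side value and the process-credential-side value have diverged, and any owner match must pick one of them deliberately.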

Thread overview:
2021-12-23 7:06 [PATCH netfilter] netfilter: xt_owner: use sk->sk_uid for owner lookup Maciej Żenczykowski
2021-12-23 10:35 ` Jan Engelhardt
2021-12-23 18:36 ` Maciej Żenczykowski [this message]