Any chance that this will get rolled in to 1.29?

This could be very useful when you have a back-end network that you do not want vservers to have access to...

Grisha


On Fri, 30 Jul 2004, Herbert Poetzl wrote:

On Fri, Jul 30, 2004 at 04:28:02PM +0200, Pavel Semerad wrote:

Hello, I have been using a patch for vserver (now 1.2.28) for a long time which adds to ipt_owner the possibility to match the vx_id of the socket owner. I am using it to restrict where services in security contexts can connect to (so when somebody breaks into a service, he cannot connect to other computers). It can be useful for others too, so I am sending it.

Usage:
iptables -m owner --ctx-owner 0 ...


interesting ... are you the author of this patch?

why not join the irc channel (#vserver @ irc.oftc.net)
and chat a little about the future implementations
(ngn) and how this could/should be integrated ...

thanks,
Herbert

Pavel Semerad

Patch to 2.4.26 kernel with 1.2.28 vserver:

--- ./net/ipv4/netfilter/ipt_owner.c.vs-iptables        2004-07-29 15:06:37.000000000 
+0200
+++ ./net/ipv4/netfilter/ipt_owner.c    2004-07-30 15:27:10.000000000 +0200
@@ -152,8 +152,14 @@ match(const struct sk_buff *skb,
                }
        }

-       if (!sk || !sk->socket || !sk->socket->file)
+       if (!sk || !sk->socket || !sk->socket->file) {
+               if (info->match == IPT_OWNER_VS && sk && sk->socket)
+                       /* perhaps kernel thread -> use vx_id -1 */
+                       if((-1 == info->vx_id) ^
+                           !!(info->invert & IPT_OWNER_VS))
+                               ret = 1;
                goto out;
+       }

        if(info->match & IPT_OWNER_UID) {
                if((sk->socket->file->f_uid != info->uid) ^
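Review bot: The new early-exit branch treats a fileless socket as context -1 only when `sk->socket` is non-NULL, so a packet that carries an `sk` without `sk->socket` (an orphaned sock, if the 2.4 output path can present one here — worth confirming) falls straight to `goto out` with `ret` unchanged and never matches even an inverted `--ctx-owner` rule. Since the second hunk reads `sk->vx_id` from the sock itself, the branch could consult that field whenever `sk` is present instead of assuming -1, provided `vx_id` is initialised for such socks. The equality test `info->match == IPT_OWNER_VS` also means a rule that combines `--ctx-owner` with another owner criterion skips this path; if that is intended, the comment should say so, e.g. `/* socket without an owning file (kernel thread?): only a pure ctx rule can match it, as context -1 */`. The two nested unbraced `if`s would be easier to audit as `if (info->match == IPT_OWNER_VS && sk && sk->socket) { ... }`. `match` begins and ends outside this hunk.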
@@ -185,6 +191,12 @@ match(const struct sk_buff *skb,
                        goto out;
        }

+       if(info->match & IPT_OWNER_VS) {
+               if((sk->vx_id != info->vx_id) ^
+                   !!(info->invert & IPT_OWNER_VS))
+                       goto out;
+       }
+
        ret = 1;

 out:
--- ./include/linux/netfilter_ipv4/ipt_owner.h.vs-iptables      2002-11-29 
00:53:15.000000000 +0100
+++ ./include/linux/netfilter_ipv4/ipt_owner.h  2004-07-29 15:11:28.000000000 +0200
@@ -7,6 +7,7 @@
 #define IPT_OWNER_PID  0x04
 #define IPT_OWNER_SID  0x08
 #define IPT_OWNER_COMM 0x10
+#define IPT_OWNER_VS   0x80

 struct ipt_owner_info {
     uid_t uid;
@@ -14,6 +15,7 @@ struct ipt_owner_info {
     pid_t pid;
     pid_t sid;
     char comm[16];
+    int vx_id;
     u_int8_t match, invert;    /* flags */
 };



And patch to iptables:

--- ./extensions/libipt_owner.c.ps      2003-01-06 13:40:33.000000000 +0100
+++ ./extensions/libipt_owner.c 2003-06-04 14:24:55.000000000 +0200
@@ -22,6 +22,7 @@ help(void)
 "[!] --pid-owner processid  Match local pid\n"
 "[!] --sid-owner sessionid  Match local sid\n"
 "[!] --cmd-owner name       Match local command name\n"
+"[!] --ctx-owner ctx        Match local security context\n"
 "\n",
 IPTABLES_VERSION);
 #else
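Review bot: The help line documents `--ctx-owner ctx` only as "Match local security context", but the kernel hunk gives the value -1 a special meaning (sockets that have no owning file, which the kernel comment tentatively calls kernel threads); neither this help block nor the `#else` one in the next hunk tells the user. Suggest `"[!] --ctx-owner ctx        Match local security context (-1: no owner)\n"` in both places, keeping the column alignment of the surrounding lines.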
@@ -31,6 +32,7 @@ IPTABLES_VERSION);
 "[!] --gid-owner groupid    Match local gid\n"
 "[!] --pid-owner processid  Match local pid\n"
 "[!] --sid-owner sessionid  Match local sid\n"
+"[!] --ctx-owner ctx        Match local security context\n"
 "\n",
 IPTABLES_VERSION);
 #endif /* IPT_OWNER_COMM */
@@ -44,6 +46,7 @@ static struct option opts[] = {
 #ifdef IPT_OWNER_COMM
        { "cmd-owner", 1, 0, '5' },
 #endif
+       { "ctx-owner", 1, 0, '6' },
        {0}
 };

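Review bot: The new `ctx-owner` option entry is compiled unconditionally, while the sibling `cmd-owner` entry directly above it is guarded by `#ifdef IPT_OWNER_COMM`; against a kernel header without the vserver patch, `IPT_OWNER_VS` and `vx_id` are undefined and the extension no longer builds. The same applies to the help text, the `case '6'` in `parse`, the `case IPT_OWNER_VS` in `print_item`, and the `print_item` calls in `print` and `save` in the later hunks of this file. Wrapping each of those additions in `#ifdef IPT_OWNER_VS` ... `#endif`, following the existing pattern, keeps the extension buildable on both headers.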
@@ -136,6 +139,17 @@ parse(int c, char **argv, int invert, un
                break;
 #endif

+       case '6':
+               check_inverse(optarg, &invert, &optind, 0);
+               ownerinfo->vx_id = strtoul(optarg, &end, 0);
+               if (*end != '\0' || end == optarg)
+                       exit_error(PARAMETER_PROBLEM, "Bad OWNER CTX value `%s'", 
optarg);
+               if (invert)
+                       ownerinfo->invert |= IPT_OWNER_VS;
+               ownerinfo->match |= IPT_OWNER_VS;
+               *flags = 1;
+               break;
+
        default:
                return 0;
        }
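Review bot: `ownerinfo->vx_id = strtoul(optarg, &end, 0)` stores an unsigned long into an `int` with no range check, so out-of-range input silently wraps — `--ctx-owner 4294967295` becomes -1, which the kernel side treats as the "no owning file" sentinel — and `strtoul` also accepts a leading minus sign without complaint. Parsing with `strtol`, checking `errno`/`ERANGE` and the `int` range, and allowing -1 as the only negative value makes the accepted input explicit; `<errno.h>` and `<limits.h>` are needed if the file does not already include them. `end` is assumed to be declared earlier in `parse`, whose body starts and ends outside this hunk.
```c
	case '6':
		check_inverse(optarg, &invert, &optind, 0);
		errno = 0;
		ctx = strtol(optarg, &end, 0);   /* long ctx; declared with the other locals of parse */
		if (*end != '\0' || end == optarg || errno == ERANGE
		    || ctx < -1 || ctx > INT_MAX)
			exit_error(PARAMETER_PROBLEM, "Bad OWNER CTX value `%s'", optarg);
		ownerinfo->vx_id = (int)ctx;
		/* … unchanged: invert / match / *flags handling … */
		break;
```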
@@ -188,6 +202,9 @@ print_item(struct ipt_owner_info *info,
                        printf("%.*s ", (int)sizeof(info->comm), info->comm);
                        break;
 #endif
+               case IPT_OWNER_VS:
+                       printf("%d ", info->vx_id);
+                       break;
                default:
                        break;
                }
@@ -218,6 +235,7 @@ print(const struct ipt_ip *ip,
 #ifdef IPT_OWNER_COMM
        print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
 #endif
+       print_item(info, IPT_OWNER_VS, numeric, "OWNER CTX match ");
 }

 /* Saves the union ipt_matchinfo in parsable form to stdout. */
@@ -233,6 +251,7 @@ save(const struct ipt_ip *ip, const stru
 #ifdef IPT_OWNER_COMM
        print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
 #endif
+       print_item(info, IPT_OWNER_VS, 0, "--ctx-owner ");
 }

 static