
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 30 Jul 2004 - 16:29:44 BST


On Fri, Jul 30, 2004 at 04:28:02PM +0200, Pavel Semerad wrote:
>
> Hello,
> I have been using a patch for vserver (now 1.2.28) for a long time, which
> adds to ipt_owner the possibility to match the vx_id of the socket owner. I am using it
> to restrict where services in security contexts can connect to (so when
> somebody breaks into a service, he cannot connect to other computers).
> It can be useful for others as well, so I am sending it.
>
> Usage:
> iptables -m owner --ctx-owner 0 ...
>

interesting ... are you the author of this patch?

why not join the irc channel (#vserver @ irc.oftc.net)
and chat a little about the future implementations
(ngn) and how this could/should be integrated ...

thanks,
Herbert

> Pavel Semerad
>
> Patch to 2.4.26 kernel with 1.2.28 vserver:
>
> --- ./net/ipv4/netfilter/ipt_owner.c.vs-iptables 2004-07-29 15:06:37.000000000 +0200
> +++ ./net/ipv4/netfilter/ipt_owner.c 2004-07-30 15:27:10.000000000 +0200
> @@ -152,8 +152,14 @@ match(const struct sk_buff *skb,
> }
> }
>
> - if (!sk || !sk->socket || !sk->socket->file)
> + if (!sk || !sk->socket || !sk->socket->file) {
> + if (info->match == IPT_OWNER_VS && sk && sk->socket)
> + /* perhaps kernel thread -> use vx_id -1 */
> + if((-1 == info->vx_id) ^
> + !!(info->invert & IPT_OWNER_VS))
> + ret = 1;
> goto out;
> + }
>
> if(info->match & IPT_OWNER_UID) {
> if((sk->socket->file->f_uid != info->uid) ^
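Review bot: The new file-less branch assumes a socket without a file is a kernel thread and compares `info->vx_id` against the literal `-1`, even though `sk` is non-NULL there and `sk->vx_id` is available; if any socket that reaches this branch can belong to a guest context (the hunk does not show which states get here), a deny rule written against that context's id would not match it, so comparing `sk->vx_id` whenever `sk` is present and reserving `-1` for the `!sk` case would be the more conservative choice. The branch also tests `info->match == IPT_OWNER_VS` while the second hunk tests `info->match & IPT_OWNER_VS`; if equality is intended (apply the kernel-thread rule only when no uid/gid/pid criterion is requested, since those cannot be evaluated without a file), a comment such as `/* only when VS is the sole criterion: uid/gid/pid/sid need sk->socket->file */` would make that explicit. The inner `if` is nested under a brace-less outer `if`; bracing both would avoid dangling-else surprises when this block is edited again. `match()` begins and ends outside this hunk.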
> @@ -185,6 +191,12 @@ match(const struct sk_buff *skb,
> goto out;
> }
>
> + if(info->match & IPT_OWNER_VS) {
> + if((sk->vx_id != info->vx_id) ^
> + !!(info->invert & IPT_OWNER_VS))
> + goto out;
> + }
> +
> ret = 1;
>
> out:
> --- ./include/linux/netfilter_ipv4/ipt_owner.h.vs-iptables 2002-11-29 00:53:15.000000000 +0100
> +++ ./include/linux/netfilter_ipv4/ipt_owner.h 2004-07-29 15:11:28.000000000 +0200
> @@ -7,6 +7,7 @@
> #define IPT_OWNER_PID 0x04
> #define IPT_OWNER_SID 0x08
> #define IPT_OWNER_COMM 0x10
> +#define IPT_OWNER_VS 0x80
>
> struct ipt_owner_info {
> uid_t uid;
> @@ -14,6 +15,7 @@ struct ipt_owner_info {
> pid_t pid;
> pid_t sid;
> char comm[16];
> + int vx_id;
> u_int8_t match, invert; /* flags */
> };
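Review bot: `int vx_id;` is added to `struct ipt_owner_info` without a comment, and this struct is shared by the kernel match and libipt_owner, so its size and layout are part of the match ABI; kernel and iptables must be built from the same header, and the kernel side presumably verifies the match size (that check is outside this patch). A comment documenting the sentinel the kernel hunk relies on would help, e.g. `int vx_id; /* vserver context id; -1 matches sockets without an owning file, see match() */`. It is worth confirming that `int` is the same type as `sk->vx_id`, since the kernel hunk compares them directly.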
>
>
>
> And patch to iptables:
>
> --- ./extensions/libipt_owner.c.ps 2003-01-06 13:40:33.000000000 +0100
> +++ ./extensions/libipt_owner.c 2003-06-04 14:24:55.000000000 +0200
> @@ -22,6 +22,7 @@ help(void)
> "[!] --pid-owner processid Match local pid\n"
> "[!] --sid-owner sessionid Match local sid\n"
> "[!] --cmd-owner name Match local command name\n"
> +"[!] --ctx-owner ctx Match local security context\n"
> "\n",
> IPTABLES_VERSION);
> #else
> @@ -31,6 +32,7 @@ IPTABLES_VERSION);
> "[!] --gid-owner groupid Match local gid\n"
> "[!] --pid-owner processid Match local pid\n"
> "[!] --sid-owner sessionid Match local sid\n"
> +"[!] --ctx-owner ctx Match local security context\n"
> "\n",
> IPTABLES_VERSION);
> #endif /* IPT_OWNER_COMM */
> @@ -44,6 +46,7 @@ static struct option opts[] = {
> #ifdef IPT_OWNER_COMM
> { "cmd-owner", 1, 0, '5' },
> #endif
> + { "ctx-owner", 1, 0, '6' },
> {0}
> };
>
> @@ -136,6 +139,17 @@ parse(int c, char **argv, int invert, un
> break;
> #endif
>
> + case '6':
> + check_inverse(optarg, &invert, &optind, 0);
> + ownerinfo->vx_id = strtoul(optarg, &end, 0);
> + if (*end != '\0' || end == optarg)
> + exit_error(PARAMETER_PROBLEM, "Bad OWNER CTX value `%s'", optarg);
> + if (invert)
> + ownerinfo->invert |= IPT_OWNER_VS;
> + ownerinfo->match |= IPT_OWNER_VS;
> + *flags = 1;
> + break;
> +
> default:
> return 0;
> }
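Review bot: The `strtoul` result is stored into the `int vx_id` field without a range check, so values above INT_MAX silently wrap, and the `-1` that the kernel hunk treats as a sentinel only works because `strtoul` negates the magnitude and the out-of-range conversion to `int` happens to yield -1 on this platform. Use `strtol` and bound the value: `long v = strtol(optarg, &end, 0);` then `if (*end != '\0' || end == optarg || v < INT_MIN || v > INT_MAX)` before the existing `exit_error`, followed by `ownerinfo->vx_id = (int)v;`. This assumes `end` is the `char *` the other cases of `parse()` already use, as it is declared outside the hunk. `parse()` starts and ends outside this hunk.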
> @@ -188,6 +202,9 @@ print_item(struct ipt_owner_info *info,
> printf("%.*s ", (int)sizeof(info->comm), info->comm);
> break;
> #endif
> + case IPT_OWNER_VS:
> + printf("%d ", info->vx_id);
> + break;
> default:
> break;
> }
> @@ -218,6 +235,7 @@ print(const struct ipt_ip *ip,
> #ifdef IPT_OWNER_COMM
> print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
> #endif
> + print_item(info, IPT_OWNER_VS, numeric, "OWNER CTX match ");
> }
>
> /* Saves the union ipt_matchinfo in parsable form to stdout. */
> @@ -233,6 +251,7 @@ save(const struct ipt_ip *ip, const stru
> #ifdef IPT_OWNER_COMM
> print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
> #endif
> + print_item(info, IPT_OWNER_VS, 0, "--ctx-owner ");
> }
>
> static
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

