
Bug#270850: marked as done (kernel-image-2.6: [patch] adding per-program per-connection support to ipt_owner.c)



Your message dated Wed, 29 Sep 2004 17:30:20 +0200
with message-id <20040929153020.GH1835@stro.at>
and subject line iptables patch
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kernel-image-2.6: [patch] adding per-program per-connection support to
 ipt_owner.c
X-Mailer: reportbug 2.39
Date: Thu, 09 Sep 2004 17:29:51 +0100
Message-Id: <E1C5Rnz-0002bV-Ri@lkcl.net>

Package: kernel-image-2.6
Severity: wishlist


attached is a patch for adding per-program, per-connection firewalling
support to iptables.

it's added to ipt_owner.c because that is the most similar code.

i could i suppose create a separate module, but hey.

detailed report sent to linux kernel mailing list, locatable on
this page:

http://www.ussg.iu.edu/hypermail/linux/kernel/0409.1/index.html


Index: fs/proc/base.c
===================================================================
RCS file: /cvsroot/selinux/nsa/linux-2.6/fs/proc/base.c,v
retrieving revision 1.1.1.9
diff -u -u -r1.1.1.9 base.c
--- fs/proc/base.c	18 Jun 2004 19:30:20 -0000	1.1.1.9
+++ fs/proc/base.c	9 Sep 2004 15:32:32 -0000
@@ -206,11 +206,12 @@
 	return -ENOENT;
 }
 
-static int proc_exe_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt)
+extern int proc_task_dentry_lookup(struct task_struct *task, struct dentry **dentry, struct vfsmount **mnt);
+
+int proc_task_dentry_lookup(struct task_struct *task, struct dentry **dentry, struct vfsmount **mnt)
 {
 	struct vm_area_struct * vma;
 	int result = -ENOENT;
-	struct task_struct *task = proc_task(inode);
 	struct mm_struct * mm = get_task_mm(task);
 
 	if (!mm)
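Review bot: the `extern int proc_task_dentry_lookup(...)` prototype placed directly above its own definition (and repeated verbatim in fs/proc/root.c and ipt_owner.c) should be one declaration in a header such as include/linux/proc_fs.h so the three copies cannot drift apart. Since the function is now called with an arbitrary task_struct by a module, its contract needs a comment: whether it returns `*dentry` and `*mnt` with references held (as proc_exe_link did for the /proc/<pid>/exe symlink), and therefore whether callers must dput()/mntput() them.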
@@ -233,6 +234,11 @@
 	return result;
 }
 
+static int proc_exe_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt)
+{
+	return proc_task_dentry_lookup(proc_task(inode), dentry, mnt);
+}
+
 static int proc_cwd_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt)
 {
 	struct fs_struct *fs;
Index: fs/proc/root.c
===================================================================
RCS file: /cvsroot/selinux/nsa/linux-2.6/fs/proc/root.c,v
retrieving revision 1.1.1.2
diff -u -u -r1.1.1.2 root.c
--- fs/proc/root.c	8 Apr 2004 14:13:50 -0000	1.1.1.2
+++ fs/proc/root.c	9 Sep 2004 15:32:32 -0000
@@ -147,6 +147,8 @@
 	.parent		= &proc_root,
 };
 
+extern int proc_task_dentry_lookup(struct task_struct *task, struct dentry **dentry, struct vfsmount **mnt);
+
 #ifdef CONFIG_SYSCTL
 EXPORT_SYMBOL(proc_sys_root);
 #endif
@@ -159,3 +161,4 @@
 EXPORT_SYMBOL(proc_net);
 EXPORT_SYMBOL(proc_bus);
 EXPORT_SYMBOL(proc_root_driver);
+EXPORT_SYMBOL(proc_task_dentry_lookup);
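Review bot: exporting a symbol from a file that does not define it forces the extra extern prototype added in the previous hunk of root.c; put `EXPORT_SYMBOL(proc_task_dentry_lookup);` next to the definition in fs/proc/base.c (or use EXPORT_SYMBOL_GPL, since this exposes proc internals to modules) and drop the root.c prototype.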
Index: include/linux/netfilter_ipv4/ipt_owner.h
===================================================================
RCS file: /cvsroot/selinux/nsa/linux-2.6/include/linux/netfilter_ipv4/ipt_owner.h,v
retrieving revision 1.1.1.1
diff -u -u -r1.1.1.1 ipt_owner.h
--- include/linux/netfilter_ipv4/ipt_owner.h	14 Aug 2003 12:09:16 -0000	1.1.1.1
+++ include/linux/netfilter_ipv4/ipt_owner.h	9 Sep 2004 15:32:40 -0000
@@ -7,6 +7,10 @@
 #define IPT_OWNER_PID	0x04
 #define IPT_OWNER_SID	0x08
 #define IPT_OWNER_COMM	0x10
+#define IPT_OWNER_INO	0x20
+#define IPT_OWNER_DEV	0x40
+
+#define IPT_DEVNAME_SZ 80
 
 struct ipt_owner_info {
     uid_t uid;
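Review bot: IPT_OWNER_INO (0x20) and IPT_OWNER_DEV (0x40) still fit the u_int8_t `match`/`invert` fields, but `IPT_DEVNAME_SZ 80` is an unexplained bound; mnt_devname values such as a long NFS `server:/export` path can exceed it and would then never compare equal under the bounded strncmp. Add a comment justifying the size, and note that these values are part of the kernel/userspace interface, so the iptables libipt_owner extension must use identical definitions.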
@@ -14,6 +18,12 @@
     pid_t pid;
     pid_t sid;
     char comm[16];
+
+	/* set these as a pair: specify the filesystem, specify the inode */
+	/* it's the only simple (and unambigous) way to reference a program */
+	char device[IPT_DEVNAME_SZ];
+    unsigned long ino;
+
     u_int8_t match, invert;	/* flags */
 };
 
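Review bot: adding `char device[IPT_DEVNAME_SZ]` and `unsigned long ino` changes sizeof(struct ipt_owner_info), i.e. the ABI between iptables userspace and the kernel match; since ipt matches validate the size of their info struct at rule insertion, an un-updated libipt_owner will have its rules rejected, so the matching userspace patch should accompany this change. The new fields also mix tab and 4-space indentation with the surrounding style, "unambigous" should read "unambiguous", and checkentry should verify that `device[]` is NUL-terminated rather than relying solely on the bounded strncmp in the match path.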
Index: net/ipv4/netfilter/ipt_owner.c
===================================================================
RCS file: /cvsroot/selinux/nsa/linux-2.6/net/ipv4/netfilter/ipt_owner.c,v
retrieving revision 1.1.1.4
diff -u -u -r1.1.1.4 ipt_owner.c
--- net/ipv4/netfilter/ipt_owner.c	13 May 2004 18:03:23 -0000	1.1.1.4
+++ net/ipv4/netfilter/ipt_owner.c	9 Sep 2004 15:32:44 -0000
@@ -1,16 +1,34 @@
 /* Kernel module to match various things tied to sockets associated with
-   locally generated outgoing packets. */
+   locally generated outgoing packets.
+   
+   lkcl 2004sep9: match against filesystem on which program handling the
+                  packet can be found (IPT_OWNER_DEV) and also the inode
+				  on that filesystem of that same program.
+
+				  why anyone would want to only check just the mountpoint
+				  i don't know (well, i do - e.g. /usr/local is a
+				  separate untrusted or even an nfs-mounted partition)
+				  but i had to include and check the mountpoint because
+				  otherwise the inode is meaningless.
+   */
 
 /* (C) 2000 Marc Boucher <marc@mbsi.ca>
+ * (C) 2004 Luke Kenneth Casson Leighton <lkcl@lkcl.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
+ *
  */
 
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/file.h>
+#include <linux/rwsem.h>
+#include <linux/mount.h>
+#include <linux/dcache.h>
+#include <linux/string.h>
+#include <linux/sched.h>
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
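Review bot: the added header comment is a first-person changelog entry; kernel convention keeps that rationale in the commit message and leaves a one-line description of the new IPT_OWNER_DEV/IPT_OWNER_INO semantics in the file header. The continuation lines mix tabs and spaces. Of the new includes, linux/rwsem.h is not needed in this file (the mm semaphore is only taken inside fs/proc), so trim the list to what the code below actually uses (linux/sched.h for the thread walk, linux/mount.h and linux/dcache.h for vfsmount/dentry).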
@@ -20,6 +38,86 @@
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
 MODULE_DESCRIPTION("iptables owner match");
 
+/* lkcl: this function is in fs/proc/base.c.  it's a generic function
+ * derived from proc_exe_link().  it's inappropriate to leave that
+ * function in fs/proc/base.c.  but i don't care: i don't have the
+ * knowledge to say where it should go.  therefore i'm leaving
+ * it in fs/proc/base.c.
+ */
+extern int proc_task_dentry_lookup(struct task_struct *task,
+		                           struct dentry **dentry, 
+								   struct vfsmount **mnt);
+
+/*
+ * look up the dentry (for the inode) of the task's executable,
+ * plus lookup the mountpoint of the filesystem from where that
+ * executable came from.   then do exactly the same socket checking
+ * that all the other checks seem to be doing.
+ */
+static int proc_exe_check(struct task_struct *task, u_int8_t match,
+		                  const char *devname, unsigned long i_num)
+{
+    int result = -ENOENT;
+	struct vfsmount *mnt;
+    struct dentry *dentry;
+	result = proc_task_dentry_lookup(task, &dentry, &mnt);
+	if (result != 0)
+		return result;
+
+	if (!dentry->d_inode)
+		return -ENOENT;
+
+	/* lkcl: i can't be bothered to make obtuse code out of some
+	 * boolean overkill logic cleverness.
+	 */
+	if (match & IPT_OWNER_INO && match & IPT_OWNER_DEV)
+		if (dentry->d_inode->i_ino == i_num &&
+			strncmp(mnt->mnt_devname, devname, IPT_DEVNAME_SZ) == 0)
+		return 0;
+	if (match & IPT_OWNER_INO)
+		if (dentry->d_inode->i_ino == i_num)
+		    return 0;
+	if (match & IPT_OWNER_DEV)
+		if (strncmp(mnt->mnt_devname, devname, IPT_DEVNAME_SZ) == 0)
+		    return 0;
+	return -ENOENT;
+}
+
+static int
+match_inode(const struct sk_buff *skb, u_int8_t match,
+		    const char *devname, unsigned long i_num)
+{
+	struct task_struct *g, *p;
+	struct files_struct *files;
+	int i;
+
+	read_lock(&tasklist_lock);
+	do_each_thread(g, p) {
+
+		if (proc_exe_check(p, match, devname, i_num))
+			continue;
+
+		task_lock(p);
+		files = p->files;
+		if(files) {
+			spin_lock(&files->file_lock);
+			for (i=0; i < files->max_fds; i++) {
+				if (fcheck_files(files, i) ==
+				    skb->sk->sk_socket->file) {
+					spin_unlock(&files->file_lock);
+					task_unlock(p);
+					read_unlock(&tasklist_lock);
+					return 1;
+				}
+			}
+			spin_unlock(&files->file_lock);
+		}
+		task_unlock(p);
+	} while_each_thread(g, p);
+	read_unlock(&tasklist_lock);
+	return 0;
+}
+
 static int
 match_comm(const struct sk_buff *skb, const char *comm)
 {
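Review bot: the flag test in proc_exe_check does not enforce the pair semantics the header comment promises: when both IPT_OWNER_INO and IPT_OWNER_DEV are set and the combined check fails, execution falls through to `if (match & IPT_OWNER_INO)` and `if (match & IPT_OWNER_DEV)`, so an inode-number match alone (or a device match alone) still returns 0. Replace the three cascaded ifs with independent negative checks:

	if ((match & IPT_OWNER_INO) && dentry->d_inode->i_ino != i_num) return -ENOENT;
	if ((match & IPT_OWNER_DEV) && strncmp(mnt->mnt_devname, devname, IPT_DEVNAME_SZ) != 0) return -ENOENT;
	return 0;

Two further problems: proc_task_dentry_lookup is derived from proc_exe_link, which hands back the dentry and vfsmount with references taken, yet proc_exe_check never calls dput()/mntput() on any path, so every task examined leaks a reference per packet; and match_inode invokes it under read_lock(&tasklist_lock) from the packet path, while the lookup goes through get_task_mm() and the mm's mmap_sem, which may sleep and cannot be taken there. Finally, doing the executable lookup before checking whether the task even holds the socket's file runs the expensive part for every thread on the system on every packet; test the fd table first and compare the dentry only for the owning task.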
@@ -163,6 +261,12 @@
 			return 0;
 	}
 
+	if(info->match & IPT_OWNER_INO || info->match & IPT_OWNER_DEV) {
+		if (!match_inode(skb, info->match, info->device, info->ino) ^
+		    !!(info->invert & IPT_OWNER_INO))
+			return 0;
+	}
+
 	return 1;
 }
 
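Review bot: the inversion mask only tests IPT_OWNER_INO, so a rule that sets only IPT_OWNER_DEV together with its invert bit is silently treated as non-inverted; test the same bits that select the match, e.g. `!!(info->invert & (IPT_OWNER_INO | IPT_OWNER_DEV))`, or mirror the per-flag invert handling of the existing checks. The condition `info->match & IPT_OWNER_INO || info->match & IPT_OWNER_DEV` is correct but should be parenthesized or written as a single mask test for readability.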
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.7-selinux1 #7 Wed Sep 8 17:46:33 BST 2004 i686
Locale: LANG=C, LC_CTYPE=C


---------------------------------------
Date: Wed, 29 Sep 2004 17:30:20 +0200
From: maks attems <debian@sternwelten.at>
To: 270850-done@bugs.debian.org
Subject: iptables patch
Message-ID: <20040929153020.GH1835@stro.at>
Sender: maximilian attems <max@stro.at>

please submit your patch upstream at the netfilter team,
debian mostly uses vanilla linus sources.

their devel list is at netfilter-devel@lists.netfilter.org
i assume you know http://www.netfilter.org/ . ;)

--
maks
kernel janitor  	http://janitor.kernelnewbies.org/
