net: core: add UID to flows, rules, and routes
authorLorenzo Colitti <lorenzo@google.com>
Thu, 3 Nov 2016 17:23:42 +0000 (02:23 +0900)
committerAmit Pundir <amit.pundir@linaro.org>
Mon, 2 Jan 2017 08:36:47 +0000 (14:06 +0530)
- Define a new FIB rule attribute, FRA_UID_RANGE, to describe a
  range of UIDs.
- Define a RTA_UID attribute for per-UID route lookups and dumps.
- Support passing these attributes to and from userspace via
  rtnetlink. The value INVALID_UID indicates no UID was
  specified.
- Add a UID field to the flow structures.

Bug: 16355602
Change-Id: Iea98e6fedd0fd4435a1f4efa3deb3629505619ab
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/fib_rules.h
include/net/flow.h
include/uapi/linux/fib_rules.h
include/uapi/linux/rtnetlink.h
net/core/fib_rules.c
net/ipv4/fib_frontend.c
net/ipv4/route.c
net/ipv6/route.c

index 59160de702b68023c248181ab6c5fcb6e2f42452..bd2b5c00756161e001491ebac83aa952cdb0715b 100644 (file)
@@ -8,6 +8,11 @@
 #include <net/flow.h>
 #include <net/rtnetlink.h>
 
+struct fib_kuid_range {
+       kuid_t start;
+       kuid_t end;
+};
+
 struct fib_rule {
        struct list_head        list;
        int                     iifindex;
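Review bot: struct fib_kuid_range says nothing about whether its bounds are inclusive, yet fib_rule_match() later in this patch rejects a flow only when its uid is strictly below start or strictly above end, so both ends are inclusive and every reader of the struct has to rediscover that. I would add above it: `/* Inclusive [start, end] kuid range a flow's uid must fall in for the rule to match. The "match everything" default is 0..~0 (see fib_kuid_range_unset), whose end presumably equals INVALID_UID so uid_range_set() reports it as unset. */`. struct fib_rule itself continues beyond this hunk.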
@@ -29,6 +34,7 @@ struct fib_rule {
        int                     suppress_prefixlen;
        char                    iifname[IFNAMSIZ];
        char                    oifname[IFNAMSIZ];
+       struct fib_kuid_range   uid_range;
        struct rcu_head         rcu;
 };
 
@@ -89,7 +95,8 @@ struct fib_rules_ops {
        [FRA_TABLE]     = { .type = NLA_U32 }, \
        [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \
        [FRA_SUPPRESS_IFGROUP] = { .type = NLA_U32 }, \
-       [FRA_GOTO]      = { .type = NLA_U32 }
+       [FRA_GOTO]      = { .type = NLA_U32 }, \
+       [FRA_UID_RANGE] = { .len = sizeof(struct fib_rule_uid_range) }
 
 static inline void fib_rule_get(struct fib_rule *rule)
 {
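Review bot: the new FRA_UID_RANGE policy entry carries a `.len` but no `.type`, which (as far as I recall of nla_validate) makes it NLA_UNSPEC with a minimum length, and that minimum is the only thing allowing nla_get_kuid_range() to read both fields of nla_data() without its own length check. Because NLA_BINARY would turn `.len` into a maximum and reintroduce a short-attribute over-read, the intent deserves a comment: `[FRA_UID_RANGE] = { .len = sizeof(struct fib_rule_uid_range) } /* NLA_UNSPEC: .len is a minimum; nla_get_kuid_range() depends on it */`.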
index 83969eebebf3b458bc4160fe0aded6f5d8fdd30c..8913962d7d253a0771c4744e65b8e1a9efa7d536 100644 (file)
@@ -11,6 +11,7 @@
 #include <linux/in6.h>
 #include <linux/atomic.h>
 #include <net/flow_dissector.h>
+#include <linux/uidgid.h>
 
 /*
  * ifindex generation is per-net namespace, and loopback is
@@ -38,6 +39,7 @@ struct flowi_common {
 #define FLOWI_FLAG_SKIP_NH_OIF         0x08
        __u32   flowic_secid;
        struct flowi_tunnel flowic_tun_key;
+       kuid_t  flowic_uid;
 };
 
 union flowi_uli {
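Review bot: flowic_uid is a kuid_t inside a struct that callers routinely zero-initialise (inet_rtm_getroute in this same patch does `memset(&fl4, 0, sizeof(fl4))` before filling it), so any flow builder that is not updated to set the field looks up routes as kuid 0, i.e. root in the initial user namespace, rather than as "no UID", and a UID-range rule covering uid 0 would match that traffic. If the remaining flow builders are converted in follow-up patches (not visible here) that window is short, but the convention should be stated on the field: `kuid_t flowic_uid; /* uid the lookup is performed for; INVALID_UID means none -- note zero-init yields uid 0, not INVALID_UID */`.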
@@ -75,6 +77,7 @@ struct flowi4 {
 #define flowi4_flags           __fl_common.flowic_flags
 #define flowi4_secid           __fl_common.flowic_secid
 #define flowi4_tun_key         __fl_common.flowic_tun_key
+#define flowi4_uid             __fl_common.flowic_uid
 
        /* (saddr,daddr) must be grouped, same order as in IP header */
        __be32                  saddr;
@@ -133,6 +136,7 @@ struct flowi6 {
 #define flowi6_flags           __fl_common.flowic_flags
 #define flowi6_secid           __fl_common.flowic_secid
 #define flowi6_tun_key         __fl_common.flowic_tun_key
+#define flowi6_uid             __fl_common.flowic_uid
        struct in6_addr         daddr;
        struct in6_addr         saddr;
        __be32                  flowlabel;
@@ -177,6 +181,7 @@ struct flowi {
 #define flowi_flags    u.__fl_common.flowic_flags
 #define flowi_secid    u.__fl_common.flowic_secid
 #define flowi_tun_key  u.__fl_common.flowic_tun_key
+#define flowi_uid      u.__fl_common.flowic_uid
 } __attribute__((__aligned__(BITS_PER_LONG/8)));
 
 static inline struct flowi *flowi4_to_flowi(struct flowi4 *fl4)
index 96161b8202b5d026ed39904f15a899659fc39adb..bbf02a63a01133351ea49392f1bb06da13b4130d 100644 (file)
@@ -29,6 +29,11 @@ struct fib_rule_hdr {
        __u32           flags;
 };
 
+struct fib_rule_uid_range {
+       __u32           start;
+       __u32           end;
+};
+
 enum {
        FRA_UNSPEC,
        FRA_DST,        /* destination address */
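Review bot: struct fib_rule_uid_range is exported to userspace without any statement of its contract, although fib_nl_newrule() in this patch enforces one: both values are UIDs in the sender's user namespace, both must be mappable there, start must not exceed end, and both ends are inclusive. A comment above the struct, `/* Inclusive UID range [start, end] in the sender's user namespace; start <= end, else -EINVAL */`, would spare iproute2 and other callers from reading the kernel to learn why a request is refused.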
@@ -49,6 +54,9 @@ enum {
        FRA_TABLE,      /* Extended table id */
        FRA_FWMASK,     /* mask for netfilter mark */
        FRA_OIFNAME,
+       FRA_PAD,
+       FRA_L3MDEV,     /* iif or oif is l3mdev goto its table */
+       FRA_UID_RANGE,  /* UID range */
        __FRA_MAX
 };
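Review bot: FRA_PAD and FRA_L3MDEV enter the UAPI enum together with FRA_UID_RANGE, but nothing in this patch adds a policy entry or any handling for FRA_L3MDEV, so userspace can now send an attribute the kernel advertises and silently ignores. If the two values exist only to keep FRA_UID_RANGE's number in step with upstream (which the backport context suggests), say so where the value is defined: `FRA_L3MDEV,     /* iif or oif is l3mdev goto its table (reserved to match upstream; not handled in this tree) */`. Otherwise the l3mdev handling should land with the same change.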
 
index fa3b3436556027aa587cd6d2042c00ba147ef53a..d7d7599b112a990c9a50c717b9c45a5ea2c4bad6 100644 (file)
@@ -311,6 +311,9 @@ enum rtattr_type_t {
        RTA_PREF,
        RTA_ENCAP_TYPE,
        RTA_ENCAP,
+       RTA_EXPIRES,
+       RTA_PAD,
+       RTA_UID,
        __RTA_MAX
 };
 
index 365de66436aca8dba3868aa565d4cb77353b58d1..cb744a352167b48b252c1f59239c2ead281bebe4 100644 (file)
 #include <net/fib_rules.h>
 #include <net/ip_tunnels.h>
 
+static const struct fib_kuid_range fib_kuid_range_unset = {
+       KUIDT_INIT(0),
+       KUIDT_INIT(~0),
+};
+
 int fib_default_rule_add(struct fib_rules_ops *ops,
                         u32 pref, u32 table, u32 flags)
 {
@@ -33,6 +38,7 @@ int fib_default_rule_add(struct fib_rules_ops *ops,
        r->table = table;
        r->flags = flags;
        r->fr_net = ops->fro_net;
+       r->uid_range = fib_kuid_range_unset;
 
        r->suppress_prefixlen = -1;
        r->suppress_ifgroup = -1;
@@ -172,6 +178,34 @@ void fib_rules_unregister(struct fib_rules_ops *ops)
 }
 EXPORT_SYMBOL_GPL(fib_rules_unregister);
 
+static int uid_range_set(struct fib_kuid_range *range)
+{
+       return uid_valid(range->start) && uid_valid(range->end);
+}
+
+static struct fib_kuid_range nla_get_kuid_range(struct nlattr **tb)
+{
+       struct fib_rule_uid_range *in;
+       struct fib_kuid_range out;
+
+       in = (struct fib_rule_uid_range *)nla_data(tb[FRA_UID_RANGE]);
+
+       out.start = make_kuid(current_user_ns(), in->start);
+       out.end = make_kuid(current_user_ns(), in->end);
+
+       return out;
+}
+
+static int nla_put_uid_range(struct sk_buff *skb, struct fib_kuid_range *range)
+{
+       struct fib_rule_uid_range out = {
+               from_kuid_munged(current_user_ns(), range->start),
+               from_kuid_munged(current_user_ns(), range->end)
+       };
+
+       return nla_put(skb, FRA_UID_RANGE, sizeof(out), &out);
+}
+
 static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
                          struct flowi *fl, int flags)
 {
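Review bot: nla_put_uid_range() translates with current_user_ns(), which is correct for a dump answered to the requester, but if fib_nl_fill_rule() is also used to build the rule-change notification (that caller sits outside this hunk) then listeners in another user namespace receive UIDs munged into the modifier's namespace rather than their own; a comment on nla_put_uid_range stating which namespace the values are relative to, plus a check of the notification path, would settle that. Separately, nla_get_kuid_range() reads both fields of nla_data() without a length check and is safe only because the FRA_UID_RANGE policy entry enforces a minimum length, so `/* minimum length guaranteed by the FRA_UID_RANGE policy entry */` should sit on the nla_data() line. The explicit cast of nla_data()'s `void *` is unnecessary in C, and uid_range_set() would read better returning bool.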
@@ -189,6 +223,10 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
        if (rule->tun_id && (rule->tun_id != fl->flowi_tun_key.tun_id))
                goto out;
 
+       if (uid_lt(fl->flowi_uid, rule->uid_range.start) ||
+           uid_gt(fl->flowi_uid, rule->uid_range.end))
+               goto out;
+
        ret = ops->match(rule, fl, flags);
 out:
        return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;
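Review bot: the new uid comparison makes a flow carrying INVALID_UID fail every rule that has an explicit range and match only the all-UIDs default (0..~0, whose end I believe shares INVALID_UID's raw value), which follows from the two comparisons but is stated nowhere. Add a why-comment above the check: `/* uid-less flows (INVALID_UID, e.g. input-side lookups) match only rules with no uid range */`. Note too that, like the other selectors, the check sits before the FIB_RULE_INVERT inversion, so an inverted rule with a range matches everything outside it including uid-less flows; confirm that is the intended semantic and document it if so.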
@@ -371,6 +409,21 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh)
        } else if (rule->action == FR_ACT_GOTO)
                goto errout_free;
 
+       if (tb[FRA_UID_RANGE]) {
+               if (current_user_ns() != net->user_ns) {
+                       err = -EPERM;
+                       goto errout_free;
+               }
+
+               rule->uid_range = nla_get_kuid_range(tb);
+
+               if (!uid_range_set(&rule->uid_range) ||
+                   !uid_lte(rule->uid_range.start, rule->uid_range.end))
+                       goto errout_free;
+       } else {
+               rule->uid_range = fib_kuid_range_unset;
+       }
+
        err = ops->configure(rule, skb, frh, tb);
        if (err < 0)
                goto errout_free;
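Review bot: the `goto errout_free` that rejects an unmappable or reversed UID range relies on `err` still holding a negative value from the FRA_GOTO handling above (the start of fib_nl_newrule is outside this hunk), while the -EPERM branch right next to it sets err explicitly; any future assignment to err between the two would turn an invalid range into a reported success. Make the branch self-contained: `if (!uid_range_set(&rule->uid_range) || !uid_lte(rule->uid_range.start, rule->uid_range.end)) { err = -EINVAL; goto errout_free; }`. A one-line comment on the namespace check, `/* the stored kuids are interpreted in net->user_ns; refuse ranges from any other user namespace */`, would also explain the -EPERM to the next reader.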
@@ -432,6 +485,7 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh)
        struct fib_rules_ops *ops = NULL;
        struct fib_rule *rule, *tmp;
        struct nlattr *tb[FRA_MAX+1];
+       struct fib_kuid_range range;
        int err = -EINVAL;
 
        if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
@@ -451,6 +505,14 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh)
        if (err < 0)
                goto errout;
 
+       if (tb[FRA_UID_RANGE]) {
+               range = nla_get_kuid_range(tb);
+               if (!uid_range_set(&range))
+                       goto errout;
+       } else {
+               range = fib_kuid_range_unset;
+       }
+
        list_for_each_entry(rule, &ops->rules_list, list) {
                if (frh->action && (frh->action != rule->action))
                        continue;
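Review bot: in the FRA_UID_RANGE branch of fib_nl_delrule, `goto errout` for an unmappable range is reached with `err` equal to 0, because the preceding `if (err < 0) goto errout;` after nlmsg_parse() has just fallen through, so a delete request carrying a bogus UID range returns success while deleting nothing. Set the error before jumping: `if (!uid_range_set(&range)) { err = -EINVAL; goto errout; }`. fib_nl_delrule's body continues outside this hunk.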
@@ -483,6 +545,11 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh)
                    (rule->tun_id != nla_get_be64(tb[FRA_TUN_ID])))
                        continue;
 
+               if (uid_range_set(&range) &&
+                   (!uid_eq(rule->uid_range.start, range.start) ||
+                    !uid_eq(rule->uid_range.end, range.end)))
+                       continue;
+
                if (!ops->compare(rule, frh, tb))
                        continue;
 
@@ -550,6 +617,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
                         + nla_total_size(4) /* FRA_FWMARK */
                         + nla_total_size(4) /* FRA_FWMASK */
                         + nla_total_size(8); /* FRA_TUN_ID */
+                        + nla_total_size(sizeof(struct fib_kuid_range));
 
        if (ops->nlmsg_payload)
                payload += ops->nlmsg_payload(rule);
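Review bot: the added `+ nla_total_size(sizeof(struct fib_kuid_range));` follows the semicolon that already terminates the FRA_TUN_ID line, so it is a separate expression statement with no effect and FRA_UID_RANGE is never counted in the payload; once a rule carries a range the skb sized from this function can be too small and nla_put() fails with -EMSGSIZE. Move the terminator: `+ nla_total_size(8) /* FRA_TUN_ID */` and then `+ nla_total_size(sizeof(struct fib_rule_uid_range)); /* FRA_UID_RANGE */`. The size should name the UAPI struct that nla_put_uid_range() actually emits; the kernel-internal fib_kuid_range happens to be the same size today, but that is a coincidence, and -Wunused-value should have flagged the dead statement.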
@@ -607,7 +675,9 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
            (rule->target &&
             nla_put_u32(skb, FRA_GOTO, rule->target)) ||
            (rule->tun_id &&
-            nla_put_be64(skb, FRA_TUN_ID, rule->tun_id)))
+            nla_put_be64(skb, FRA_TUN_ID, rule->tun_id)) ||
+           (uid_range_set(&rule->uid_range) &&
+            nla_put_uid_range(skb, &rule->uid_range)))
                goto nla_put_failure;
 
        if (rule->suppress_ifgroup != -1) {
index 63566ec54794db8213c2c935d75c2ba32dd71d61..98c754e61024e14f46e6112d6e1a90fb88a013f0 100644 (file)
@@ -627,6 +627,7 @@ const struct nla_policy rtm_ipv4_policy[RTA_MAX + 1] = {
        [RTA_FLOW]              = { .type = NLA_U32 },
        [RTA_ENCAP_TYPE]        = { .type = NLA_U16 },
        [RTA_ENCAP]             = { .type = NLA_NESTED },
+       [RTA_UID]               = { .type = NLA_U32 },
 };
 
 static int rtm_to_fib_config(struct net *net, struct sk_buff *skb,
index 7ceb8a574a50a0bfe38eb4796fa48502df5754e3..d1cff08f1580ac9a01a3914e85cd0abae980189e 100644 (file)
@@ -2486,6 +2486,11 @@ static int rt_fill_info(struct net *net,  __be32 dst, __be32 src, u32 table_id,
            nla_put_u32(skb, RTA_MARK, fl4->flowi4_mark))
                goto nla_put_failure;
 
+       if (!uid_eq(fl4->flowi4_uid, INVALID_UID) &&
+           nla_put_u32(skb, RTA_UID,
+                       from_kuid_munged(current_user_ns(), fl4->flowi4_uid)))
+               goto nla_put_failure;
+
        error = rt->dst.error;
 
        if (rt_is_input_route(rt)) {
@@ -2538,6 +2543,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
        int mark;
        struct sk_buff *skb;
        u32 table_id = RT_TABLE_MAIN;
+       kuid_t uid;
 
        err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv4_policy);
        if (err < 0)
@@ -2565,6 +2571,10 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
        dst = tb[RTA_DST] ? nla_get_in_addr(tb[RTA_DST]) : 0;
        iif = tb[RTA_IIF] ? nla_get_u32(tb[RTA_IIF]) : 0;
        mark = tb[RTA_MARK] ? nla_get_u32(tb[RTA_MARK]) : 0;
+       if (tb[RTA_UID])
+               uid = make_kuid(current_user_ns(), nla_get_u32(tb[RTA_UID]));
+       else
+               uid = (iif ? INVALID_UID : current_uid());
 
        memset(&fl4, 0, sizeof(fl4));
        fl4.daddr = dst;
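Review bot: RTA_UID lets whoever sends RTM_GETROUTE ask how the policy rules route traffic for an arbitrary UID, and nothing in this hunk (nor elsewhere in the patch, as far as I can see) gates that on a capability, so an unprivileged process can probe per-UID routing decisions it does not own; if that disclosure is acceptable it should be a deliberate, commented decision rather than an accident. In addition, make_kuid() yields INVALID_UID for a value not mapped in the caller's namespace, which then silently behaves as "no UID" instead of the current_uid() default the caller would otherwise get; either reject it through the function's existing cleanup path, `if (tb[RTA_UID] && !uid_valid(uid)) { err = -EINVAL; goto errout_free; }`, or comment that unmapped UIDs are intentionally treated as absent. inet_rtm_getroute's body continues outside the hunk.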
@@ -2572,6 +2582,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
        fl4.flowi4_tos = rtm->rtm_tos;
        fl4.flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0;
        fl4.flowi4_mark = mark;
+       fl4.flowi4_uid = uid;
 
        if (netif_index_is_l3_master(net, fl4.flowi4_oif))
                fl4.flowi4_flags = FLOWI_FLAG_L3MDEV_SRC | FLOWI_FLAG_SKIP_NH_OIF;
index 614e6a7718875e6c6323b763bcbe42f10be3eaf6..4bca900f629998ae405c0b6dcf97edede6f4ec83 100644 (file)
@@ -2686,6 +2686,7 @@ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
        [RTA_PREF]              = { .type = NLA_U8 },
        [RTA_ENCAP_TYPE]        = { .type = NLA_U16 },
        [RTA_ENCAP]             = { .type = NLA_NESTED },
+       [RTA_UID]               = { .type = NLA_U32 },
 };
 
 static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
@@ -3249,6 +3250,12 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh)
        if (tb[RTA_MARK])
                fl6.flowi6_mark = nla_get_u32(tb[RTA_MARK]);
 
+       if (tb[RTA_UID])
+               fl6.flowi6_uid = make_kuid(current_user_ns(),
+                                          nla_get_u32(tb[RTA_UID]));
+       else
+               fl6.flowi6_uid = iif ? INVALID_UID : current_uid();
+
        if (iif) {
                struct net_device *dev;
                int flags = 0;
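Review bot: the IPv6 lookup accepts any RTA_UID exactly as the IPv4 one does, so the same two questions apply here: no privilege check is visible before routing is evaluated on behalf of another UID, and make_kuid() quietly returns INVALID_UID for an unmapped value, so the request is treated as uid-less rather than rejected. Whatever is decided for inet_rtm_getroute should be mirrored here, e.g. `if (tb[RTA_UID] && !uid_valid(fl6.flowi6_uid)) return -EINVAL;` immediately after the assignment (adapted to this function's error path, which is outside the hunk), with a comment stating the chosen semantics. inet6_rtm_getroute continues beyond this hunk.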