- updated vserver patch
1 --- iptables-1.6.0/extensions/libxt_owner.c.orig        2016-04-09 22:02:13.847585590 +0900
2 +++ iptables-1.6.0/extensions/libxt_owner.c     2016-04-09 22:24:01.855632355 +0900
3 @@ -64,6 +64,8 @@
4         O_SESSION,
5         O_COMM,
6         O_SUPPL_GROUPS,
7 +       O_NID,
8 +       O_XID,
9  };
10  
11  static void owner_mt_help_v0(void)
12 @@ -75,6 +77,8 @@
13  "[!] --pid-owner processid    Match local PID\n"
14  "[!] --sid-owner sessionid    Match local SID\n"
15  "[!] --cmd-owner name         Match local command name\n"
16 +"[!] --nid-owner nid          Match local nid\n"
17 +"[!] --xid-owner xid          Match local xid\n"
18  "NOTE: PID, SID and command matching are broken on SMP\n");
19  }
20  
21 @@ -86,6 +90,8 @@
22  "[!] --gid-owner groupid      Match local GID\n"
23  "[!] --pid-owner processid    Match local PID\n"
24  "[!] --sid-owner sessionid    Match local SID\n"
25 +"[!] --nid-owner nid          Match local nid\n"
26 +"[!] --xid-owner xid          Match local xid\n"
27  "NOTE: PID and SID matching are broken on SMP\n");
28  }
29  
30 @@ -112,6 +118,12 @@
31          .max = INT_MAX},
32         {.name = "cmd-owner", .id = O_COMM, .type = XTTYPE_STRING,
33          .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, comm)},
34 +       {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
35 +        .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
36 +        .max = INT_MAX},
37 +       {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
38 +        .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
39 +        .max = INT_MAX},
40         XTOPT_TABLEEND,
41  };
42  #undef s
43 @@ -128,10 +140,17 @@
44         {.name = "sid-owner", .id = O_SESSION, .type = XTTYPE_UINT32,
45          .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, sid),
46          .max = INT_MAX},
47 +       {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
48 +        .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
49 +        .max = INT_MAX},
50 +       {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
51 +        .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
52 +        .max = INT_MAX},
53         XTOPT_TABLEEND,
54  };
55  #undef s
56  
57 +#define s struct xt_owner_match_info
58  static const struct xt_option_entry owner_mt_opts[] = {
59         {.name = "uid-owner", .id = O_USER, .type = XTTYPE_STRING,
60          .flags = XTOPT_INVERT},
61 @@ -139,8 +157,15 @@
62         {.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE,
63          .flags = XTOPT_INVERT},
64         {.name = "suppl-groups", .id = O_SUPPL_GROUPS, .type = XTTYPE_NONE},
65 +       {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
66 +        .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
67 +        .max = INT_MAX},
68 +       {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
69 +        .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
70 +        .max = INT_MAX},
71         XTOPT_TABLEEND,
72  };
73 +#undef s
74  
75  static void owner_mt_parse_v0(struct xt_option_call *cb)
76  {
77 @@ -186,6 +210,16 @@
78                         info->invert |= IPT_OWNER_COMM;
79                 info->match |= IPT_OWNER_COMM;
80                 break;
81 +       case O_NID:
82 +               if (cb->invert)
83 +                       info->invert |= IPT_OWNER_NID;
84 +               info->match |= IPT_OWNER_NID;
85 +               break;
86 +       case O_XID:
87 +               if (cb->invert)
88 +                       info->invert |= IPT_OWNER_XID;
89 +               info->match |= IPT_OWNER_XID;
90 +               break;
91         }
92  }
93  
94 @@ -228,6 +262,16 @@
95                         info->invert |= IP6T_OWNER_SID;
96                 info->match |= IP6T_OWNER_SID;
97                 break;
98 +       case O_NID:
99 +               if (cb->invert)
100 +                       info->invert |= IPT_OWNER_NID;
101 +               info->match |= IPT_OWNER_NID;
102 +               break;
103 +       case O_XID:
104 +               if (cb->invert)
105 +                       info->invert |= IPT_OWNER_XID;
106 +               info->match |= IPT_OWNER_XID;
107 +               break;
108         }
109  }
110  
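Review bot: The new O_NID/O_XID cases in the IPv6 v0 parser set IPT_OWNER_NID and IPT_OWNER_XID, while the case directly above them uses the IP6T_OWNER_SID spelling and the IPv6 print helper added later in this patch tests IP6T_OWNER_NID / IP6T_OWNER_XID. If the IPT_ and IP6T_ constants are not defined with identical values in the header this patch depends on, a rule parsed here would never be shown by -L or -S; even if they are, the mismatch is a consistency problem worth fixing. Use `info->invert |= IP6T_OWNER_NID;` / `info->match |= IP6T_OWNER_NID;` (and likewise IP6T_OWNER_XID) so parse and print agree. The enclosing parse function starts and ends outside this hunk.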
111 @@ -283,6 +327,16 @@
112                         xtables_param_act(XTF_BAD_VALUE, "owner", "--suppl-groups", "you need to use --gid-owner first");
113                 info->match |= XT_OWNER_SUPPL_GROUPS;
114                 break;
115 +       case O_NID:
116 +               if (cb->invert)
117 +                       info->invert |= IPT_OWNER_NID;
118 +               info->match |= IPT_OWNER_NID;
119 +               break;
120 +       case O_XID:
121 +               if (cb->invert)
122 +                       info->invert |= IPT_OWNER_XID;
123 +               info->match |= IPT_OWNER_XID;
124 +               break;
125         }
126  }
127  
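Review bot: The O_NID/O_XID cases here write IPT_OWNER_NID and IPT_OWNER_XID into a struct xt_owner_match_info, but the print and save paths for that struct (owner_mt_print_item with XT_OWNER_NID / XT_OWNER_XID, later in this patch) and the neighbouring XT_OWNER_SUPPL_GROUPS case all use the XT_OWNER_ family. Unless IPT_OWNER_NID happens to equal XT_OWNER_NID in the vserver header, the bit set here is never displayed and could alias an existing XT_OWNER_* flag such as XT_OWNER_SOCKET or XT_OWNER_SUPPL_GROUPS, silently changing what the rule matches. Change the four lines to `info->invert |= XT_OWNER_NID;` / `info->match |= XT_OWNER_NID;` and the XID equivalents. owner_mt_parse begins and ends outside this hunk.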
128 @@ -340,6 +394,12 @@
129         case IPT_OWNER_COMM:
130                 printf(" %.*s", (int)sizeof(info->comm), info->comm);
131                 break;
132 +       case IPT_OWNER_NID:
133 +               printf("%u ", info->nid);
134 +               break;
135 +       case IPT_OWNER_XID:
136 +               printf("%u ", info->xid);
137 +               break;
138         }
139  }
140  
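Review bot: The added `printf("%u ", info->nid);` and `printf("%u ", info->xid);` place the separating space after the value, whereas every existing case in this helper places it before (`printf(" %.*s", ...)` in the IPT_OWNER_COMM case three lines up, and `printf(" %u", (unsigned int)info->sid)` elsewhere). Because the save path later in this patch passes the label "--nid-owner" to this same helper, the saved rule comes out as `--nid-owner42 ` and iptables-restore will reject it as an unknown option. Use `printf(" %u", (unsigned int)info->nid);` and `printf(" %u", (unsigned int)info->xid);` to match the surrounding cases (the cast also keeps the format safe whatever integer type the header gives nid/xid). The enclosing print helper starts before this hunk.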
141 @@ -385,6 +445,12 @@
142         case IP6T_OWNER_SID:
143                 printf(" %u", (unsigned int)info->sid);
144                 break;
145 +       case IP6T_OWNER_NID:
146 +               printf("%u ", info->nid);
147 +               break;
148 +       case IP6T_OWNER_XID:
149 +               printf("%u ", info->xid);
150 +               break;
151         }
152  }
153  
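Review bot: The two new cases print `"%u "` (trailing space) while the IP6T_OWNER_SID case immediately above prints `" %u"` (leading space), so `--nid-owner`/`--xid-owner` output from the save path is emitted as `--nid-owner42 ` with no separator before the value and cannot be read back by iptables-restore. Change them to `printf(" %u", (unsigned int)info->nid);` and `printf(" %u", (unsigned int)info->xid);`. Note also that these cases test IP6T_OWNER_NID / IP6T_OWNER_XID while the IPv6 parse hunk earlier in this patch sets IPT_OWNER_NID / IPT_OWNER_XID; the two should use the same constant, or the match bit set at parse time may never reach this switch. The enclosing print helper starts before this hunk.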
154 @@ -430,6 +496,12 @@
155                 }
156                 printf(" %u", (unsigned int)info->gid_min);
157                 break;
158 +       case XT_OWNER_NID:
159 +               printf("%u ", info->nid);
160 +               break;
161 +       case XT_OWNER_XID:
162 +               printf("%u ", info->xid);
163 +               break;
164         }
165  }
166  
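Review bot: Same formatting slip as in the v0 helpers: the new XT_OWNER_NID / XT_OWNER_XID cases use `"%u "` whereas the XT_OWNER_GID case just above uses `printf(" %u", (unsigned int)info->gid_min)`, so owner_mt_save emits `--nid-owner42 ` and the saved ruleset will not restore. Use `printf(" %u", (unsigned int)info->nid);` and `printf(" %u", (unsigned int)info->xid);`. These cases are keyed on XT_OWNER_NID / XT_OWNER_XID, but owner_mt_parse earlier in this patch sets IPT_OWNER_NID / IPT_OWNER_XID on the same struct; pick one family for both sides or the match will be parsed but never printed. The enclosing print helper starts before this hunk.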
167 @@ -444,6 +516,8 @@
168         owner_mt_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
169         owner_mt_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
170         owner_mt_print_item_v0(info, "owner CMD match", IPT_OWNER_COMM, numeric);
171 +       owner_mt_print_item_v0(info, "owner NID match", IPT_OWNER_NID, numeric);
172 +       owner_mt_print_item_v0(info, "owner XID match", IPT_OWNER_XID, numeric);
173  }
174  
175  static void
176 @@ -456,6 +530,8 @@
177         owner_mt6_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric);
178         owner_mt6_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
179         owner_mt6_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
180 +       owner_mt6_print_item_v0(info, "owner NID match", IPT_OWNER_NID, numeric);
181 +       owner_mt6_print_item_v0(info, "owner XID match", IPT_OWNER_XID, numeric);
182  }
183  
184  static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
185 @@ -466,6 +542,8 @@
186         owner_mt_print_item(info, "owner UID match",     XT_OWNER_UID,          numeric);
187         owner_mt_print_item(info, "owner GID match",     XT_OWNER_GID,          numeric);
188         owner_mt_print_item(info, "incl. suppl. groups", XT_OWNER_SUPPL_GROUPS, numeric);
189 +       owner_mt_print_item(info, "owner NID match",     XT_OWNER_NID,          numeric);
190 +       owner_mt_print_item(info, "owner XID match",     XT_OWNER_XID,          numeric);
191  }
192  
193  static void
194 @@ -478,6 +556,8 @@
195         owner_mt_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
196         owner_mt_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
197         owner_mt_print_item_v0(info, "--cmd-owner", IPT_OWNER_COMM, true);
198 +       owner_mt_print_item_v0(info, "--nid-owner", IPT_OWNER_NID, true);
199 +       owner_mt_print_item_v0(info, "--xid-owner", IPT_OWNER_XID, true);
200  }
201  
202  static void
203 @@ -489,6 +569,8 @@
204         owner_mt6_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true);
205         owner_mt6_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
206         owner_mt6_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
207 +       owner_mt6_print_item_v0(info, "--nid-owner", IPT_OWNER_NID, true);
208 +       owner_mt6_print_item_v0(info, "--xid-owner", IPT_OWNER_XID, true);
209  }
210  
211  static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
212 @@ -498,6 +580,8 @@
213         owner_mt_print_item(info, "--uid-owner",      XT_OWNER_UID,          true);
214         owner_mt_print_item(info, "--gid-owner",      XT_OWNER_GID,          true);
215         owner_mt_print_item(info, "--suppl-groups",   XT_OWNER_SUPPL_GROUPS, true);
216 +       owner_mt_print_item(info, "--nid-owner",      XT_OWNER_NID,          true);
217 +       owner_mt_print_item(info, "--xid-owner",      XT_OWNER_XID,          true);
218  }
219  
220  static int