The commit is pushed to "branch-rh7-3.10.0-514.16.1.vz7.32.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.16.1.vz7.32.10
------>
commit f6adb98156c29d98d49fd20002c1cf1284caaabb
Author: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
Date:   Tue Jun 20 21:14:43 2017 +0400

    ve/netfilter: get UID and GID from container user ns on rule match
    
    This is sufficient for our needs. It will not work correctly when rules are
    set by joining the container's network namespace without entering the VE
    cgroup, but that is acceptable because the proper fix would require a lot of
    backporting.
    
    https://jira.sw.ru/browse/PSBM-43609
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
    Reviewed-by: Cyrill Gorcunov <gorcu...@openvz.org>
---
 net/netfilter/xt_owner.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index 942cce1..31dec4a 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -31,14 +31,14 @@ owner_mt_v0(const struct sk_buff *skb, struct 
xt_action_param *par)
                return false;
 
        if (info->match & XT_OWNER_UID) {
-               kuid_t uid = make_kuid(&init_user_ns, info->uid);
+               kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
                if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
                    !!(info->invert & XT_OWNER_UID))
                        return false;
        }
 
        if (info->match & XT_OWNER_GID) {
-               kgid_t gid = make_kgid(&init_user_ns, info->gid);
+               kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
                if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
                    !!(info->invert & XT_OWNER_GID))
                        return false;
@@ -61,14 +61,14 @@ owner_mt6_v0(const struct sk_buff *skb, struct 
xt_action_param *par)
                return false;
 
        if (info->match & XT_OWNER_UID) {
-               kuid_t uid = make_kuid(&init_user_ns, info->uid);
+               kuid_t uid = make_kuid(ve_init_user_ns(), info->uid);
                if ((!uid_eq(filp->f_cred->fsuid, uid)) ^
                    !!(info->invert & XT_OWNER_UID))
                        return false;
        }
 
        if (info->match & XT_OWNER_GID) {
-               kgid_t gid = make_kgid(&init_user_ns, info->gid);
+               kgid_t gid = make_kgid(ve_init_user_ns(), info->gid);
                if ((!gid_eq(filp->f_cred->fsgid, gid)) ^
                    !!(info->invert & XT_OWNER_GID))
                        return false;
@@ -109,8 +109,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param 
*par)
                       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
 
        if (info->match & XT_OWNER_UID) {
-               kuid_t uid_min = make_kuid(&init_user_ns, info->uid_min);
-               kuid_t uid_max = make_kuid(&init_user_ns, info->uid_max);
+               kuid_t uid_min = make_kuid(ve_init_user_ns(), info->uid_min);
+               kuid_t uid_max = make_kuid(ve_init_user_ns(), info->uid_max);
                if ((uid_gte(filp->f_cred->fsuid, uid_min) &&
                     uid_lte(filp->f_cred->fsuid, uid_max)) ^
                    !(info->invert & XT_OWNER_UID))
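Review bot: With the container namespace an unmapped `info->uid_min` or `info->uid_max` now yields INVALID_UID, whose raw value is (uid_t)-1, and the range test on the two lines below quietly accepts it: an unmapped uid_max makes `uid_lte(filp->f_cred->fsuid, uid_max)` true for every socket, an unmapped uid_min makes `uid_gte(...)` false for every socket, and the invert bit turns either into its opposite. A range that was exact against `&init_user_ns` can therefore become match-all or match-none with no error reported when the rule is loaded. Later upstream kernels reject this in a checkentry callback with `uid_valid()`; this diff shows no such callback for xt_owner, so if the tree has none, `if (!uid_valid(uid_min) || !uid_valid(uid_max)) return false;` before the comparison is the minimal guard. owner_mt starts and ends outside this hunk.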
@@ -118,8 +118,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param 
*par)
        }
 
        if (info->match & XT_OWNER_GID) {
-               kgid_t gid_min = make_kgid(&init_user_ns, info->gid_min);
-               kgid_t gid_max = make_kgid(&init_user_ns, info->gid_max);
+               kgid_t gid_min = make_kgid(ve_init_user_ns(), info->gid_min);
+               kgid_t gid_max = make_kgid(ve_init_user_ns(), info->gid_max);
                if ((gid_gte(filp->f_cred->fsgid, gid_min) &&
                     gid_lte(filp->f_cred->fsgid, gid_max)) ^
                    !(info->invert & XT_OWNER_GID))
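Review bot: `ve_init_user_ns()` is now evaluated per packet at match time, and if it resolves through the current task's VE (its definition is not in this diff) the result is unreliable here: LOCAL_OUT/POST_ROUTING for a socket-owned skb can run from softirq or timer context (TCP retransmits, delayed ACKs), where `current` is whichever task the interrupt landed on, not the socket owner, so the same rule could be checked against another container's gid mapping depending on who happened to be running. Anchoring the mapping to the object being matched avoids that, e.g. `struct user_namespace *ns = sock_net(skb->sk)->user_ns;` computed once above the comparisons and passed to both make_kgid calls, provided this tree's container netns carries the container's mapping; the commit message already names the netns-joining case as a known gap, so that caveat belongs in a comment next to the call either way. Hoisting the lookup out of the two make_kgid calls also removes a duplicate evaluation. owner_mt continues outside this hunk.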