I've attached a patch that fixes KLIPS when user namespaces are enabled in the kernel. I am not 100% familiar with this feature, so I would like a review, especially of the use of init_user_ns when converting a kuid_t back to a plain uid. I believe this is correct, since init_user_ns appears to act as the global (root) namespace whose uid mapping is the identity.
I tested klips on fedora kernels with and without CONFIG_USER_NS with this patch and things worked normally. Thanks, Matt
commit be0cef873b85a8b4356ecf0fbebb5f83d19ca3b4
Author: Matt Rogers <mrog...@redhat.com>
Date:   Wed Mar 12 22:34:45 2014 -0400

    klips: convert kuid_t with the initial namespace when CONFIG_USER_NS is enabled (now in fedora 20 kernels)

diff --git a/linux/include/libreswan/ipsec_kversion.h b/linux/include/libreswan/ipsec_kversion.h
index ed40fc0..2854a11 100644
--- a/linux/include/libreswan/ipsec_kversion.h
+++ b/linux/include/libreswan/ipsec_kversion.h
@@ -516,5 +516,10 @@
 # define DEFINE_RWLOCK(x) rwlock_t x = RW_LOCK_UNLOCKED
 #endif
+/* CONFIG_USER_NS is now on in Fedora 20 kernels */
+#if defined(CONFIG_USER_NS)
+# define HAVE_USER_NS
+#endif
+
 #endif /* _LIBRESWAN_KVERSIONS_H */
diff --git a/linux/include/libreswan/pfkey.h b/linux/include/libreswan/pfkey.h
index 76d9b58..32f4351 100644
--- a/linux/include/libreswan/pfkey.h
+++ b/linux/include/libreswan/pfkey.h
@@ -29,7 +29,9 @@
 extern /* void */ int pfkey_cleanup(void);
 extern int pfkey_registered_show(struct seq_file *seq, void *offset);
 extern int pfkey_supported_show(struct seq_file *seq, void *offset);
 extern int pfkey_show(struct seq_file *seq, void *offset);
-
+#ifdef HAVE_USER_NS
+extern uint32_t pfkey_kuid_to_uid(kuid_t kuid);
+#endif
 struct socket_list {
 	struct socket *socketp;
 	struct socket_list *next;
diff --git a/linux/net/ipsec/pfkey_v2.c b/linux/net/ipsec/pfkey_v2.c
index 94be7b4..62db8d7 100644
--- a/linux/net/ipsec/pfkey_v2.c
+++ b/linux/net/ipsec/pfkey_v2.c
@@ -552,6 +552,13 @@ DEBUG_NO_STATIC void pfkey_destroy_socket(struct sock *sk)
 		    "klips_debug:pfkey_destroy_socket: destroyed.\n");
 }
+#ifdef HAVE_USER_NS
+uint32_t pfkey_kuid_to_uid(kuid_t kuid)
+{
+	return from_kuid(&init_user_ns, kuid);
+}
+#endif
+
 int pfkey_upmsg(struct socket *sock, struct sadb_msg *pfkey_msg)
 {
 	struct sock *sk;
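Review bot: Deriving HAVE_USER_NS from CONFIG_USER_NS in the ipsec_kversion.h hunk keys the kuid_t conversion on the wrong kernel option: current_uid() returns a distinct kuid_t struct whenever the kernel's strict uid/gid typing is in effect, not only when user namespaces are compiled in, so on such a kernel built without CONFIG_USER_NS the unconverted `key_pid(sk) = current_uid();` fallback will fail to compile. If I remember the Kconfig correctly, CONFIG_USER_NS merely selected CONFIG_UIDGID_STRICT_TYPE_CHECKS on 3.5–3.13 kernels and the strict typing became unconditional in 3.14, so the test should follow the kernel version or that option rather than CONFIG_USER_NS alone, e.g. `#if defined(CONFIG_USER_NS) || defined(CONFIG_UIDGID_STRICT_TYPE_CHECKS) || LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)` — please verify against the kernels you target. The comment on the new lines should also state what the macro means for the code, `/* kuid_t is a struct, convert with from_kuid() before storing it as a plain uid */`, rather than which distribution enabled the option.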
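Review bot: pfkey_kuid_to_uid in the pfkey_v2.c hunk carries no comment on why init_user_ns is the right namespace, which is exactly the point the submitter asked to have reviewed. Mapping through the initial namespace yields the caller's global uid, so a process that is uid 0 only inside its own user namespace is recorded with its real uid instead of 0 — the property you want for an identity stamped into a PF_KEY socket or message that a privileged key manager may act on; the implicit assumption that consumers of this value treat it as a global uid should be written down. from_kuid() also returns (uid_t)-1 when the kuid has no mapping in the target namespace (for init_user_ns that is effectively only INVALID_UID), which deserves a mention or a switch to from_kuid_munged() if a -1 sentinel is unwanted. Suggested header comment: `/* Map a kernel uid to the global (init_user_ns) uid. Deliberately not the caller's own user namespace: a process that is root only inside its userns must not be recorded as uid 0. Returns (uid_t)-1 for an unmapped kuid. */`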
@@ -739,7 +746,11 @@ DEBUG_NO_STATIC int pfkey_create(struct socket *sock, int protocol)
 	sk->sk_family = PF_KEY;
 	/* sk->num = protocol; */
 	sk->sk_protocol = protocol;
+#ifdef HAVE_USER_NS
+	key_pid(sk) = pfkey_kuid_to_uid(current_uid());
+#else
 	key_pid(sk) = current_uid();
+#endif
 #ifdef HAVE_SOCKET_WQ
 	KLIPS_PRINT(debug_pfkey,
diff --git a/linux/net/ipsec/pfkey_v2_parser.c b/linux/net/ipsec/pfkey_v2_parser.c
index 7c2ba3b..40b0444 100644
--- a/linux/net/ipsec/pfkey_v2_parser.c
+++ b/linux/net/ipsec/pfkey_v2_parser.c
@@ -1850,7 +1850,11 @@ int pfkey_register_reply(int satype, struct sadb_msg *sadb_msg)
 						  pfkey_msg_seq,
 						  sadb_msg ? sadb_msg
 						  ->sadb_msg_pid :
+#ifdef HAVE_USER_NS
+						  pfkey_kuid_to_uid(current_uid())),
+#else
 						  current_uid()),
+#endif
 						  extensions_reply)
 	    && (alg_num_a ? pfkey_safe_build(error = pfkey_supported_build(&
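Review bot: The HAVE_USER_NS #ifdef/#else around `key_pid(sk) = ...` in pfkey_create duplicates the conversion choice at every call site, and the same three-way split is repeated in the pfkey_register_reply hunk of pfkey_v2_parser.c, where it sits inside a multi-line argument list that begins and ends outside the hunk. Providing the non-namespace fallback once in pfkey.h lets both call sites become a single unconditional line: `#else` / `# define pfkey_kuid_to_uid(uid) (uid)` / `#endif` after the existing extern, and then `key_pid(sk) = pfkey_kuid_to_uid(current_uid());` here with no preprocessor guard. This also means a future third variant only needs a header change. pfkey_create's body continues beyond the hunk.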