aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJP Abgrall2013-01-04 20:18:36 -0600
committerArve Hjønnevåg2013-02-19 19:56:14 -0600
commit2f9264b36db37f3668254443be106d4417052d7a (patch)
treeec4db3a0fac66409af3ba3ef201de8c617bb96fe
parente8018511357b8344d35a701c47667f52308d62ff (diff)
downloadkernel-common-2f9264b36db37f3668254443be106d4417052d7a.tar.gz
kernel-common-2f9264b36db37f3668254443be106d4417052d7a.tar.xz
kernel-common-2f9264b36db37f3668254443be106d4417052d7a.zip
netfilter: xt_qtaguid: remove AID_* dependency for access control
qtaguid limits what can be done with /ctrl and /stats based on group membership. This changes removes AID_NET_BW_STATS and AID_NET_BW_ACCT, and picks up the groups from the gid of the matching proc entry files. Signed-off-by: JP Abgrall <jpa@google.com> Change-Id: I42e477adde78a12ed5eb58fbc0b277cdaadb6f94
-rw-r--r--net/netfilter/xt_qtaguid.c51
1 files changed, 26 insertions, 25 deletions
diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c
index 603bdd20699..923f1bdd02e 100644
--- a/net/netfilter/xt_qtaguid.c
+++ b/net/netfilter/xt_qtaguid.c
@@ -53,25 +53,22 @@ static unsigned int proc_stats_perms = S_IRUGO;
53module_param_named(stats_perms, proc_stats_perms, uint, S_IRUGO | S_IWUSR); 53module_param_named(stats_perms, proc_stats_perms, uint, S_IRUGO | S_IWUSR);
54 54
55static struct proc_dir_entry *xt_qtaguid_ctrl_file; 55static struct proc_dir_entry *xt_qtaguid_ctrl_file;
56#ifdef CONFIG_ANDROID_PARANOID_NETWORK 56
57/* Everybody can write. But proc_ctrl_write_limited is true by default which
58 * limits what can be controlled. See the can_*() functions.
59 */
57static unsigned int proc_ctrl_perms = S_IRUGO | S_IWUGO; 60static unsigned int proc_ctrl_perms = S_IRUGO | S_IWUGO;
58#else
59static unsigned int proc_ctrl_perms = S_IRUGO | S_IWUSR;
60#endif
61module_param_named(ctrl_perms, proc_ctrl_perms, uint, S_IRUGO | S_IWUSR); 61module_param_named(ctrl_perms, proc_ctrl_perms, uint, S_IRUGO | S_IWUSR);
62 62
63#ifdef CONFIG_ANDROID_PARANOID_NETWORK 63/* Limited by default, so the gid of the ctrl and stats proc entries
64#include <linux/android_aid.h> 64 * will limit what can be done. See the can_*() functions.
65static gid_t proc_stats_readall_gid = AID_NET_BW_STATS; 65 */
66static gid_t proc_ctrl_write_gid = AID_NET_BW_ACCT; 66static bool proc_stats_readall_limited = true;
67#else 67static bool proc_ctrl_write_limited = true;
68/* 0 means, don't limit anybody */ 68
69static gid_t proc_stats_readall_gid; 69module_param_named(stats_readall_limited, proc_stats_readall_limited, bool,
70static gid_t proc_ctrl_write_gid;
71#endif
72module_param_named(stats_readall_gid, proc_stats_readall_gid, uint,
73 S_IRUGO | S_IWUSR); 70 S_IRUGO | S_IWUSR);
74module_param_named(ctrl_write_gid, proc_ctrl_write_gid, uint, 71module_param_named(ctrl_write_limited, proc_ctrl_write_limited, bool,
75 S_IRUGO | S_IWUSR); 72 S_IRUGO | S_IWUSR);
76 73
77/* 74/*
@@ -242,8 +239,9 @@ static struct qtaguid_event_counts qtu_events;
242static bool can_manipulate_uids(void) 239static bool can_manipulate_uids(void)
243{ 240{
244 /* root pwnd */ 241 /* root pwnd */
245 return unlikely(!current_fsuid()) || unlikely(!proc_ctrl_write_gid) 242 return in_egroup_p(xt_qtaguid_ctrl_file->gid)
246 || in_egroup_p(proc_ctrl_write_gid); 243 || unlikely(!current_fsuid()) || unlikely(!proc_ctrl_write_limited)
244 || unlikely(current_fsuid() == xt_qtaguid_ctrl_file->uid);
247} 245}
248 246
249static bool can_impersonate_uid(uid_t uid) 247static bool can_impersonate_uid(uid_t uid)
@@ -254,9 +252,10 @@ static bool can_impersonate_uid(uid_t uid)
254static bool can_read_other_uid_stats(uid_t uid) 252static bool can_read_other_uid_stats(uid_t uid)
255{ 253{
256 /* root pwnd */ 254 /* root pwnd */
257 return unlikely(!current_fsuid()) || uid == current_fsuid() 255 return in_egroup_p(xt_qtaguid_stats_file->gid)
258 || unlikely(!proc_stats_readall_gid) 256 || unlikely(!current_fsuid()) || uid == current_fsuid()
259 || in_egroup_p(proc_stats_readall_gid); 257 || unlikely(!proc_stats_readall_limited)
258 || unlikely(current_fsuid() == xt_qtaguid_ctrl_file->uid);
260} 259}
261 260
262static inline void dc_add_byte_packets(struct data_counters *counters, int set, 261static inline void dc_add_byte_packets(struct data_counters *counters, int set,
@@ -2302,11 +2301,12 @@ static int ctrl_cmd_tag(const char *input)
2302 } 2301 }
2303 CT_DEBUG("qtaguid: ctrl_tag(%s): " 2302 CT_DEBUG("qtaguid: ctrl_tag(%s): "
2304 "pid=%u tgid=%u uid=%u euid=%u fsuid=%u " 2303 "pid=%u tgid=%u uid=%u euid=%u fsuid=%u "
2305 "in_group=%d in_egroup=%d\n", 2304 "ctrl.gid=%u in_group()=%d in_egroup()=%d\n",
2306 input, current->pid, current->tgid, current_uid(), 2305 input, current->pid, current->tgid, current_uid(),
2307 current_euid(), current_fsuid(), 2306 current_euid(), current_fsuid(),
2308 in_group_p(proc_ctrl_write_gid), 2307 xt_qtaguid_ctrl_file->gid,
2309 in_egroup_p(proc_ctrl_write_gid)); 2308 in_group_p(xt_qtaguid_ctrl_file->gid),
2309 in_egroup_p(xt_qtaguid_ctrl_file->gid));
2310 if (argc < 4) { 2310 if (argc < 4) {
2311 uid = current_fsuid(); 2311 uid = current_fsuid();
2312 } else if (!can_impersonate_uid(uid)) { 2312 } else if (!can_impersonate_uid(uid)) {
@@ -2598,10 +2598,11 @@ static int pp_stats_line(struct proc_print_info *ppi, int cnt_set)
2598 && !can_read_other_uid_stats(stat_uid)) { 2598 && !can_read_other_uid_stats(stat_uid)) {
2599 CT_DEBUG("qtaguid: stats line: " 2599 CT_DEBUG("qtaguid: stats line: "
2600 "%s 0x%llx %u: insufficient priv " 2600 "%s 0x%llx %u: insufficient priv "
2601 "from pid=%u tgid=%u uid=%u\n", 2601 "from pid=%u tgid=%u uid=%u stats.gid=%u\n",
2602 ppi->iface_entry->ifname, 2602 ppi->iface_entry->ifname,
2603 get_atag_from_tag(tag), stat_uid, 2603 get_atag_from_tag(tag), stat_uid,
2604 current->pid, current->tgid, current_fsuid()); 2604 current->pid, current->tgid, current_fsuid(),
2605 xt_qtaguid_stats_file->gid);
2605 return 0; 2606 return 0;
2606 } 2607 }
2607 if (ppi->item_index++ < ppi->items_to_skip) 2608 if (ppi->item_index++ < ppi->items_to_skip)