Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 1 | /* |
| 2 | * libxt_owner - iptables addon for xt_owner |
| 3 | * |
| 4 | * Copyright © CC Computer Consultants GmbH, 2007 - 2008 |
| 5 | * Jan Engelhardt <jengelh@computergmbh.de> |
| 6 | */ |
| 7 | #include <getopt.h> |
| 8 | #include <grp.h> |
| 9 | #include <netdb.h> |
| 10 | #include <pwd.h> |
| 11 | #include <stdbool.h> |
| 12 | #include <stdio.h> |
| 13 | #include <stdlib.h> |
| 14 | #include <string.h> |
Phil Oester | 9a90f90 | 2008-09-01 15:07:26 +0200 | [diff] [blame] | 15 | #include <limits.h> |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 16 | |
| 17 | #include <xtables.h> |
| 18 | #include <linux/netfilter/xt_owner.h> |
| 19 | #include <linux/netfilter_ipv4/ipt_owner.h> |
| 20 | #include <linux/netfilter_ipv6/ip6t_owner.h> |
| 21 | |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 22 | /* |
| 23 | * Note: "UINT32_MAX - 1" is used in the code because -1 is a reserved |
| 24 | * UID/GID value anyway. |
| 25 | */ |
| 26 | |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 27 | enum { |
| 28 | FLAG_UID_OWNER = 1 << 0, |
| 29 | FLAG_GID_OWNER = 1 << 1, |
| 30 | FLAG_SOCKET_EXISTS = 1 << 2, |
| 31 | FLAG_PID_OWNER = 1 << 3, |
| 32 | FLAG_SID_OWNER = 1 << 4, |
| 33 | FLAG_COMM = 1 << 5, |
| 34 | }; |
| 35 | |
| 36 | static void owner_mt_help_v0(void) |
| 37 | { |
| 38 | #ifdef IPT_OWNER_COMM |
| 39 | printf( |
| 40 | "owner match options:\n" |
| 41 | "[!] --uid-owner userid Match local UID\n" |
| 42 | "[!] --gid-owner groupid Match local GID\n" |
| 43 | "[!] --pid-owner processid Match local PID\n" |
| 44 | "[!] --sid-owner sessionid Match local SID\n" |
| 45 | "[!] --cmd-owner name Match local command name\n" |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 46 | "NOTE: PID, SID and command matching are broken on SMP\n"); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 47 | #else |
| 48 | printf( |
| 49 | "owner match options:\n" |
| 50 | "[!] --uid-owner userid Match local UID\n" |
| 51 | "[!] --gid-owner groupid Match local GID\n" |
| 52 | "[!] --pid-owner processid Match local PID\n" |
| 53 | "[!] --sid-owner sessionid Match local SID\n" |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 54 | "NOTE: PID and SID matching are broken on SMP\n"); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 55 | #endif /* IPT_OWNER_COMM */ |
| 56 | } |
| 57 | |
| 58 | static void owner_mt6_help_v0(void) |
| 59 | { |
| 60 | printf( |
| 61 | "owner match options:\n" |
| 62 | "[!] --uid-owner userid Match local UID\n" |
| 63 | "[!] --gid-owner groupid Match local GID\n" |
| 64 | "[!] --pid-owner processid Match local PID\n" |
| 65 | "[!] --sid-owner sessionid Match local SID\n" |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 66 | "NOTE: PID and SID matching are broken on SMP\n"); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 67 | } |
| 68 | |
| 69 | static void owner_mt_help(void) |
| 70 | { |
| 71 | printf( |
| 72 | "owner match options:\n" |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 73 | "[!] --uid-owner userid[-userid] Match local UID\n" |
| 74 | "[!] --gid-owner groupid[-groupid] Match local GID\n" |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 75 | "[!] --socket-exists Match if socket exists\n"); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 76 | } |
| 77 | |
| 78 | static const struct option owner_mt_opts_v0[] = { |
| 79 | {.name = "uid-owner", .has_arg = true, .val = 'u'}, |
| 80 | {.name = "gid-owner", .has_arg = true, .val = 'g'}, |
| 81 | {.name = "pid-owner", .has_arg = true, .val = 'p'}, |
| 82 | {.name = "sid-owner", .has_arg = true, .val = 's'}, |
| 83 | #ifdef IPT_OWNER_COMM |
| 84 | {.name = "cmd-owner", .has_arg = true, .val = 'c'}, |
| 85 | #endif |
Max Kellermann | 9ee386a | 2008-01-29 13:48:05 +0000 | [diff] [blame] | 86 | { .name = NULL } |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 87 | }; |
| 88 | |
| 89 | static const struct option owner_mt6_opts_v0[] = { |
| 90 | {.name = "uid-owner", .has_arg = true, .val = 'u'}, |
| 91 | {.name = "gid-owner", .has_arg = true, .val = 'g'}, |
| 92 | {.name = "pid-owner", .has_arg = true, .val = 'p'}, |
| 93 | {.name = "sid-owner", .has_arg = true, .val = 's'}, |
Max Kellermann | 9ee386a | 2008-01-29 13:48:05 +0000 | [diff] [blame] | 94 | { .name = NULL } |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 95 | }; |
| 96 | |
| 97 | static const struct option owner_mt_opts[] = { |
| 98 | {.name = "uid-owner", .has_arg = true, .val = 'u'}, |
| 99 | {.name = "gid-owner", .has_arg = true, .val = 'g'}, |
| 100 | {.name = "socket-exists", .has_arg = false, .val = 'k'}, |
Max Kellermann | 9ee386a | 2008-01-29 13:48:05 +0000 | [diff] [blame] | 101 | { .name = NULL } |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 102 | }; |
| 103 | |
| 104 | static int |
| 105 | owner_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags, |
| 106 | const void *entry, struct xt_entry_match **match) |
| 107 | { |
| 108 | struct ipt_owner_info *info = (void *)(*match)->data; |
| 109 | struct passwd *pwd; |
| 110 | struct group *grp; |
| 111 | unsigned int id; |
| 112 | |
| 113 | switch (c) { |
| 114 | case 'u': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 115 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner", *flags & FLAG_UID_OWNER); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 116 | if ((pwd = getpwnam(optarg)) != NULL) |
| 117 | id = pwd->pw_uid; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 118 | else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 119 | xtables_param_act(XTF_BAD_VALUE, "owner", "--uid-owner", optarg); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 120 | if (invert) |
| 121 | info->invert |= IPT_OWNER_UID; |
| 122 | info->match |= IPT_OWNER_UID; |
| 123 | info->uid = id; |
| 124 | *flags |= FLAG_UID_OWNER; |
| 125 | return true; |
| 126 | |
| 127 | case 'g': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 128 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner", *flags & FLAG_GID_OWNER); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 129 | if ((grp = getgrnam(optarg)) != NULL) |
| 130 | id = grp->gr_gid; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 131 | else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 132 | xtables_param_act(XTF_BAD_VALUE, "owner", "--gid-owner", optarg); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 133 | if (invert) |
| 134 | info->invert |= IPT_OWNER_GID; |
| 135 | info->match |= IPT_OWNER_GID; |
| 136 | info->gid = id; |
| 137 | *flags |= FLAG_GID_OWNER; |
| 138 | return true; |
| 139 | |
| 140 | case 'p': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 141 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--pid-owner", *flags & FLAG_PID_OWNER); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 142 | if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 143 | xtables_param_act(XTF_BAD_VALUE, "owner", "--pid-owner", optarg); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 144 | if (invert) |
| 145 | info->invert |= IPT_OWNER_PID; |
| 146 | info->match |= IPT_OWNER_PID; |
| 147 | info->pid = id; |
| 148 | *flags |= FLAG_PID_OWNER; |
| 149 | return true; |
| 150 | |
| 151 | case 's': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 152 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--sid-owner", *flags & FLAG_SID_OWNER); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 153 | if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 154 | xtables_param_act(XTF_BAD_VALUE, "owner", "--sid-value", optarg); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 155 | if (invert) |
| 156 | info->invert |= IPT_OWNER_SID; |
| 157 | info->match |= IPT_OWNER_SID; |
| 158 | info->sid = id; |
| 159 | *flags |= FLAG_SID_OWNER; |
| 160 | return true; |
| 161 | |
| 162 | #ifdef IPT_OWNER_COMM |
| 163 | case 'c': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 164 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--cmd-owner", *flags & FLAG_COMM); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 165 | if (strlen(optarg) > sizeof(info->comm)) |
| 166 | exit_error(PARAMETER_PROBLEM, "owner match: command " |
| 167 | "\"%s\" too long, max. %zu characters", |
| 168 | optarg, sizeof(info->comm)); |
| 169 | |
| 170 | info->comm[sizeof(info->comm)-1] = '\0'; |
| 171 | strncpy(info->comm, optarg, sizeof(info->comm)); |
| 172 | |
| 173 | if (invert) |
| 174 | info->invert |= IPT_OWNER_COMM; |
| 175 | info->match |= IPT_OWNER_COMM; |
| 176 | *flags |= FLAG_COMM; |
| 177 | return true; |
| 178 | #endif |
| 179 | } |
| 180 | return false; |
| 181 | } |
| 182 | |
| 183 | static int |
| 184 | owner_mt6_parse_v0(int c, char **argv, int invert, unsigned int *flags, |
| 185 | const void *entry, struct xt_entry_match **match) |
| 186 | { |
| 187 | struct ip6t_owner_info *info = (void *)(*match)->data; |
| 188 | struct passwd *pwd; |
| 189 | struct group *grp; |
| 190 | unsigned int id; |
| 191 | |
| 192 | switch (c) { |
| 193 | case 'u': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 194 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner", |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 195 | *flags & FLAG_UID_OWNER); |
| 196 | if ((pwd = getpwnam(optarg)) != NULL) |
| 197 | id = pwd->pw_uid; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 198 | else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 199 | xtables_param_act(XTF_BAD_VALUE, "owner", "--uid-owner", optarg); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 200 | if (invert) |
| 201 | info->invert |= IP6T_OWNER_UID; |
| 202 | info->match |= IP6T_OWNER_UID; |
| 203 | info->uid = id; |
| 204 | *flags |= FLAG_UID_OWNER; |
| 205 | return true; |
| 206 | |
| 207 | case 'g': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 208 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner", |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 209 | *flags & FLAG_GID_OWNER); |
| 210 | if ((grp = getgrnam(optarg)) != NULL) |
| 211 | id = grp->gr_gid; |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 212 | else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 213 | xtables_param_act(XTF_BAD_VALUE, "owner", "--gid-owner", optarg); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 214 | if (invert) |
| 215 | info->invert |= IP6T_OWNER_GID; |
| 216 | info->match |= IP6T_OWNER_GID; |
| 217 | info->gid = id; |
| 218 | *flags |= FLAG_GID_OWNER; |
| 219 | return true; |
| 220 | |
| 221 | case 'p': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 222 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--pid-owner", |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 223 | *flags & FLAG_PID_OWNER); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 224 | if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 225 | xtables_param_act(XTF_BAD_VALUE, "owner", "--pid-owner", optarg); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 226 | if (invert) |
| 227 | info->invert |= IP6T_OWNER_PID; |
| 228 | info->match |= IP6T_OWNER_PID; |
| 229 | info->pid = id; |
| 230 | *flags |= FLAG_PID_OWNER; |
| 231 | return true; |
| 232 | |
| 233 | case 's': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 234 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--sid-owner", |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 235 | *flags & FLAG_SID_OWNER); |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 236 | if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 237 | xtables_param_act(XTF_BAD_VALUE, "owner", "--sid-owner", optarg); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 238 | if (invert) |
| 239 | info->invert |= IP6T_OWNER_SID; |
| 240 | info->match |= IP6T_OWNER_SID; |
| 241 | info->sid = id; |
| 242 | *flags |= FLAG_SID_OWNER; |
| 243 | return true; |
| 244 | } |
| 245 | return false; |
| 246 | } |
| 247 | |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 248 | static void owner_parse_range(const char *s, unsigned int *from, |
| 249 | unsigned int *to, const char *opt) |
| 250 | { |
| 251 | char *end; |
| 252 | |
Jan Engelhardt | 7a63ca7 | 2009-01-27 17:34:58 +0100 | [diff] [blame] | 253 | /* -1 is reversed, so the max is one less than that. */ |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 254 | if (!xtables_strtoui(s, &end, from, 0, UINT32_MAX - 1)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 255 | xtables_param_act(XTF_BAD_VALUE, "owner", opt, s); |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 256 | *to = *from; |
| 257 | if (*end == '-' || *end == ':') |
Jan Engelhardt | 5f2922c | 2009-01-27 18:43:01 +0100 | [diff] [blame] | 258 | if (!xtables_strtoui(end + 1, &end, to, 0, UINT32_MAX - 1)) |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 259 | xtables_param_act(XTF_BAD_VALUE, "owner", opt, s); |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 260 | if (*end != '\0') |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 261 | xtables_param_act(XTF_BAD_VALUE, "owner", opt, s); |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 262 | } |
| 263 | |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 264 | static int owner_mt_parse(int c, char **argv, int invert, unsigned int *flags, |
| 265 | const void *entry, struct xt_entry_match **match) |
| 266 | { |
| 267 | struct xt_owner_match_info *info = (void *)(*match)->data; |
| 268 | struct passwd *pwd; |
| 269 | struct group *grp; |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 270 | unsigned int from, to; |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 271 | |
| 272 | switch (c) { |
| 273 | case 'u': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 274 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner", |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 275 | *flags & FLAG_UID_OWNER); |
| 276 | if ((pwd = getpwnam(optarg)) != NULL) |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 277 | from = to = pwd->pw_uid; |
| 278 | else |
| 279 | owner_parse_range(optarg, &from, &to, "--uid-owner"); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 280 | if (invert) |
| 281 | info->invert |= XT_OWNER_UID; |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 282 | info->match |= XT_OWNER_UID; |
| 283 | info->uid_min = from; |
| 284 | info->uid_max = to; |
| 285 | *flags |= FLAG_UID_OWNER; |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 286 | return true; |
| 287 | |
| 288 | case 'g': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 289 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner", |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 290 | *flags & FLAG_GID_OWNER); |
| 291 | if ((grp = getgrnam(optarg)) != NULL) |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 292 | from = to = grp->gr_gid; |
| 293 | else |
| 294 | owner_parse_range(optarg, &from, &to, "--gid-owner"); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 295 | if (invert) |
| 296 | info->invert |= XT_OWNER_GID; |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 297 | info->match |= XT_OWNER_GID; |
| 298 | info->gid_min = from; |
| 299 | info->gid_max = to; |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 300 | *flags |= FLAG_GID_OWNER; |
| 301 | return true; |
| 302 | |
| 303 | case 'k': |
Jan Engelhardt | a41545c | 2009-01-27 21:27:19 +0100 | [diff] [blame] | 304 | xtables_param_act(XTF_ONLY_ONCE, "owner", "--socket-exists", |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 305 | *flags & FLAG_SOCKET_EXISTS); |
| 306 | if (invert) |
| 307 | info->invert |= XT_OWNER_SOCKET; |
| 308 | info->match |= XT_OWNER_SOCKET; |
| 309 | *flags |= FLAG_SOCKET_EXISTS; |
| 310 | return true; |
| 311 | |
| 312 | } |
| 313 | return false; |
| 314 | } |
| 315 | |
| 316 | static void owner_mt_check(unsigned int flags) |
| 317 | { |
| 318 | if (flags == 0) |
| 319 | exit_error(PARAMETER_PROBLEM, "owner: At least one of " |
| 320 | "--uid-owner, --gid-owner or --socket-exists " |
| 321 | "is required"); |
| 322 | } |
| 323 | |
| 324 | static void |
| 325 | owner_mt_print_item_v0(const struct ipt_owner_info *info, const char *label, |
| 326 | u_int8_t flag, bool numeric) |
| 327 | { |
| 328 | if (!(info->match & flag)) |
| 329 | return; |
| 330 | if (info->invert & flag) |
| 331 | printf("! "); |
Daniel Drake | cfb9cf0 | 2009-01-19 15:36:41 +0100 | [diff] [blame] | 332 | printf("%s ", label); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 333 | |
| 334 | switch (info->match & flag) { |
| 335 | case IPT_OWNER_UID: |
| 336 | if (!numeric) { |
| 337 | struct passwd *pwd = getpwuid(info->uid); |
| 338 | |
| 339 | if (pwd != NULL && pwd->pw_name != NULL) { |
| 340 | printf("%s ", pwd->pw_name); |
| 341 | break; |
| 342 | } |
| 343 | } |
| 344 | printf("%u ", (unsigned int)info->uid); |
| 345 | break; |
| 346 | |
| 347 | case IPT_OWNER_GID: |
| 348 | if (!numeric) { |
| 349 | struct group *grp = getgrgid(info->gid); |
| 350 | |
| 351 | if (grp != NULL && grp->gr_name != NULL) { |
| 352 | printf("%s ", grp->gr_name); |
| 353 | break; |
| 354 | } |
| 355 | } |
| 356 | printf("%u ", (unsigned int)info->gid); |
| 357 | break; |
| 358 | |
| 359 | case IPT_OWNER_PID: |
| 360 | printf("%u ", (unsigned int)info->pid); |
| 361 | break; |
| 362 | |
| 363 | case IPT_OWNER_SID: |
| 364 | printf("%u ", (unsigned int)info->sid); |
| 365 | break; |
| 366 | |
| 367 | #ifdef IPT_OWNER_COMM |
| 368 | case IPT_OWNER_COMM: |
| 369 | printf("%.*s ", (int)sizeof(info->comm), info->comm); |
| 370 | break; |
| 371 | #endif |
| 372 | } |
| 373 | } |
| 374 | |
| 375 | static void |
| 376 | owner_mt6_print_item_v0(const struct ip6t_owner_info *info, const char *label, |
| 377 | u_int8_t flag, bool numeric) |
| 378 | { |
| 379 | if (!(info->match & flag)) |
| 380 | return; |
| 381 | if (info->invert & flag) |
| 382 | printf("! "); |
Daniel Drake | cfb9cf0 | 2009-01-19 15:36:41 +0100 | [diff] [blame] | 383 | printf("%s ", label); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 384 | |
| 385 | switch (info->match & flag) { |
| 386 | case IP6T_OWNER_UID: |
| 387 | if (!numeric) { |
| 388 | struct passwd *pwd = getpwuid(info->uid); |
| 389 | |
| 390 | if (pwd != NULL && pwd->pw_name != NULL) { |
| 391 | printf("%s ", pwd->pw_name); |
| 392 | break; |
| 393 | } |
| 394 | } |
| 395 | printf("%u ", (unsigned int)info->uid); |
| 396 | break; |
| 397 | |
| 398 | case IP6T_OWNER_GID: |
| 399 | if (!numeric) { |
| 400 | struct group *grp = getgrgid(info->gid); |
| 401 | |
| 402 | if (grp != NULL && grp->gr_name != NULL) { |
| 403 | printf("%s ", grp->gr_name); |
| 404 | break; |
| 405 | } |
| 406 | } |
| 407 | printf("%u ", (unsigned int)info->gid); |
| 408 | break; |
| 409 | |
| 410 | case IP6T_OWNER_PID: |
| 411 | printf("%u ", (unsigned int)info->pid); |
| 412 | break; |
| 413 | |
| 414 | case IP6T_OWNER_SID: |
| 415 | printf("%u ", (unsigned int)info->sid); |
| 416 | break; |
| 417 | } |
| 418 | } |
| 419 | |
| 420 | static void |
| 421 | owner_mt_print_item(const struct xt_owner_match_info *info, const char *label, |
| 422 | u_int8_t flag, bool numeric) |
| 423 | { |
| 424 | if (!(info->match & flag)) |
| 425 | return; |
| 426 | if (info->invert & flag) |
| 427 | printf("! "); |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 428 | printf("%s ", label); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 429 | |
| 430 | switch (info->match & flag) { |
| 431 | case XT_OWNER_UID: |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 432 | if (info->uid_min != info->uid_max) { |
| 433 | printf("%u-%u ", (unsigned int)info->uid_min, |
| 434 | (unsigned int)info->uid_max); |
| 435 | break; |
| 436 | } else if (!numeric) { |
| 437 | const struct passwd *pwd = getpwuid(info->uid_min); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 438 | |
| 439 | if (pwd != NULL && pwd->pw_name != NULL) { |
| 440 | printf("%s ", pwd->pw_name); |
| 441 | break; |
| 442 | } |
| 443 | } |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 444 | printf("%u ", (unsigned int)info->uid_min); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 445 | break; |
| 446 | |
| 447 | case XT_OWNER_GID: |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 448 | if (info->gid_min != info->gid_max) { |
| 449 | printf("%u-%u ", (unsigned int)info->gid_min, |
| 450 | (unsigned int)info->gid_max); |
| 451 | break; |
| 452 | } else if (!numeric) { |
| 453 | const struct group *grp = getgrgid(info->gid_min); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 454 | |
| 455 | if (grp != NULL && grp->gr_name != NULL) { |
| 456 | printf("%s ", grp->gr_name); |
| 457 | break; |
| 458 | } |
| 459 | } |
Jan Engelhardt | ca1da70 | 2008-01-29 13:38:05 +0000 | [diff] [blame] | 460 | printf("%u ", (unsigned int)info->gid_min); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 461 | break; |
| 462 | } |
| 463 | } |
| 464 | |
| 465 | static void |
| 466 | owner_mt_print_v0(const void *ip, const struct xt_entry_match *match, |
| 467 | int numeric) |
| 468 | { |
| 469 | const struct ipt_owner_info *info = (void *)match->data; |
| 470 | |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 471 | owner_mt_print_item_v0(info, "owner UID match", IPT_OWNER_UID, numeric); |
| 472 | owner_mt_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric); |
| 473 | owner_mt_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric); |
| 474 | owner_mt_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 475 | #ifdef IPT_OWNER_COMM |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 476 | owner_mt_print_item_v0(info, "owner CMD match", IPT_OWNER_COMM, numeric); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 477 | #endif |
| 478 | } |
| 479 | |
| 480 | static void |
| 481 | owner_mt6_print_v0(const void *ip, const struct xt_entry_match *match, |
| 482 | int numeric) |
| 483 | { |
| 484 | const struct ip6t_owner_info *info = (void *)match->data; |
| 485 | |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 486 | owner_mt6_print_item_v0(info, "owner UID match", IPT_OWNER_UID, numeric); |
| 487 | owner_mt6_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric); |
| 488 | owner_mt6_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric); |
| 489 | owner_mt6_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 490 | } |
| 491 | |
| 492 | static void owner_mt_print(const void *ip, const struct xt_entry_match *match, |
| 493 | int numeric) |
| 494 | { |
| 495 | const struct xt_owner_match_info *info = (void *)match->data; |
| 496 | |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 497 | owner_mt_print_item(info, "owner socket exists", XT_OWNER_SOCKET, numeric); |
| 498 | owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric); |
| 499 | owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 500 | } |
| 501 | |
| 502 | static void |
| 503 | owner_mt_save_v0(const void *ip, const struct xt_entry_match *match) |
| 504 | { |
| 505 | const struct ipt_owner_info *info = (void *)match->data; |
| 506 | |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 507 | owner_mt_print_item_v0(info, "--uid-owner", IPT_OWNER_UID, true); |
| 508 | owner_mt_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true); |
| 509 | owner_mt_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true); |
| 510 | owner_mt_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 511 | #ifdef IPT_OWNER_COMM |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 512 | owner_mt_print_item_v0(info, "--cmd-owner", IPT_OWNER_COMM, true); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 513 | #endif |
| 514 | } |
| 515 | |
| 516 | static void |
| 517 | owner_mt6_save_v0(const void *ip, const struct xt_entry_match *match) |
| 518 | { |
| 519 | const struct ip6t_owner_info *info = (void *)match->data; |
| 520 | |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 521 | owner_mt6_print_item_v0(info, "--uid-owner", IPT_OWNER_UID, true); |
| 522 | owner_mt6_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true); |
| 523 | owner_mt6_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true); |
| 524 | owner_mt6_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 525 | } |
| 526 | |
| 527 | static void owner_mt_save(const void *ip, const struct xt_entry_match *match) |
| 528 | { |
| 529 | const struct xt_owner_match_info *info = (void *)match->data; |
| 530 | |
Jan Engelhardt | bb9284d | 2008-06-06 14:20:05 +0200 | [diff] [blame] | 531 | owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, false); |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 532 | owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, false); |
| 533 | owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false); |
| 534 | } |
| 535 | |
| 536 | static struct xtables_match owner_mt_reg_v0 = { |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 537 | .version = XTABLES_VERSION, |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 538 | .name = "owner", |
| 539 | .revision = 0, |
Jan Engelhardt | 03d9948 | 2008-11-18 12:27:54 +0100 | [diff] [blame] | 540 | .family = NFPROTO_IPV4, |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 541 | .size = XT_ALIGN(sizeof(struct ipt_owner_info)), |
| 542 | .userspacesize = XT_ALIGN(sizeof(struct ipt_owner_info)), |
| 543 | .help = owner_mt_help_v0, |
| 544 | .parse = owner_mt_parse_v0, |
| 545 | .final_check = owner_mt_check, |
| 546 | .print = owner_mt_print_v0, |
| 547 | .save = owner_mt_save_v0, |
| 548 | .extra_opts = owner_mt_opts_v0, |
| 549 | }; |
| 550 | |
| 551 | static struct xtables_match owner_mt6_reg_v0 = { |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 552 | .version = XTABLES_VERSION, |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 553 | .name = "owner", |
| 554 | .revision = 0, |
Jan Engelhardt | 03d9948 | 2008-11-18 12:27:54 +0100 | [diff] [blame] | 555 | .family = NFPROTO_IPV6, |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 556 | .size = XT_ALIGN(sizeof(struct ip6t_owner_info)), |
| 557 | .userspacesize = XT_ALIGN(sizeof(struct ip6t_owner_info)), |
| 558 | .help = owner_mt6_help_v0, |
| 559 | .parse = owner_mt6_parse_v0, |
| 560 | .final_check = owner_mt_check, |
| 561 | .print = owner_mt6_print_v0, |
| 562 | .save = owner_mt6_save_v0, |
| 563 | .extra_opts = owner_mt6_opts_v0, |
| 564 | }; |
| 565 | |
| 566 | static struct xtables_match owner_mt_reg = { |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 567 | .version = XTABLES_VERSION, |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 568 | .name = "owner", |
| 569 | .revision = 1, |
Jan Engelhardt | 03d9948 | 2008-11-18 12:27:54 +0100 | [diff] [blame] | 570 | .family = NFPROTO_IPV4, |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 571 | .size = XT_ALIGN(sizeof(struct xt_owner_match_info)), |
| 572 | .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)), |
| 573 | .help = owner_mt_help, |
| 574 | .parse = owner_mt_parse, |
| 575 | .final_check = owner_mt_check, |
| 576 | .print = owner_mt_print, |
| 577 | .save = owner_mt_save, |
| 578 | .extra_opts = owner_mt_opts, |
| 579 | }; |
| 580 | |
| 581 | static struct xtables_match owner_mt6_reg = { |
Jan Engelhardt | 8b7c64d | 2008-04-15 11:48:25 +0200 | [diff] [blame] | 582 | .version = XTABLES_VERSION, |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 583 | .name = "owner", |
| 584 | .revision = 1, |
Jan Engelhardt | 03d9948 | 2008-11-18 12:27:54 +0100 | [diff] [blame] | 585 | .family = NFPROTO_IPV6, |
Jan Engelhardt | 5c5cd88 | 2008-01-20 13:21:38 +0000 | [diff] [blame] | 586 | .size = XT_ALIGN(sizeof(struct xt_owner_match_info)), |
| 587 | .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)), |
| 588 | .help = owner_mt_help, |
| 589 | .parse = owner_mt_parse, |
| 590 | .final_check = owner_mt_check, |
| 591 | .print = owner_mt_print, |
| 592 | .save = owner_mt_save, |
| 593 | .extra_opts = owner_mt_opts, |
| 594 | }; |
| 595 | |
| 596 | void _init(void) |
| 597 | { |
| 598 | xtables_register_match(&owner_mt_reg_v0); |
| 599 | xtables_register_match(&owner_mt6_reg_v0); |
| 600 | xtables_register_match(&owner_mt_reg); |
| 601 | xtables_register_match(&owner_mt6_reg); |
| 602 | } |