DragonFly submit List (threaded) for 2005-02
Add support to PF for ruid/rgid checking
It's a useful thing to have!
This is a port of the patch provided by Maxime Henrion
<mux@xxxxxxxxxxx>.
His patch is available at http://mu.org/~mux/patches/pf.patch
Enjoy,
Devon
diff -urN usr.sbin/pfctl/parse.y /root/pfctl/parse.y
--- usr.sbin/pfctl/parse.y 2005-02-11 23:31:45.000000000 +0100
+++ /root/pfctl/parse.y 2005-02-28 14:19:03.000000000 +0100
@@ -168,6 +168,8 @@
#define FOM_SRCTRACK 0x10
struct node_uid *uid;
struct node_gid *gid;
+ struct node_uid *ruid;
+ struct node_gid *rgid
struct {
u_int8_t b1;
u_int8_t b2;
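Review bot: The new `struct node_gid *rgid` member of filter_opts has no terminating semicolon, so the `struct {` that follows is parsed as part of the same declaration and the grammar file will not compile; the line should read `struct node_gid *rgid;` exactly like the `ruid` line above it. The enclosing struct begins before this hunk.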
@@ -262,7 +264,8 @@
void expand_rule(struct pf_rule *, struct node_if *, struct node_host *,
struct node_proto *, struct node_os*, struct node_host *,
struct node_port *, struct node_host *, struct node_port *,
- struct node_uid *, struct node_gid *, struct node_icmp *);
+ struct node_uid *, struct node_gid *, struct node_icmp *,
+ struct node_uid *, struct node_gid *);
int expand_altq(struct pf_altq *, struct node_if *, struct node_queue *,
struct node_queue_bw bwspec, struct node_queue_opt *);
int expand_queue(struct pf_altq *, struct node_if *, struct node_queue *,
@@ -331,6 +334,8 @@
struct node_port *port;
struct node_uid *uid;
struct node_gid *gid;
+ struct node_uid *ruid;
+ struct node_gid *rgid;
struct node_state_opt *state_opt;
struct peer peer;
struct {
@@ -407,6 +412,7 @@
%token LOAD
%token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
%token TAGGED TAG IFBOUND GRBOUND FLOATING STATEPOLICY
+%token RUSER RGROUP
%token <v.string> STRING
%token <v.i> PORTBINARY
%type <v.interface> interface if_list if_item_not if_item
@@ -430,6 +436,8 @@
%type <v.port> portspec port_list port_item
%type <v.uid> uids uid_list uid_item
%type <v.gid> gids gid_list gid_item
+%type <v.ruid> ruids
+%type <v.rgid> rgids
%type <v.route> route
%type <v.redirection> redirection redirpool
%type <v.string> label string tag
@@ -621,7 +629,7 @@
expand_rule(&r, $4, NULL, $6, $7.src_os,
$7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
- 0, 0, 0);
+ 0, 0, 0, 0, 0);
}
| NATANCHOR string interface af proto fromto {
struct pf_rule r;
@@ -641,7 +649,7 @@
expand_rule(&r, $3, NULL, $5, $6.src_os,
$6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
- 0, 0, 0);
+ 0, 0, 0, 0, 0);
}
| RDRANCHOR string interface af proto fromto {
struct pf_rule r;
@@ -682,7 +690,7 @@
expand_rule(&r, $3, NULL, $5, $6.src_os,
$6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
- 0, 0, 0);
+ 0, 0, 0, 0, 0);
}
| BINATANCHOR string interface af proto fromto {
struct pf_rule r;
@@ -800,7 +808,7 @@
expand_rule(&r, $4, NULL, $6, $7.src_os,
$7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
- NULL, NULL, NULL);
+ NULL, NULL, NULL, NULL, NULL);
}
;
@@ -916,7 +924,8 @@
if (h != NULL)
expand_rule(&r, j, NULL, NULL, NULL, h,
- NULL, NULL, NULL, NULL, NULL, NULL);
+ NULL, NULL, NULL, NULL, NULL, NULL
+ NULL, NULL);
if ((i->ifa_flags & IFF_LOOPBACK) == 0) {
bzero(&r, sizeof(r));
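Review bot: The rewrapped expand_rule call loses the comma at the end of the first continuation line, so the two added lines read `NULL, NULL, NULL, NULL, NULL, NULL NULL, NULL);`, which is a syntax error; the first added line should end `NULL, NULL, NULL, NULL, NULL, NULL,`. The rule action this call sits in starts and ends outside the hunk.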
@@ -932,7 +941,8 @@
if (h != NULL)
expand_rule(&r, NULL, NULL,
NULL, NULL, h, NULL, NULL,
- NULL, NULL, NULL, NULL);
+ NULL, NULL, NULL, NULL
+ NULL, NULL);
}
}
free($5.label);
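Review bot: Same slip as in the previous hunk: the added line `NULL, NULL, NULL, NULL` has no trailing comma before the `NULL, NULL);` continuation, so the call does not parse; it should read `NULL, NULL, NULL, NULL,`. Both rewrapped calls in this rule action would be easier to check against the new 14-argument prototype if they stayed on one line per group, e.g. uid/gid/icmp on one line and ruid/rgid on the next. The enclosing action begins before this hunk.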
@@ -1701,7 +1711,7 @@
expand_rule(&r, $4, $5.host, $7, $8.src_os,
$8.src.host, $8.src.port, $8.dst.host, $8.dst.port,
- $9.uid, $9.gid, $9.icmpspec);
+ $9.uid, $9.gid, $9.icmpspec, $9.ruid, $9.rgid);
}
;
@@ -1728,6 +1738,16 @@
$2->tail->next = filter_opts.gid;
filter_opts.gid = $2;
}
+ | RUSER ruids {
+ if (filter_opts.ruid)
+ $2->tail->next = filter_opts.ruid;
+ filter_opts.ruid = $2;
+ }
+ | RGROUP rgids {
+ if (filter_opts.rgid)
+ $2->tail->next = filter_opts.rgid;
+ filter_opts.rgid = $2;
+ }
| flags {
if (filter_opts.marker & FOM_FLAGS) {
yyerror("flags cannot be redefined");
@@ -2307,6 +2327,9 @@
| '{' uid_list '}' { $$ = $2; }
;
+ruids : uid_item { $$ = $1; }
+ | '{' uid_list '}' { $$ = $2; }
+
uid_list : uid_item { $$ = $1; }
| uid_list comma uid_item {
$1->tail->next = $3;
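Review bot: The new `ruids` nonterminal is not closed with a `;` line before `uid_list`, unlike the `rgids` rule added further down and every other rule in this file; yacc accepts the omission but it is inconsistent and recent bison versions warn about it, so add the `;` after the second alternative. Note also that `ruids` is token-for-token identical to `uids` and the `v.ruid` union member has the same type as `v.uid`, so the `RUSER` option could simply take `uids` and this duplicate rule and its `%type` entry could be dropped, though that is a matter of taste.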
@@ -2389,6 +2412,10 @@
| '{' gid_list '}' { $$ = $2; }
;
+rgids : gid_item { $$ = $1; }
+ | '{' gid_list '}' ( $$ = $2; }
+ ;
+
gid_list : gid_item { $$ = $1; }
| gid_list comma gid_item {
$1->tail->next = $3;
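Review bot: The second alternative of `rgids` opens its action with `(` instead of `{` — `'{' gid_list '}' ( $$ = $2; }` — and yacc will reject it; it should read `| '{' gid_list '}' { $$ = $2; }`, matching the `gids` rule directly above. As with `ruids`, this rule is identical to `gids` and could be replaced by reusing it.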
@@ -3151,7 +3178,7 @@
expand_rule(&r, $2, $7 == NULL ? NULL : $7->host, $4,
$5.src_os, $5.src.host, $5.src.port, $5.dst.host,
- $5.dst.port, 0, 0, 0);
+ $5.dst.port, 0, 0, 0, 0, 0);
free($7);
}
;
@@ -4098,7 +4125,8 @@
struct node_proto *protos, struct node_os *src_oses,
struct node_host *src_hosts, struct node_port *src_ports,
struct node_host *dst_hosts, struct node_port *dst_ports,
- struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types)
+ struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types,
+ struct node_uid *ruids, struct node_gid *gids)
{
sa_family_t af = r->af;
int added = 0, error = 0;
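Review bot: The new final parameter of expand_rule is named `gids`, which duplicates the existing `struct node_gid *gids` parameter on the line above and is a compile error; it should be `struct node_gid *rgids`, the name the added LOOP_THROUGH and FREE_LIST lines later in this function already use. The prototype hunk earlier in this file orders the new parameters as `(..., icmp_types, ruids, rgids)`, so only the name needs fixing here. expand_rule's body continues well beyond this hunk.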
@@ -4131,6 +4159,8 @@
LOOP_THROUGH(struct node_port, dst_port, dst_ports,
LOOP_THROUGH(struct node_uid, uid, uids,
LOOP_THROUGH(struct node_gid, gid, gids,
+ LOOP_THROUGH(struct node_uid, ruid, ruids,
+ LOOP_THROUGH(struct node_gid, rgid, rgids,
r->af = af;
/* for link-local IPv6 address, interface must match up */
@@ -4197,6 +4227,12 @@
r->gid.op = gid->op;
r->gid.gid[0] = gid->gid[0];
r->gid.gid[1] = gid->gid[1];
+ r->ruid.op = ruid->op;
+ r->ruid.uid[0] = ruid->uid[0];
+ r->ruid.uid[1] = ruid->uid[1];
+ r->rgid.op = rgid->op;
+ r->rgid.gid[0] = rgid->gid[0];
+ r->rgid.gid[1] = rgid->gid[1];
r->type = icmp_type->type;
r->code = icmp_type->code;
@@ -4254,7 +4290,7 @@
added++;
}
- ))))))))));
+ ))))))))))));
FREE_LIST(struct node_if, interfaces);
FREE_LIST(struct node_proto, protos);
@@ -4265,6 +4301,8 @@
FREE_LIST(struct node_port, dst_ports);
FREE_LIST(struct node_uid, uids);
FREE_LIST(struct node_gid, gids);
+ FREE_LIST(struct node_uid, ruids);
+ FREE_LIST(struct node_gid, rgids);
FREE_LIST(struct node_icmp, icmp_types);
FREE_LIST(struct node_host, rpool_hosts);
@@ -4380,9 +4418,11 @@
{ "return-icmp", RETURNICMP},
{ "return-icmp6", RETURNICMP6},
{ "return-rst", RETURNRST},
+ { "rgroup", RGROUP},
{ "round-robin", ROUNDROBIN},
{ "route-to", ROUTETO},
{ "rule", RULE},
+ { "ruser", RUSER},
{ "scrub", SCRUB},
{ "set", SET},
{ "source-hash", SOURCEHASH},
diff -urN usr.sbin/pfctl/pfctl_parser.c /root/pfctl/pfctl_parser.c
--- usr.sbin/pfctl/pfctl_parser.c 2004-09-21 23:25:28.000000000 +0200
+++ /root/pfctl/pfctl_parser.c 2005-02-28 14:19:38.000000000 +0100
@@ -745,6 +745,12 @@
if (r->gid.op)
print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",
GID_MAX);
+ if (r->ruid.op)
+ print_ugid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1], "ruser",
+ UID_MAX);
+ if (r->rgid.op)
+ print_ugid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1], "rgroup",
+ GID_MAX);
if (r->flags || r->flagset) {
printf(" flags ");
print_flags(r->flags);
diff -urN sys/net/pf/pf.c /root/pf/pf.c
--- sys/net/pf/pf.c 2005-02-11 23:25:57.000000000 +0100
+++ /root/pf/pf.c 2005-02-28 14:30:13.000000000 +0100
@@ -204,7 +204,7 @@
struct ifnet *, struct pf_state *);
void pf_route6(struct mbuf **, struct pf_rule *, int,
struct ifnet *, struct pf_state *);
-int pf_socket_lookup(uid_t *, gid_t *,
+int pf_socket_lookup(uid_t *, gid_t *, uid_t *, gid_t *,
int, struct pf_pdesc *);
u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t,
sa_family_t);
@@ -2186,7 +2186,8 @@
#endif /* SMP */
int
-pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd)
+pf_socket_lookup(uid_t *uid, gid_t *gid, uid_t *ruid, gid_t *rgid,
+ int direction, struct pf_pdesc *pd)
{
struct pf_addr *saddr, *daddr;
u_int16_t sport, dport;
@@ -2199,6 +2200,8 @@
*uid = UID_MAX;
*gid = GID_MAX;
+ *ruid = UID_MAX;
+ *rgid = GID_MAX;
if (direction == PF_IN) {
saddr = pd->src;
daddr = pd->dst;
@@ -2298,6 +2301,8 @@
}
*uid = inp->inp_socket->so_cred->cr_uid;
*gid = inp->inp_socket->so_cred->cr_groups[0];
+ *ruid = inp->inp_socket->so_cred->cr_ruid;
+ *rgid = inp->inp_socket->so_cred->cr_rgid;
return (1);
}
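Review bot: The real uid/gid are taken from `inp->inp_socket->so_cred`, so `ruser`/`rgroup` match whatever credential the socket carries, which (assuming so_cred is captured at socket creation as on the other BSDs) is not updated if the process later calls setuid(); that is the same limitation the existing `user`/`group` checks have, but since the point of a real-uid match is usually to see through set-uid programs it deserves a comment, e.g. `/* so_cred is the credential attached to the socket, not the process's current one */`. It would also be worth confirming that DragonFly's `struct ucred` provides `cr_ruid`/`cr_rgid` with the intended meaning, since this patch was ported from another BSD and the surrounding code only ever touched `cr_uid` and `cr_groups[0]`.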
@@ -2467,8 +2472,8 @@
u_int16_t bport, nport = 0;
sa_family_t af = pd->af;
int lookup = -1;
- uid_t uid;
- gid_t gid;
+ uid_t uid, ruid;
+ gid_t gid, rgid;
struct pf_rule *r, *a = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_src_node *nsn = NULL;
@@ -2537,15 +2542,29 @@
else if ((r->flagset & th->th_flags) != r->flags)
r = TAILQ_NEXT(r, entries);
else if (r->uid.op && (lookup != -1 || (lookup =
- pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
+ pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+ pd), 1)) &&
!pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
uid))
r = TAILQ_NEXT(r, entries);
+ else if (r->ruid.op && (lookup != -1 || (lookup =
+ pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+ pd, inp), 1)) &&
+ !pf_match_uid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1],
+ ruid))
+ r = TAILQ_NEXT(r, entries);
else if (r->gid.op && (lookup != -1 || (lookup =
- pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
+ pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+ pd), 1)) &&
!pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
gid))
r = TAILQ_NEXT(r, entries);
+ else if (r->rgid.op && (lookup != -1 || (lookup =
+ pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+ pd, inp), 1)) &&
+ !pf_match_gid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1],
+ rgid))
+ r = TAILQ_NEXT(r, entries);
else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
r = TAILQ_NEXT(r, entries);
else if (r->anchorname[0] && r->anchor == NULL)
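Review bot: The two new `ruid`/`rgid` branches call `pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, pd, inp)` with seven arguments, but the prototype changed earlier in this patch takes six and no `inp` is declared among the locals shown, so this will not compile; both calls should end `direction, pd), 1)) &&` like the adjacent `uid`/`gid` branches. The stray `inp` looks like a leftover of the FreeBSD pf_socket_lookup signature the original patch was written against. The enclosing function (pf_test_tcp, judging by the `th_flags` check) starts and ends outside this hunk.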
@@ -2818,8 +2837,8 @@
u_int16_t bport, nport = 0;
sa_family_t af = pd->af;
int lookup = -1;
- uid_t uid;
- gid_t gid;
+ uid_t uid, ruid;
+ gid_t gid, rgid;
struct pf_rule *r, *a = NULL;
struct pf_ruleset *ruleset = NULL;
struct pf_src_node *nsn = NULL;
@@ -2885,15 +2904,29 @@
else if (r->rule_flag & PFRULE_FRAGMENT)
r = TAILQ_NEXT(r, entries);
else if (r->uid.op && (lookup != -1 || (lookup =
- pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
+ pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+ pd), 1)) &&
!pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
uid))
r = TAILQ_NEXT(r, entries);
+ else if (r->ruid.op && (lookup != -1 || (lookup =
+ pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+ pd, inp), 1)) &&
+ !pf_match_uid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1],
+ ruid))
+ r = TAILQ_NEXT(r, entries);
else if (r->gid.op && (lookup != -1 || (lookup =
- pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
+ pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+ pd), 1)) &&
!pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
gid))
r = TAILQ_NEXT(r, entries);
+ else if (r->rgid.op && (lookup != -1 || (lookup =
+ pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+ pd, inp), 1)) &&
+ !pf_match_gid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1],
+ rgid))
+ r = TAILQ_NEXT(r, entries);
else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
r = TAILQ_NEXT(r, entries);
else if (r->anchorname[0] && r->anchor == NULL)
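Review bot: As in the TCP path, the added `ruid`/`rgid` branches pass an extra `inp` argument to `pf_socket_lookup`, which does not match the six-parameter prototype in this patch and is not a declared local here; drop it so both calls read `pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, pd), 1)) &&`. Since the four branches now differ only in which field and matcher they use, keeping the call text identical also makes it obvious that the cached `lookup` result is shared between them. The enclosing function starts and ends outside this hunk.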
diff -urN sys/net/pf/pfvar.h /root/pf/pfvar.h
--- sys/net/pf/pfvar.h 2005-02-11 23:25:57.000000000 +0100
+++ /root/pf/pfvar.h 2005-02-28 14:30:35.000000000 +0100
@@ -560,6 +560,8 @@
struct pf_rule_uid uid;
struct pf_rule_gid gid;
+ struct pf_rule_uid ruid;
+ struct pf_rule_gid rgid;
u_int32_t rule_flag;
u_int8_t action;
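Review bot: Inserting `ruid`/`rgid` into the middle of `struct pf_rule` changes the size and layout of a structure that pfctl hands to the kernel through the pf ioctls, so a pfctl and kernel built from different trees will disagree on the offset of every field after `gid` and load misinterpreted rules rather than failing cleanly; the commit message should say that kernel, pfctl and any other consumer of struct pf_rule must be rebuilt together. Appending the two fields at the end of the struct would at least leave the existing offsets untouched. A short comment next to the new members, e.g. `/* struct pf_rule is copied to/from userland by pfctl; keep layout in sync */`, would help the next person who extends it.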