git.kernel.dk Git - linux-2.6-block.git/commit

author	Eric W. Biederman <ebiederm@xmission.com>
	Fri, 25 May 2012 19:49:36 +0000 (13:49 -0600)
committer	Eric W. Biederman <ebiederm@xmission.com>
	Wed, 15 Aug 2012 04:55:28 +0000 (21:55 -0700)
commit	a6c6796c7127de55cfa9bb0cfbb082ec0acd4eab
tree	6723b8c4c3c2ca58e1988e72191468e51299f2a1	tree \| snapshot
parent	af4c6641f5ad445fe6d0832da42406dbd9a37ce4	commit \| diff

userns: Convert cls_flow to work with user namespaces enabled

The flow classifier can use uids and gids of the sockets that
are transmitting packets and do insert those uids and gids
into the packet classification calcuation. I don't fully
understand the details but it appears that we can depend
on specific uids and gids when making traffic classification
decisions.

To work with user namespaces enabled map from kuids and kgids
into uids and gids in the initial user namespace giving raw
integer values the code can play with and depend on.

To avoid issues of userspace depending on uids and gids in
packet classifiers installed from other user namespaces
and getting confused deny all packet classifiers that
use uids or gids that are not comming from a netlink socket
in the initial user namespace.

Cc: Patrick McHardy <kaber@trash.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Changli Gao <xiaosuo@gmail.com>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

init/Kconfig		diff \| blob \| blame \| history
net/sched/cls_flow.c		diff \| blob \| blame \| history