summaryrefslogtreecommitdiff
path: root/extensions/libxt_owner.c
diff options
context:
space:
mode:
Diffstat (limited to 'extensions/libxt_owner.c')
-rw-r--r--extensions/libxt_owner.c614
1 files changed, 614 insertions, 0 deletions
diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
new file mode 100644
index 0000000..b595d97
--- /dev/null
+++ b/extensions/libxt_owner.c
@@ -0,0 +1,614 @@
+/*
+ * libxt_owner - iptables addon for xt_owner
+ *
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <getopt.h>
+#include <grp.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+
+#include <xtables.h>
+#include <linux/netfilter/xt_owner.h>
+
+/* match and invert flags */
+enum {
+ IPT_OWNER_UID = 0x01,
+ IPT_OWNER_GID = 0x02,
+ IPT_OWNER_PID = 0x04,
+ IPT_OWNER_SID = 0x08,
+ IPT_OWNER_COMM = 0x10,
+ IP6T_OWNER_UID = IPT_OWNER_UID,
+ IP6T_OWNER_GID = IPT_OWNER_GID,
+ IP6T_OWNER_PID = IPT_OWNER_PID,
+ IP6T_OWNER_SID = IPT_OWNER_SID,
+ IP6T_OWNER_COMM = IPT_OWNER_COMM,
+};
+
+struct ipt_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
+ char comm[16];
+ u_int8_t match, invert; /* flags */
+};
+
+struct ip6t_owner_info {
+ uid_t uid;
+ gid_t gid;
+ pid_t pid;
+ pid_t sid;
+ char comm[16];
+ u_int8_t match, invert; /* flags */
+};
+
+/*
+ * Note: "UINT32_MAX - 1" is used in the code because -1 is a reserved
+ * UID/GID value anyway.
+ */
+
+enum {
+ FLAG_UID_OWNER = 1 << 0,
+ FLAG_GID_OWNER = 1 << 1,
+ FLAG_SOCKET_EXISTS = 1 << 2,
+ FLAG_PID_OWNER = 1 << 3,
+ FLAG_SID_OWNER = 1 << 4,
+ FLAG_COMM = 1 << 5,
+};
+
+static void owner_mt_help_v0(void)
+{
+#ifdef IPT_OWNER_COMM
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"[!] --cmd-owner name Match local command name\n"
+"NOTE: PID, SID and command matching are broken on SMP\n");
+#else
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"NOTE: PID and SID matching are broken on SMP\n");
+#endif /* IPT_OWNER_COMM */
+}
+
+static void owner_mt6_help_v0(void)
+{
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid Match local UID\n"
+"[!] --gid-owner groupid Match local GID\n"
+"[!] --pid-owner processid Match local PID\n"
+"[!] --sid-owner sessionid Match local SID\n"
+"NOTE: PID and SID matching are broken on SMP\n");
+}
+
+static void owner_mt_help(void)
+{
+ printf(
+"owner match options:\n"
+"[!] --uid-owner userid[-userid] Match local UID\n"
+"[!] --gid-owner groupid[-groupid] Match local GID\n"
+"[!] --socket-exists Match if socket exists\n");
+}
+
+static const struct option owner_mt_opts_v0[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "pid-owner", .has_arg = true, .val = 'p'},
+ {.name = "sid-owner", .has_arg = true, .val = 's'},
+#ifdef IPT_OWNER_COMM
+ {.name = "cmd-owner", .has_arg = true, .val = 'c'},
+#endif
+ { .name = NULL }
+};
+
+static const struct option owner_mt6_opts_v0[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "pid-owner", .has_arg = true, .val = 'p'},
+ {.name = "sid-owner", .has_arg = true, .val = 's'},
+ { .name = NULL }
+};
+
+static const struct option owner_mt_opts[] = {
+ {.name = "uid-owner", .has_arg = true, .val = 'u'},
+ {.name = "gid-owner", .has_arg = true, .val = 'g'},
+ {.name = "socket-exists", .has_arg = false, .val = 'k'},
+ { .name = NULL }
+};
+
+static int
+owner_mt_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ipt_owner_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 'u':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner", *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ id = pwd->pw_uid;
+ else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--uid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_UID;
+ info->match |= IPT_OWNER_UID;
+ info->uid = id;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner", *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ id = grp->gr_gid;
+ else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--gid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_GID;
+ info->match |= IPT_OWNER_GID;
+ info->gid = id;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'p':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--pid-owner", *flags & FLAG_PID_OWNER);
+ if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--pid-owner", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_PID;
+ info->match |= IPT_OWNER_PID;
+ info->pid = id;
+ *flags |= FLAG_PID_OWNER;
+ return true;
+
+ case 's':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--sid-owner", *flags & FLAG_SID_OWNER);
+ if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--sid-value", optarg);
+ if (invert)
+ info->invert |= IPT_OWNER_SID;
+ info->match |= IPT_OWNER_SID;
+ info->sid = id;
+ *flags |= FLAG_SID_OWNER;
+ return true;
+
+#ifdef IPT_OWNER_COMM
+ case 'c':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--cmd-owner", *flags & FLAG_COMM);
+ if (strlen(optarg) > sizeof(info->comm))
+ xtables_error(PARAMETER_PROBLEM, "owner match: command "
+ "\"%s\" too long, max. %zu characters",
+ optarg, sizeof(info->comm));
+
+ info->comm[sizeof(info->comm)-1] = '\0';
+ strncpy(info->comm, optarg, sizeof(info->comm));
+
+ if (invert)
+ info->invert |= IPT_OWNER_COMM;
+ info->match |= IPT_OWNER_COMM;
+ *flags |= FLAG_COMM;
+ return true;
+#endif
+ }
+ return false;
+}
+
+static int
+owner_mt6_parse_v0(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct ip6t_owner_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int id;
+
+ switch (c) {
+ case 'u':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner",
+ *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ id = pwd->pw_uid;
+ else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--uid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_UID;
+ info->match |= IP6T_OWNER_UID;
+ info->uid = id;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner",
+ *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ id = grp->gr_gid;
+ else if (!xtables_strtoui(optarg, NULL, &id, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--gid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_GID;
+ info->match |= IP6T_OWNER_GID;
+ info->gid = id;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'p':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--pid-owner",
+ *flags & FLAG_PID_OWNER);
+ if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--pid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_PID;
+ info->match |= IP6T_OWNER_PID;
+ info->pid = id;
+ *flags |= FLAG_PID_OWNER;
+ return true;
+
+ case 's':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--sid-owner",
+ *flags & FLAG_SID_OWNER);
+ if (!xtables_strtoui(optarg, NULL, &id, 0, INT_MAX))
+ xtables_param_act(XTF_BAD_VALUE, "owner", "--sid-owner", optarg);
+ if (invert)
+ info->invert |= IP6T_OWNER_SID;
+ info->match |= IP6T_OWNER_SID;
+ info->sid = id;
+ *flags |= FLAG_SID_OWNER;
+ return true;
+ }
+ return false;
+}
+
+static void owner_parse_range(const char *s, unsigned int *from,
+ unsigned int *to, const char *opt)
+{
+ char *end;
+
+ /* -1 is reversed, so the max is one less than that. */
+ if (!xtables_strtoui(s, &end, from, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", opt, s);
+ *to = *from;
+ if (*end == '-' || *end == ':')
+ if (!xtables_strtoui(end + 1, &end, to, 0, UINT32_MAX - 1))
+ xtables_param_act(XTF_BAD_VALUE, "owner", opt, s);
+ if (*end != '\0')
+ xtables_param_act(XTF_BAD_VALUE, "owner", opt, s);
+}
+
+static int owner_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+{
+ struct xt_owner_match_info *info = (void *)(*match)->data;
+ struct passwd *pwd;
+ struct group *grp;
+ unsigned int from, to;
+
+ switch (c) {
+ case 'u':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--uid-owner",
+ *flags & FLAG_UID_OWNER);
+ if ((pwd = getpwnam(optarg)) != NULL)
+ from = to = pwd->pw_uid;
+ else
+ owner_parse_range(optarg, &from, &to, "--uid-owner");
+ if (invert)
+ info->invert |= XT_OWNER_UID;
+ info->match |= XT_OWNER_UID;
+ info->uid_min = from;
+ info->uid_max = to;
+ *flags |= FLAG_UID_OWNER;
+ return true;
+
+ case 'g':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--gid-owner",
+ *flags & FLAG_GID_OWNER);
+ if ((grp = getgrnam(optarg)) != NULL)
+ from = to = grp->gr_gid;
+ else
+ owner_parse_range(optarg, &from, &to, "--gid-owner");
+ if (invert)
+ info->invert |= XT_OWNER_GID;
+ info->match |= XT_OWNER_GID;
+ info->gid_min = from;
+ info->gid_max = to;
+ *flags |= FLAG_GID_OWNER;
+ return true;
+
+ case 'k':
+ xtables_param_act(XTF_ONLY_ONCE, "owner", "--socket-exists",
+ *flags & FLAG_SOCKET_EXISTS);
+ if (invert)
+ info->invert |= XT_OWNER_SOCKET;
+ info->match |= XT_OWNER_SOCKET;
+ *flags |= FLAG_SOCKET_EXISTS;
+ return true;
+
+ }
+ return false;
+}
+
+static void owner_mt_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM, "owner: At least one of "
+ "--uid-owner, --gid-owner or --socket-exists "
+ "is required");
+}
+
+static void
+owner_mt_print_item_v0(const struct ipt_owner_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf("%s ", label);
+
+ switch (info->match & flag) {
+ case IPT_OWNER_UID:
+ if (!numeric) {
+ struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case IPT_OWNER_GID:
+ if (!numeric) {
+ struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+
+ case IPT_OWNER_PID:
+ printf("%u ", (unsigned int)info->pid);
+ break;
+
+ case IPT_OWNER_SID:
+ printf("%u ", (unsigned int)info->sid);
+ break;
+
+#ifdef IPT_OWNER_COMM
+ case IPT_OWNER_COMM:
+ printf("%.*s ", (int)sizeof(info->comm), info->comm);
+ break;
+#endif
+ }
+}
+
+static void
+owner_mt6_print_item_v0(const struct ip6t_owner_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf("%s ", label);
+
+ switch (info->match & flag) {
+ case IP6T_OWNER_UID:
+ if (!numeric) {
+ struct passwd *pwd = getpwuid(info->uid);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid);
+ break;
+
+ case IP6T_OWNER_GID:
+ if (!numeric) {
+ struct group *grp = getgrgid(info->gid);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid);
+ break;
+
+ case IP6T_OWNER_PID:
+ printf("%u ", (unsigned int)info->pid);
+ break;
+
+ case IP6T_OWNER_SID:
+ printf("%u ", (unsigned int)info->sid);
+ break;
+ }
+}
+
+static void
+owner_mt_print_item(const struct xt_owner_match_info *info, const char *label,
+ u_int8_t flag, bool numeric)
+{
+ if (!(info->match & flag))
+ return;
+ if (info->invert & flag)
+ printf("! ");
+ printf("%s ", label);
+
+ switch (info->match & flag) {
+ case XT_OWNER_UID:
+ if (info->uid_min != info->uid_max) {
+ printf("%u-%u ", (unsigned int)info->uid_min,
+ (unsigned int)info->uid_max);
+ break;
+ } else if (!numeric) {
+ const struct passwd *pwd = getpwuid(info->uid_min);
+
+ if (pwd != NULL && pwd->pw_name != NULL) {
+ printf("%s ", pwd->pw_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->uid_min);
+ break;
+
+ case XT_OWNER_GID:
+ if (info->gid_min != info->gid_max) {
+ printf("%u-%u ", (unsigned int)info->gid_min,
+ (unsigned int)info->gid_max);
+ break;
+ } else if (!numeric) {
+ const struct group *grp = getgrgid(info->gid_min);
+
+ if (grp != NULL && grp->gr_name != NULL) {
+ printf("%s ", grp->gr_name);
+ break;
+ }
+ }
+ printf("%u ", (unsigned int)info->gid_min);
+ break;
+ }
+}
+
+static void
+owner_mt_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_owner_info *info = (void *)match->data;
+
+ owner_mt_print_item_v0(info, "owner UID match", IPT_OWNER_UID, numeric);
+ owner_mt_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric);
+ owner_mt_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
+ owner_mt_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
+#ifdef IPT_OWNER_COMM
+ owner_mt_print_item_v0(info, "owner CMD match", IPT_OWNER_COMM, numeric);
+#endif
+}
+
+static void
+owner_mt6_print_v0(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct ip6t_owner_info *info = (void *)match->data;
+
+ owner_mt6_print_item_v0(info, "owner UID match", IPT_OWNER_UID, numeric);
+ owner_mt6_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric);
+ owner_mt6_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
+ owner_mt6_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
+}
+
+static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, "owner socket exists", XT_OWNER_SOCKET, numeric);
+ owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric);
+ owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric);
+}
+
+static void
+owner_mt_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ipt_owner_info *info = (void *)match->data;
+
+ owner_mt_print_item_v0(info, "--uid-owner", IPT_OWNER_UID, true);
+ owner_mt_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true);
+ owner_mt_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
+ owner_mt_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
+#ifdef IPT_OWNER_COMM
+ owner_mt_print_item_v0(info, "--cmd-owner", IPT_OWNER_COMM, true);
+#endif
+}
+
+static void
+owner_mt6_save_v0(const void *ip, const struct xt_entry_match *match)
+{
+ const struct ip6t_owner_info *info = (void *)match->data;
+
+ owner_mt6_print_item_v0(info, "--uid-owner", IPT_OWNER_UID, true);
+ owner_mt6_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true);
+ owner_mt6_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
+ owner_mt6_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
+}
+
+static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_owner_match_info *info = (void *)match->data;
+
+ owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, false);
+ owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, false);
+ owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, false);
+}
+
+static struct xtables_match owner_mt_reg[] = {
+ {
+ .version = XTABLES_VERSION,
+ .name = "owner",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .size = XT_ALIGN(sizeof(struct ipt_owner_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ipt_owner_info)),
+ .help = owner_mt_help_v0,
+ .parse = owner_mt_parse_v0,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print_v0,
+ .save = owner_mt_save_v0,
+ .extra_opts = owner_mt_opts_v0,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "owner",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .size = XT_ALIGN(sizeof(struct ip6t_owner_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct ip6t_owner_info)),
+ .help = owner_mt6_help_v0,
+ .parse = owner_mt6_parse_v0,
+ .final_check = owner_mt_check,
+ .print = owner_mt6_print_v0,
+ .save = owner_mt6_save_v0,
+ .extra_opts = owner_mt6_opts_v0,
+ },
+ {
+ .version = XTABLES_VERSION,
+ .name = "owner",
+ .revision = 1,
+ .family = NFPROTO_UNSPEC,
+ .size = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_owner_match_info)),
+ .help = owner_mt_help,
+ .parse = owner_mt_parse,
+ .final_check = owner_mt_check,
+ .print = owner_mt_print,
+ .save = owner_mt_save,
+ .extra_opts = owner_mt_opts,
+ },
+};
+
+void _init(void)
+{
+ xtables_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
+}