--=-oJUynkqSFgltOrFh5416 Content-Type: text/plain Content-Transfer-Encoding: 7bit It's a useful thing to have! This is a port of the patch provided by Maxime Henrion <mux@FreeBSD.org>. His patch is available at http://mu.org/~mux/patches/pf.patch Enjoy, Devon --=-oJUynkqSFgltOrFh5416 Content-Disposition: attachment; filename=pf.diff Content-Type: text/x-patch; name=pf.diff; charset=UTF-8 Content-Transfer-Encoding: 7bit diff -urN usr.sbin/pfctl/parse.y /root/pfctl/parse.y --- usr.sbin/pfctl/parse.y 2005-02-11 23:31:45.000000000 +0100 +++ /root/pfctl/parse.y 2005-02-28 14:19:03.000000000 +0100 @@ -168,6 +168,8 @@ #define FOM_SRCTRACK 0x10 struct node_uid *uid; struct node_gid *gid; + struct node_uid *ruid; + struct node_gid *rgid struct { u_int8_t b1; u_int8_t b2; @@ -262,7 +264,8 @@ void expand_rule(struct pf_rule *, struct node_if *, struct node_host *, struct node_proto *, struct node_os*, struct node_host *, struct node_port *, struct node_host *, struct node_port *, - struct node_uid *, struct node_gid *, struct node_icmp *); + struct node_uid *, struct node_gid *, struct node_icmp *, + struct node_uid *, struct node_gid *); int expand_altq(struct pf_altq *, struct node_if *, struct node_queue *, struct node_queue_bw bwspec, struct node_queue_opt *); int expand_queue(struct pf_altq *, struct node_if *, struct node_queue *, @@ -331,6 +334,8 @@ struct node_port *port; struct node_uid *uid; struct node_gid *gid; + struct node_uid *ruid; + struct node_gid *rgid; struct node_state_opt *state_opt; struct peer peer; struct { @@ -407,6 +412,7 @@ %token LOAD %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE %token TAGGED TAG IFBOUND GRBOUND FLOATING STATEPOLICY +%token RUSER RGROUP %token <v.string> STRING %token <v.i> PORTBINARY %type <v.interface> interface if_list if_item_not if_item 
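Review bot: The added member `struct node_gid *rgid` in the @@ -168 hunk has no terminating semicolon, so the `struct {` that follows it is read as part of the same declaration and the file will not compile; the line should be `struct node_gid *rgid;`, matching the `ruid` line added just above it. The parallel addition to the `%union` in the @@ -331 hunk does carry the semicolon, so only this first hunk is affected. The enclosing struct definition starts before this hunk.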
@@ -430,6 +436,8 @@ %type <v.port> portspec port_list port_item %type <v.uid> uids uid_list uid_item %type <v.gid> gids gid_list gid_item +%type <v.ruid> ruids +%type <v.rgid> rgids %type <v.route> route %type <v.redirection> redirection redirpool %type <v.string> label string tag @@ -621,7 +629,7 @@ expand_rule(&r, $4, NULL, $6, $7.src_os, $7.src.host, $7.src.port, $7.dst.host, $7.dst.port, - 0, 0, 0); + 0, 0, 0, 0, 0); } | NATANCHOR string interface af proto fromto { struct pf_rule r; @@ -641,7 +649,7 @@ expand_rule(&r, $3, NULL, $5, $6.src_os, $6.src.host, $6.src.port, $6.dst.host, $6.dst.port, - 0, 0, 0); + 0, 0, 0, 0, 0); } | RDRANCHOR string interface af proto fromto { struct pf_rule r; @@ -682,7 +690,7 @@ expand_rule(&r, $3, NULL, $5, $6.src_os, $6.src.host, $6.src.port, $6.dst.host, $6.dst.port, - 0, 0, 0); + 0, 0, 0, 0, 0); } | BINATANCHOR string interface af proto fromto { struct pf_rule r; @@ -800,7 +808,7 @@ expand_rule(&r, $4, NULL, $6, $7.src_os, $7.src.host, $7.src.port, $7.dst.host, $7.dst.port, - NULL, NULL, NULL); + NULL, NULL, NULL, NULL, NULL); } ; @@ -916,7 +924,8 @@ if (h != NULL) expand_rule(&r, j, NULL, NULL, NULL, h, - NULL, NULL, NULL, NULL, NULL, NULL); + NULL, NULL, NULL, NULL, NULL, NULL + NULL, NULL); if ((i->ifa_flags & IFF_LOOPBACK) == 0) { bzero(&r, sizeof(r)); @@ -932,7 +941,8 @@ if (h != NULL) expand_rule(&r, NULL, NULL, NULL, NULL, h, NULL, NULL, - NULL, NULL, NULL, NULL); + NULL, NULL, NULL, NULL + NULL, NULL); } } free($5.label); @@ -1701,7 +1711,7 @@ expand_rule(&r, $4, $5.host, $7, $8.src_os, $8.src.host, $8.src.port, $8.dst.host, $8.dst.port, - $9.uid, $9.gid, $9.icmpspec); + $9.uid, $9.gid, $9.icmpspec, $9.ruid, $9.rgid); } ; 
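Review bot: Both call-site rewrites in the @@ -916 and @@ -932 hunks drop the comma between their two continuation lines, leaving `NULL, NULL, NULL, NULL, NULL, NULL` immediately followed by `NULL, NULL);`, which is a syntax error. The first continuation line in each should end with a comma: `NULL, NULL, NULL, NULL, NULL, NULL,` in @@ -916 and `NULL, NULL, NULL, NULL,` in @@ -932. With that fixed the argument count matches the 14-parameter prototype from the @@ -262 hunk. Both calls sit inside a grammar action whose start and end lie outside these hunks.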
@@ -1728,6 +1738,16 @@ $2->tail->next = filter_opts.gid; filter_opts.gid = $2; } + | RUSER ruids { + if (filter_opts.ruid) + $2->tail->next = filter_opts.ruid; + filter_opts.ruid = $2; + } + | RGROUP rgids { + if (filter_opts.rgid) + $2->tail->next = filter_opts.rgid; + filter_opts.rgid = $2; + } | flags { if (filter_opts.marker & FOM_FLAGS) { yyerror("flags cannot be redefined"); @@ -2307,6 +2327,9 @@ | '{' uid_list '}' { $$ = $2; } ; +ruids : uid_item { $$ = $1; } + | '{' uid_list '}' { $$ = $2; } + uid_list : uid_item { $$ = $1; } | uid_list comma uid_item { $1->tail->next = $3; @@ -2389,6 +2412,10 @@ | '{' gid_list '}' { $$ = $2; } ; +rgids : gid_item { $$ = $1; } + | '{' gid_list '}' ( $$ = $2; } + ; + gid_list : gid_item { $$ = $1; } | gid_list comma gid_item { $1->tail->next = $3; @@ -3151,7 +3178,7 @@ expand_rule(&r, $2, $7 == NULL ? NULL : $7->host, $4, $5.src_os, $5.src.host, $5.src.port, $5.dst.host, - $5.dst.port, 0, 0, 0); + $5.dst.port, 0, 0, 0, 0, 0); free($7); } ; @@ -4098,7 +4125,8 @@ struct node_proto *protos, struct node_os *src_oses, struct node_host *src_hosts, struct node_port *src_ports, struct node_host *dst_hosts, struct node_port *dst_ports, - struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types) + struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types, + struct node_uid *ruids, struct node_gid *gids) { sa_family_t af = r->af; int added = 0, error = 0; @@ -4131,6 +4159,8 @@ LOOP_THROUGH(struct node_port, dst_port, dst_ports, LOOP_THROUGH(struct node_uid, uid, uids, LOOP_THROUGH(struct node_gid, gid, gids, + LOOP_THROUGH(struct node_uid, ruid, ruids, + LOOP_THROUGH(struct node_gid, rgid, rgids, r->af = af; /* for link-local IPv6 address, interface must match up */ 
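Review bot: The new `ruser` and `rgroup` filter options are introduced here (and in the keyword table at @@ -4380) without any documentation of how they differ from `user` and `group`; the only hint on the page is that the pf.c side reads `cr_ruid`/`cr_rgid` for them versus `cr_uid`/`cr_groups[0]` for the existing ones. A comment next to the two new alternatives, such as `/* ruser/rgroup: match the real (not effective) uid/gid of the socket owner, see pf_socket_lookup() */`, plus a matching pf.conf(5) entry, would make that distinction visible to rule authors. The enclosing filter_opt rule continues outside this hunk.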
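Review bot: The second alternative of the new `rgids` rule in the @@ -2389 hunk opens its action with `(` instead of `{` (`| '{' gid_list '}' ( $$ = $2; }`), which yacc will reject; it should read `| '{' gid_list '}' { $$ = $2; }`. The `ruids` rule in the @@ -2307 hunk is also missing the closing `;` that `rgids` and the surrounding `uids`/`gids` rules have; yacc tolerates the omission, but the file's convention is to terminate every rule with `;`, so add a `;` line after its second alternative.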
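Review bot: The new last parameter of `expand_rule` in the @@ -4098 hunk is named `gids`, which duplicates the existing `struct node_gid *gids` parameter on the previous line and is a compile error; the body added in the @@ -4131 hunk (`LOOP_THROUGH(struct node_gid, rgid, rgids,`) and the `FREE_LIST(struct node_gid, rgids);` in the @@ -4265 hunk both expect it to be called `rgids`. The line should be `struct node_uid *ruids, struct node_gid *rgids)`. The parameter order itself (real ids after `icmp_types`) agrees with every updated call site on the page, including `$9.uid, $9.gid, $9.icmpspec, $9.ruid, $9.rgid` at @@ -1701.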
@@ -4197,6 +4227,12 @@ r->gid.op = gid->op; r->gid.gid[0] = gid->gid[0]; r->gid.gid[1] = gid->gid[1]; + r->ruid.op = ruid->op; + r->ruid.uid[0] = ruid->uid[0]; + r->ruid.uid[1] = ruid->uid[1]; + r->rgid.op = rgid->op; + r->rgid.gid[0] = rgid->gid[0]; + r->rgid.gid[1] = rgid->gid[1]; r->type = icmp_type->type; r->code = icmp_type->code; @@ -4254,7 +4290,7 @@ added++; } - )))))))))); + )))))))))))); FREE_LIST(struct node_if, interfaces); FREE_LIST(struct node_proto, protos); @@ -4265,6 +4301,8 @@ FREE_LIST(struct node_port, dst_ports); FREE_LIST(struct node_uid, uids); FREE_LIST(struct node_gid, gids); + FREE_LIST(struct node_uid, ruids); + FREE_LIST(struct node_gid, rgids); FREE_LIST(struct node_icmp, icmp_types); FREE_LIST(struct node_host, rpool_hosts); @@ -4380,9 +4418,11 @@ { "return-icmp", RETURNICMP}, { "return-icmp6", RETURNICMP6}, { "return-rst", RETURNRST}, + { "rgroup", RGROUP}, { "round-robin", ROUNDROBIN}, { "route-to", ROUTETO}, { "rule", RULE}, + { "ruser", RUSER}, { "scrub", SCRUB}, { "set", SET}, { "source-hash", SOURCEHASH}, diff -urN usr.sbin/pfctl/pfctl_parser.c /root/pfctl/pfctl_parser.c --- usr.sbin/pfctl/pfctl_parser.c 2004-09-21 23:25:28.000000000 +0200 +++ /root/pfctl/pfctl_parser.c 2005-02-28 14:19:38.000000000 +0100 @@ -745,6 +745,12 @@ if (r->gid.op) print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group", GID_MAX); + if (r->ruid.op) + print_ugid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1], "ruser", + UID_MAX); + if (r->rgid.op) + print_ugid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1], "rgroup", + GID_MAX); if (r->flags || r->flagset) { printf(" flags "); print_flags(r->flags); diff -urN sys/net/pf/pf.c /root/pf/pf.c --- sys/net/pf/pf.c 2005-02-11 23:25:57.000000000 +0100 +++ /root/pf/pf.c 2005-02-28 14:30:13.000000000 +0100 
@@ -204,7 +204,7 @@ struct ifnet *, struct pf_state *); void pf_route6(struct mbuf **, struct pf_rule *, int, struct ifnet *, struct pf_state *); -int pf_socket_lookup(uid_t *, gid_t *, +int pf_socket_lookup(uid_t *, gid_t *, uid_t *, gid_t *, int, struct pf_pdesc *); u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t); @@ -2186,7 +2186,8 @@ #endif /* SMP */ int -pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd) +pf_socket_lookup(uid_t *uid, gid_t *gid, uid_t *ruid, gid_t *rgid, + int direction, struct pf_pdesc *pd) { struct pf_addr *saddr, *daddr; u_int16_t sport, dport; @@ -2199,6 +2200,8 @@ *uid = UID_MAX; *gid = GID_MAX; + *ruid = UID_MAX; + *rgid = GID_MAX; if (direction == PF_IN) { saddr = pd->src; daddr = pd->dst; @@ -2298,6 +2301,8 @@ } *uid = inp->inp_socket->so_cred->cr_uid; *gid = inp->inp_socket->so_cred->cr_groups[0]; + *ruid = inp->inp_socket->so_cred->cr_ruid; + *rgid = inp->inp_socket->so_cred->cr_rgid; return (1); } @@ -2467,8 +2472,8 @@ u_int16_t bport, nport = 0; sa_family_t af = pd->af; int lookup = -1; - uid_t uid; - gid_t gid; + uid_t uid, ruid; + gid_t gid, rgid; struct pf_rule *r, *a = NULL; struct pf_ruleset *ruleset = NULL; struct pf_src_node *nsn = NULL; 
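Review bot: `pf_socket_lookup` now writes through all four out-pointers unconditionally (`*ruid = UID_MAX; *rgid = GID_MAX;` at the top of the @@ -2199 hunk and the `cr_ruid`/`cr_rgid` stores in the @@ -2298 hunk), yet nothing at the prototype in @@ -204 or the definition in @@ -2186 says that `ruid` and `rgid` may not be NULL, and a future caller interested only in the effective ids could plausibly pass NULL. A comment above the definition, e.g. `/* uid, gid, ruid and rgid must all be non-NULL; each is preset to UID_MAX/GID_MAX ("unknown") before the lookup is attempted. */`, would pin that contract. The rest of the function, including any early-return paths, lies outside these hunks.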
@@ -2537,15 +2542,29 @@ else if ((r->flagset & th->th_flags) != r->flags) r = TAILQ_NEXT(r, entries); else if (r->uid.op && (lookup != -1 || (lookup = - pf_socket_lookup(&uid, &gid, direction, pd), 1)) && + pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, + pd), 1)) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], uid)) r = TAILQ_NEXT(r, entries); + else if (r->ruid.op && (lookup != -1 || (lookup = + pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, + pd, inp), 1)) && + !pf_match_uid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1], + ruid)) + r = TAILQ_NEXT(r, entries); else if (r->gid.op && (lookup != -1 || (lookup = - pf_socket_lookup(&uid, &gid, direction, pd), 1)) && + pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, + pd), 1)) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], gid)) r = TAILQ_NEXT(r, entries); + else if (r->rgid.op && (lookup != -1 || (lookup = + pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, + pd, inp), 1)) && + !pf_match_gid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1], + rgid)) + r = TAILQ_NEXT(r, entries); else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) r = TAILQ_NEXT(r, entries); else if (r->anchorname[0] && r->anchor == NULL) @@ -2818,8 +2837,8 @@ u_int16_t bport, nport = 0; sa_family_t af = pd->af; int lookup = -1; - uid_t uid; - gid_t gid; + uid_t uid, ruid; + gid_t gid, rgid; struct pf_rule *r, *a = NULL; struct pf_ruleset *ruleset = NULL; struct pf_src_node *nsn = NULL; 
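Review bot: The two new `ruid`/`rgid` branches in the @@ -2537 hunk call `pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, pd, inp)` with seven arguments, but the function is declared and defined with six (`uid_t *, gid_t *, uid_t *, gid_t *, int, struct pf_pdesc *` in the @@ -204 and @@ -2186 hunks) and no `inp` is declared in the visible code, so this will not compile; it looks like a leftover from the FreeBSD original. Each of those two calls should end `pd), 1)) &&`, exactly like the `uid`/`gid` branches directly above them. The same seven-argument calls appear twice more in the second rule-matching loop at @@ -2885 and need the same fix. Since all four branches share the `lookup` cache and the lookup fills all four ids at once, the extra branches only trigger a lookup when none of the earlier ones did, so the sharing itself is sound. The enclosing rule loop starts and ends outside this hunk.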
@@ -2885,15 +2904,29 @@ else if (r->rule_flag & PFRULE_FRAGMENT) r = TAILQ_NEXT(r, entries); else if (r->uid.op && (lookup != -1 || (lookup = - pf_socket_lookup(&uid, &gid, direction, pd), 1)) && + pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, + pd), 1)) && !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1], uid)) r = TAILQ_NEXT(r, entries); + else if (r->ruid.op && (lookup != -1 || (lookup = + pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, + pd, inp), 1)) && + !pf_match_uid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1], + ruid)) + r = TAILQ_NEXT(r, entries); else if (r->gid.op && (lookup != -1 || (lookup = - pf_socket_lookup(&uid, &gid, direction, pd), 1)) && + pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, + pd), 1)) && !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1], gid)) r = TAILQ_NEXT(r, entries); + else if (r->rgid.op && (lookup != -1 || (lookup = + pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, + pd, inp), 1)) && + !pf_match_gid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1], + rgid)) + r = TAILQ_NEXT(r, entries); else if (r->match_tag && !pf_match_tag(m, r, nr, &tag)) r = TAILQ_NEXT(r, entries); else if (r->anchorname[0] && r->anchor == NULL) diff -urN sys/net/pf/pfvar.h /root/pf/pfvar.h --- sys/net/pf/pfvar.h 2005-02-11 23:25:57.000000000 +0100 +++ /root/pf/pfvar.h 2005-02-28 14:30:35.000000000 +0100 @@ -560,6 +560,8 @@ struct pf_rule_uid uid; struct pf_rule_gid gid; + struct pf_rule_uid ruid; + struct pf_rule_gid rgid; u_int32_t rule_flag; u_int8_t action; --=-oJUynkqSFgltOrFh5416--
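Review bot: Adding `ruid` and `rgid` to `struct pf_rule` in the pfvar.h @@ -560 hunk changes the layout of a structure that pfctl hands to the kernel, so a pfctl built against the old header and a kernel built with the new one will disagree on where `rule_flag`, `action` and everything after them live; at minimum this should be noted as requiring kernel and pfctl to be rebuilt together, and it is worth checking whether the tree carries an interface version constant that ought to be bumped with it (none is touched on this page). A comment on the two new members, `/* real uid/gid of the socket owner; matched by the ruser/rgroup filter options */`, would also tie them to the parse.y additions. The struct pf_rule definition begins before this hunk.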