git.baikalelectronics.ru Git - kernel.git/commit

author	Guillaume Nault <gnault@redhat.com>
	Thu, 13 Oct 2022 14:37:47 +0000 (16:37 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 19 Oct 2022 06:46:48 +0000 (08:46 +0200)
commit	7157495ab36d66e6559006d5560edf4e1f1b0acf
tree	8dcb7515e4d412cc7787785dcdcb1339f0f2d7c7	tree \| snapshot
parent	fd0334117c3f1d46c138a50606a8189df9a33c77	commit \| diff

netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.

Currently netfilter's rpfilter and fib modules implicitely initialise
->flowic_uid with 0. This is normally the root UID. However, this isn't
the case in user namespaces, where user ID 0 is mapped to a different
kernel UID. By initialising ->flowic_uid with sock_net_uid(), we get
the root UID of the user namespace, thus keeping the same behaviour
whether or not we're running in a user namepspace.

Note, this is similar to commit acab0a06e1e1 ("ipv4: add missing
initialization for flowi4_uid"), which fixed the rp_filter sysctl.

Fixes: 69eb6bffc817 ("net: core: add UID to flows, rules, and routes")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter/ipt_rpfilter.c		diff \| blob \| history
net/ipv4/netfilter/nft_fib_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/ip6t_rpfilter.c		diff \| blob \| history
net/ipv6/netfilter/nft_fib_ipv6.c		diff \| blob \| history