shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-03-31 14:50:15 +03:00
Code

Merge pull request #14672 from yuwata/network-routing-policy-uidrange

Browse Source 
network: support UID based routing policy
This commit is contained in:
Yu Watanabe 2020-02-02 22:46:04 +09:00 committed by GitHub
commit 4e3132d6d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 164 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
man/systemd.network.xml
View File

@ -1084,6 +1084,13 @@
<literal>ipv4</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>User=</varname></term>
<listitem>
<para>Takes a username, a user ID, or a range of user IDs separated by a dash. Defaults to
unset.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

23
src/basic/user-util.c
View File

@ -62,6 +62,29 @@ int parse_uid(const char *s, uid_t *ret) {
return 0;
}
int parse_uid_range(const char *s, uid_t *ret_lower, uid_t *ret_upper) {
uint32_t u, l;
int r;
assert(s);
assert(ret_lower);
assert(ret_upper);
r = parse_range(s, &l, &u);
if (r < 0)
return r;
if (l > u)
return -EINVAL;
if (!uid_is_valid(l) || !uid_is_valid(u))
return -ENXIO;
*ret_lower = l;
*ret_upper = u;
return 0;
}
char* getlogname_malloc(void) {
uid_t uid;
struct stat st;

1
src/basic/user-util.h
View File

@ -19,6 +19,7 @@ static inline bool gid_is_valid(gid_t gid) {
}
int parse_uid(const char *s, uid_t* ret_uid);
int parse_uid_range(const char *s, uid_t *ret_lower, uid_t *ret_upper);
static inline int parse_gid(const char *s, gid_t *ret_gid) {
return parse_uid(s, (uid_t*) ret_gid);

6
src/network/networkd-manager.c
View File

@ -1138,6 +1138,12 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, voi
return 0;
}
r = sd_netlink_message_read(message, FRA_UID_RANGE, sizeof(tmp->uid_range), &tmp->uid_range);
if (r < 0 && r != -ENODATA) {
log_warning_errno(r, "rtnl: could not get FRA_UID_RANGE attribute, ignoring: %m");
return 0;
}
(void) routing_policy_rule_get(m, tmp, &rule);
if (DEBUG_LOGGING) {

1
src/network/networkd-network-gperf.gperf
View File

@ -130,6 +130,7 @@ RoutingPolicyRule.SourcePort, config_parse_routing_policy_rule_port_ra
RoutingPolicyRule.DestinationPort, config_parse_routing_policy_rule_port_range, 0, 0
RoutingPolicyRule.InvertRule, config_parse_routing_policy_rule_invert, 0, 0
RoutingPolicyRule.Family, config_parse_routing_policy_rule_family, 0, 0
RoutingPolicyRule.User, config_parse_routing_policy_rule_uid_range, 0, 0
Route.Gateway, config_parse_gateway, 0, 0
Route.Destination, config_parse_destination, 0, 0
Route.Source, config_parse_destination, 0, 0

85
src/network/networkd-routing-policy-rule.c
View File

@ -7,6 +7,7 @@
#include "alloc-util.h"
#include "conf-parser.h"
#include "fileio.h"
#include "format-util.h"
#include "ip-protocol-list.h"
#include "networkd-routing-policy-rule.h"
#include "netlink-util.h"
@ -16,6 +17,7 @@
#include "socket-util.h"
#include "string-util.h"
#include "strv.h"
#include "user-util.h"
int routing_policy_rule_new(RoutingPolicyRule **ret) {
RoutingPolicyRule *rule;
@ -26,6 +28,8 @@ int routing_policy_rule_new(RoutingPolicyRule **ret) {
*rule = (RoutingPolicyRule) {
.table = RT_TABLE_MAIN,
.uid_range.start = UID_INVALID,
.uid_range.end = UID_INVALID,
};
*ret = rule;
@ -93,6 +97,7 @@ static int routing_policy_rule_copy(RoutingPolicyRule *dest, RoutingPolicyRule *
dest->protocol = src->protocol;
dest->sport = src->sport;
dest->dport = src->dport;
dest->uid_range = src->uid_range;
return 0;
}
@ -122,6 +127,7 @@ static void routing_policy_rule_hash_func(const RoutingPolicyRule *rule, struct
siphash24_compress(&rule->protocol, sizeof(rule->protocol), state);
siphash24_compress(&rule->sport, sizeof(rule->sport), state);
siphash24_compress(&rule->dport, sizeof(rule->dport), state);
siphash24_compress(&rule->uid_range, sizeof(rule->uid_range), state);
if (rule->iif)
siphash24_compress(rule->iif, strlen(rule->iif), state);
@ -198,6 +204,10 @@ static int routing_policy_rule_compare_func(const RoutingPolicyRule *a, const Ro
if (r != 0)
return r;
r = memcmp(&a->uid_range, &b->uid_range, sizeof(a->uid_range));
if (r != 0)
return r;
r = strcmp_ptr(a->iif, b->iif);
if (r != 0)
return r;
@ -554,6 +564,12 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
return log_link_error_errno(link, r, "Could not append FRA_DPORT_RANGE attribute: %m");
}
if (rule->uid_range.start != UID_INVALID && rule->uid_range.end != UID_INVALID) {
r = sd_netlink_message_append_data(m, FRA_UID_RANGE, &rule->uid_range, sizeof(rule->uid_range));
if (r < 0)
return log_link_error_errno(link, r, "Could not append FRA_UID_RANGE attribute: %m");
}
if (rule->invert_rule) {
r = sd_rtnl_message_routing_policy_rule_set_flags(m, FIB_RULE_INVERT);
if (r < 0)
@ -1056,6 +1072,51 @@ int config_parse_routing_policy_rule_family(
return 0;
}
int config_parse_routing_policy_rule_uid_range(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
_cleanup_(routing_policy_rule_free_or_set_invalidp) RoutingPolicyRule *n = NULL;
Network *network = userdata;
uid_t start, end;
int r;
assert(filename);
assert(section);
assert(lvalue);
assert(rvalue);
assert(data);
r = routing_policy_rule_new_static(network, filename, section_line, &n);
if (r < 0)
return r;
r = get_user_creds(&rvalue, &start, NULL, NULL, NULL, 0);
if (r >= 0)
end = start;
else {
r = parse_uid_range(rvalue, &start, &end);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
"Invalid uid or uid range '%s', ignoring: %m", rvalue);
return 0;
}
}
n->uid_range.start = start;
n->uid_range.end = end;
n = NULL;
return 0;
}
static int routing_policy_rule_read_full_file(const char *state_file, char **ret) {
_cleanup_free_ char *s = NULL;
size_t size;
@ -1170,6 +1231,14 @@ int routing_policy_serialize_rules(Set *rules, FILE *f) {
space = true;
}
if (rule->uid_range.start != UID_INVALID && rule->uid_range.end != UID_INVALID) {
assert_cc(sizeof(uid_t) == sizeof(uint32_t));
fprintf(f, "%suidrange="UID_FMT"-"UID_FMT,
space ? " " : "",
rule->uid_range.start, rule->uid_range.end);
space = true;
}
fprintf(f, "%stable=%"PRIu32 "\n",
space ? " " : "",
rule->table);
@ -1294,7 +1363,7 @@ int routing_policy_load_rules(const char *state_file, Set **rules) {
r = parse_ip_port_range(b, &low, &high);
if (r < 0) {
log_error_errno(r, "Invalid routing policy rule source port range, ignoring assignment:'%s'", b);
log_error_errno(r, "Invalid routing policy rule source port range, ignoring assignment: '%s'", b);
continue;
}
@ -1305,12 +1374,24 @@ int routing_policy_load_rules(const char *state_file, Set **rules) {
r = parse_ip_port_range(b, &low, &high);
if (r < 0) {
log_error_errno(r, "Invalid routing policy rule destination port range, ignoring assignment:'%s'", b);
log_error_errno(r, "Invalid routing policy rule destination port range, ignoring assignment: '%s'", b);
continue;
}
rule->dport.start = low;
rule->dport.end = high;
} else if (streq(a, "uidrange")) {
uid_t lower, upper;
r = parse_uid_range(b, &lower, &upper);
if (r < 0) {
log_error_errno(r, "Invalid routing policy rule uid range, ignoring assignment: '%s'", b);
continue;
}
rule->uid_range.start = lower;
rule->uid_range.end = upper;
}
}

2
src/network/networkd-routing-policy-rule.h
View File

@ -49,6 +49,7 @@ struct RoutingPolicyRule {
struct fib_rule_port_range sport;
struct fib_rule_port_range dport;
struct fib_rule_uid_range uid_range;
LIST_FIELDS(RoutingPolicyRule, rules);
};
@ -79,3 +80,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_port_range);
CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_ip_protocol);
CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_invert);
CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_family);
CONFIG_PARSER_PROTOTYPE(config_parse_routing_policy_rule_uid_range);

1
test/fuzz/fuzz-network-parser/directives.network
View File

@ -225,6 +225,7 @@ DestinationPort=
IPProtocol=
InvertRule=
Family=
User=
[IPv6PrefixDelegation]
RouterPreference=
DNSLifetimeSec=

9
test/test-network/conf/25-fibrule-uidrange.network Normal file
View File

@ -0,0 +1,9 @@
[Match]
Name=test1
[RoutingPolicyRule]
TypeOfService=0x08
Table=7
From= 192.168.100.18
Priority=111
User=100-200

31
test/test-network/systemd-networkd-tests.py
View File

@ -100,6 +100,23 @@ def expectedFailureIfRoutingPolicyIPProtoIsNotAvailable():
return f
def expectedFailureIfRoutingPolicyUIDRangeIsNotAvailable():
def f(func):
support = False
rc = call('ip rule add from 192.168.100.19 table 7 uidrange 200-300', stderr=subprocess.DEVNULL)
if rc == 0:
ret = run('ip rule list from 192.168.100.19 table 7', stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
if ret.returncode == 0 and 'uidrange 200-300' in ret.stdout.rstrip():
support = True
call('ip rule del from 192.168.100.19 table 7 uidrange 200-300')
if support:
return func
else:
return unittest.expectedFailure(func)
return f
def expectedFailureIfLinkFileFieldIsNotSet():
def f(func):
support = False
@ -1572,6 +1589,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
'25-bond-active-backup-slave.netdev',
'25-fibrule-invert.network',
'25-fibrule-port-range.network',
'25-fibrule-uidrange.network',
'25-gre-tunnel-remote-any.netdev',
'25-ip6gre-tunnel-remote-any.netdev',
'25-ipv6-address-label-section.network',
@ -1776,6 +1794,19 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
self.assertRegex(output, 'tcp')
self.assertRegex(output, 'lookup 7')
@expectedFailureIfRoutingPolicyUIDRangeIsNotAvailable()
def test_routing_policy_rule_uidrange(self):
copy_unit_to_networkd_unit_path('25-fibrule-uidrange.network', '11-dummy.netdev')
start_networkd()
self.wait_online(['test1:degraded'])
output = check_output('ip rule')
print(output)
self.assertRegex(output, '111')
self.assertRegex(output, 'from 192.168.100.18')
self.assertRegex(output, 'lookup 7')
self.assertRegex(output, 'uidrange 100-200')
def test_route_static(self):
copy_unit_to_networkd_unit_path('25-route-static.network', '12-dummy.netdev')
start_networkd()