[Swan-dev] fedora 20 klips build

Matt Rogers mrogers at redhat.com
Thu Mar 13 05:40:42 EET 2014


I've attached a patch that fixes klips when user namespaces are enabled in the
kernel. I am not 100% familiar with this feature, so I would like a review
especially in regard to the use of init_user_ns when converting kuid_t. I
believe this is correct, as the init_user_ns namespace appears to act as the
global root namespace.

I tested klips on fedora kernels with and without CONFIG_USER_NS with this patch
and things worked normally.

Thanks,
Matt
-------------- next part --------------
commit be0cef873b85a8b4356ecf0fbebb5f83d19ca3b4
Author: Matt Rogers <mrogers at redhat.com>
Date:   Wed Mar 12 22:34:45 2014 -0400

    klips: convert kuid_t with the initial namespace when CONFIG_USER_NS
    is enabled (now in fedora 20 kernels)

diff --git a/linux/include/libreswan/ipsec_kversion.h b/linux/include/libreswan/ipsec_kversion.h
index ed40fc0..2854a11 100644
--- a/linux/include/libreswan/ipsec_kversion.h
+++ b/linux/include/libreswan/ipsec_kversion.h
@@ -516,5 +516,10 @@
 # define DEFINE_RWLOCK(x) rwlock_t x = RW_LOCK_UNLOCKED
 #endif
 
+/* CONFIG_USER_NS is now on in Fedora 20 kernels */
+#if defined(CONFIG_USER_NS)
+# define HAVE_USER_NS
+#endif
+
 #endif /* _LIBRESWAN_KVERSIONS_H */
 
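Review bot: the comment above the new `#if defined(CONFIG_USER_NS)` block describes a distribution state ("now on in Fedora 20 kernels") rather than what `HAVE_USER_NS` actually gates, which is the need to convert `kuid_t` with `from_kuid()` before storing it in a plain integer. A reader of ipsec_kversion.h a year from now will not know why Fedora 20 matters; consider a comment along the lines of `/* with CONFIG_USER_NS, current_uid() is a kuid_t and must go through from_kuid() */` so the macro's purpose is self-explanatory, and keep the Fedora note in the commit message where it already is.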
diff --git a/linux/include/libreswan/pfkey.h b/linux/include/libreswan/pfkey.h
index 76d9b58..32f4351 100644
--- a/linux/include/libreswan/pfkey.h
+++ b/linux/include/libreswan/pfkey.h
@@ -29,7 +29,9 @@ extern /* void */ int pfkey_cleanup(void);
 extern int pfkey_registered_show(struct seq_file *seq, void *offset);
 extern int pfkey_supported_show(struct seq_file *seq, void *offset);
 extern int pfkey_show(struct seq_file *seq, void *offset);
-
+#ifdef HAVE_USER_NS
+extern uint32_t pfkey_kuid_to_uid(kuid_t kuid);
+#endif
 struct socket_list {
 	struct socket *socketp;
 	struct socket_list *next;
diff --git a/linux/net/ipsec/pfkey_v2.c b/linux/net/ipsec/pfkey_v2.c
index 94be7b4..62db8d7 100644
--- a/linux/net/ipsec/pfkey_v2.c
+++ b/linux/net/ipsec/pfkey_v2.c
@@ -552,6 +552,13 @@ DEBUG_NO_STATIC void pfkey_destroy_socket(struct sock *sk)
 		    "klips_debug:pfkey_destroy_socket: destroyed.\n");
 }
 
+#ifdef HAVE_USER_NS
+uint32_t pfkey_kuid_to_uid(kuid_t kuid)
+{
+	return from_kuid(&init_user_ns, kuid);
+}
+#endif
+
 int pfkey_upmsg(struct socket *sock, struct sadb_msg *pfkey_msg)
 {
 	struct sock *sk;
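Review bot: `pfkey_kuid_to_uid()` has no comment explaining why `&init_user_ns` is the right namespace to convert against, and that is exactly the point the cover letter asks reviewers to check. A short comment stating that the value is stored in a PF_KEY message field visible system-wide, so the initial namespace's view of the uid is the intended one, would document the decision for the next reader. Also, `from_kuid()` returns `uid_t`, so declaring the wrapper as returning `uid_t` instead of `uint32_t` would make the conversion's intent clearer and keep the types aligned with what the kernel hands back.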
@@ -739,7 +746,11 @@ DEBUG_NO_STATIC int pfkey_create(struct socket *sock, int protocol)
 	sk->sk_family = PF_KEY;
 /*	sk->num = protocol; */
 	sk->sk_protocol = protocol;
+#ifdef HAVE_USER_NS
+	key_pid(sk) = pfkey_kuid_to_uid(current_uid());
+#else
 	key_pid(sk) = current_uid();
+#endif
 
 #ifdef HAVE_SOCKET_WQ
 	KLIPS_PRINT(debug_pfkey,
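Review bot: the `#ifdef HAVE_USER_NS` / `#else` pair inside `pfkey_create()` duplicates the call site for `key_pid(sk)`, and the same pattern will have to be repeated at every other place that reads `current_uid()`. It would be simpler to make `pfkey_kuid_to_uid()` always available, defining it as an identity (`#define pfkey_kuid_to_uid(u) (u)` or an inline returning its argument) in the `!HAVE_USER_NS` case in pfkey.h, so that this line becomes a single unconditional `key_pid(sk) = pfkey_kuid_to_uid(current_uid());` and the preprocessor conditional lives in one place.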
diff --git a/linux/net/ipsec/pfkey_v2_parser.c b/linux/net/ipsec/pfkey_v2_parser.c
index 7c2ba3b..40b0444 100644
--- a/linux/net/ipsec/pfkey_v2_parser.c
+++ b/linux/net/ipsec/pfkey_v2_parser.c
@@ -1850,7 +1850,11 @@ int pfkey_register_reply(int satype, struct sadb_msg *sadb_msg)
 							   pfkey_msg_seq,
 							   sadb_msg ? sadb_msg
 							   ->sadb_msg_pid :
+#ifdef HAVE_USER_NS
+							   pfkey_kuid_to_uid(current_uid())),
+#else
 							   current_uid()),
+#endif
 			       extensions_reply) &&
 	      (alg_num_a ? pfkey_safe_build(error =
 						    pfkey_supported_build(&
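Review bot: placing `#ifdef HAVE_USER_NS` / `#else` / `#endif` inside the argument list of a multi-line call in `pfkey_register_reply()` is fragile: the conditional sits between two halves of a ternary expression, so a later edit that reindents or reorders the arguments can easily leave one branch syntactically broken without the other being compiled. Computing the pid/uid value into a local before the call (or using an always-defined `pfkey_kuid_to_uid()` that is the identity when `HAVE_USER_NS` is not set) would let the argument read `sadb_msg ? sadb_msg->sadb_msg_pid : pfkey_kuid_to_uid(current_uid())` with no preprocessor lines in the middle of the expression.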

