[Swan-dev] fedora 20 klips build
Matt Rogers
mrogers at redhat.com
Thu Mar 13 05:40:42 EET 2014
I've attached a patch that fixes klips when user namespaces are enabled in the
kernel. I am not 100% familiar with this feature, so I would like a review,
especially with regard to the use of init_user_ns when converting kuid_t. I
believe this is correct, as the init_user_ns namespace appears to act as the
global root namespace.
I tested klips on fedora kernels with and without CONFIG_USER_NS with this patch
and things worked normally.
Thanks,
Matt
-------------- next part --------------
commit be0cef873b85a8b4356ecf0fbebb5f83d19ca3b4
Author: Matt Rogers <mrogers at redhat.com>
Date: Wed Mar 12 22:34:45 2014 -0400
klips: convert kuid_t with the initial namespace when CONFIG_USER_NS
is enabled (now in fedora 20 kernels)
diff --git a/linux/include/libreswan/ipsec_kversion.h b/linux/include/libreswan/ipsec_kversion.h
index ed40fc0..2854a11 100644
--- a/linux/include/libreswan/ipsec_kversion.h
+++ b/linux/include/libreswan/ipsec_kversion.h
@@ -516,5 +516,10 @@
# define DEFINE_RWLOCK(x) rwlock_t x = RW_LOCK_UNLOCKED
#endif
+/* CONFIG_USER_NS is now on in Fedora 20 kernels */
+#if defined(CONFIG_USER_NS)
+# define HAVE_USER_NS
+#endif
+
#endif /* _LIBRESWAN_KVERSIONS_H */
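Review bot: Keying HAVE_USER_NS on CONFIG_USER_NS ties the fix to a symbol that is only a proxy for the real change: what altered the type of current_uid() is kuid_t becoming a struct (linux/uidgid.h), and if I recall the removal of CONFIG_UIDGID_STRICT_TYPE_CHECKS correctly that is the case from kernel 3.14 on whether or not CONFIG_USER_NS is set. On such a kernel built without CONFIG_USER_NS the `#else` branches in the pfkey_v2.c and pfkey_v2_parser.c hunks still assign a struct to key_pid and fail to build, whereas from_kuid(&init_user_ns, ...) is available on every kernel that has kuid_t at all. Consider widening the test, e.g. `#if defined(CONFIG_USER_NS) || defined(CONFIG_UIDGID_STRICT_TYPE_CHECKS) || LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)`, and let the comment state what the macro asserts rather than which distro flipped it: `/* kuid_t is a struct on this kernel, so uid values must go through from_kuid() */`.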
diff --git a/linux/include/libreswan/pfkey.h b/linux/include/libreswan/pfkey.h
index 76d9b58..32f4351 100644
--- a/linux/include/libreswan/pfkey.h
+++ b/linux/include/libreswan/pfkey.h
@@ -29,7 +29,9 @@ extern /* void */ int pfkey_cleanup(void);
extern int pfkey_registered_show(struct seq_file *seq, void *offset);
extern int pfkey_supported_show(struct seq_file *seq, void *offset);
extern int pfkey_show(struct seq_file *seq, void *offset);
-
+#ifdef HAVE_USER_NS
+extern uint32_t pfkey_kuid_to_uid(kuid_t kuid);
+#endif
struct socket_list {
struct socket *socketp;
struct socket_list *next;
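Review bot: The new prototype is undocumented, so a reader of pfkey.h cannot tell which namespace the conversion resolves in; add above it `/* Map a kernel-internal kuid_t to the global uid value that PF_KEY reports (resolved in the initial user namespace). */`. Both kuid_t and HAVE_USER_NS must already be in scope at this point (linux/uidgid.h via linux/cred.h, and ipsec_kversion.h); whether pfkey.h includes them is not visible in this hunk and is worth confirming. The blank line removed at the top of the hunk also leaves `struct socket_list` butting directly against the `#endif`; keep a separator line there.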
diff --git a/linux/net/ipsec/pfkey_v2.c b/linux/net/ipsec/pfkey_v2.c
index 94be7b4..62db8d7 100644
--- a/linux/net/ipsec/pfkey_v2.c
+++ b/linux/net/ipsec/pfkey_v2.c
@@ -552,6 +552,13 @@ DEBUG_NO_STATIC void pfkey_destroy_socket(struct sock *sk)
"klips_debug:pfkey_destroy_socket: destroyed.\n");
}
+#ifdef HAVE_USER_NS
+uint32_t pfkey_kuid_to_uid(kuid_t kuid)
+{
+ return from_kuid(&init_user_ns, kuid);
+}
+#endif
+
int pfkey_upmsg(struct socket *sock, struct sadb_msg *pfkey_msg)
{
struct sock *sk;
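Review bot: pfkey_kuid_to_uid is the right place to answer the question in the cover letter, and it should do so in a comment: key_pid(sk) previously held the plain global uid_t, and from_kuid(&init_user_ns, kuid) yields that same global value, since the initial namespace maps the whole id range onto itself (as far as I recall, it only differs for an already-invalid kuid, which comes back as (uid_t)-1). The point worth stating is that the stored value is deliberately the global uid, not the uid as seen inside the caller's own user namespace, e.g. `/* PF_KEY identifies peers by global uid, so resolve against the initial namespace rather than current_user_ns() */`. A one-line wrapper around from_kuid could also live as `static inline` in pfkey.h, which would remove the separate prototype and the cross-file symbol.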
@@ -739,7 +746,11 @@ DEBUG_NO_STATIC int pfkey_create(struct socket *sock, int protocol)
sk->sk_family = PF_KEY;
/* sk->num = protocol; */
sk->sk_protocol = protocol;
+#ifdef HAVE_USER_NS
+ key_pid(sk) = pfkey_kuid_to_uid(current_uid());
+#else
key_pid(sk) = current_uid();
+#endif
#ifdef HAVE_SOCKET_WQ
KLIPS_PRINT(debug_pfkey,
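Review bot: The #ifdef/#else pair around the key_pid assignment repeats the configuration decision at the call site, and the same pair appears again in the pfkey_v2_parser.c hunk. Providing the fallback once next to the prototype in pfkey.h, `#else` / `# define pfkey_kuid_to_uid(uid) (uid)` / `#endif`, lets both sites read `key_pid(sk) = pfkey_kuid_to_uid(current_uid());` with no conditional, so a future change to the mapping is made in one place. pfkey_create begins and ends outside this hunk.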
diff --git a/linux/net/ipsec/pfkey_v2_parser.c b/linux/net/ipsec/pfkey_v2_parser.c
index 7c2ba3b..40b0444 100644
--- a/linux/net/ipsec/pfkey_v2_parser.c
+++ b/linux/net/ipsec/pfkey_v2_parser.c
@@ -1850,7 +1850,11 @@ int pfkey_register_reply(int satype, struct sadb_msg *sadb_msg)
pfkey_msg_seq,
sadb_msg ? sadb_msg
->sadb_msg_pid :
+#ifdef HAVE_USER_NS
+ pfkey_kuid_to_uid(current_uid())),
+#else
current_uid()),
+#endif
extensions_reply) &&
(alg_num_a ? pfkey_safe_build(error =
pfkey_supported_build(&