1 /* Shared library add-on to iptables to add OWNER matching support. */
10 #include <ip6tables.h>
11 #include <linux/netfilter_ipv6/ip6t_owner.h>
13 /* Function which prints out usage message. */
17 #ifdef IP6T_OWNER_COMM
19 "OWNER match v%s options:\n"
20 "[!] --uid-owner userid Match local uid\n"
21 "[!] --gid-owner groupid Match local gid\n"
22 "[!] --pid-owner processid Match local pid\n"
23 "[!] --sid-owner sessionid Match local sid\n"
24 "[!] --cmd-owner name Match local command name\n"
29 "OWNER match v%s options:\n"
30 "[!] --uid-owner userid Match local uid\n"
31 "[!] --gid-owner groupid Match local gid\n"
32 "[!] --pid-owner processid Match local pid\n"
33 "[!] --sid-owner sessionid Match local sid\n"
36 #endif /* IP6T_OWNER_COMM */
39 static struct option opts[] = {
40 { "uid-owner", 1, 0, '1' },
41 { "gid-owner", 1, 0, '2' },
42 { "pid-owner", 1, 0, '3' },
43 { "sid-owner", 1, 0, '4' },
44 #ifdef IP6T_OWNER_COMM
45 { "cmd-owner", 1, 0, '5' },
50 /* Initialize the match. */
52 init(struct ip6t_entry_match *m, unsigned int *nfcache)
54 /* Can't cache this. */
55 *nfcache |= NFC_UNKNOWN;
58 /* Function which parses command options; returns true if it
61 parse(int c, char **argv, int invert, unsigned int *flags,
62 const struct ip6t_entry *entry,
63 unsigned int *nfcache,
64 struct ip6t_entry_match **match)
66 struct ip6t_owner_info *ownerinfo = (struct ip6t_owner_info *)(*match)->data;
73 check_inverse(optarg, &invert, &optind, 0);
75 if ((pwd = getpwnam(optarg)))
76 ownerinfo->uid = pwd->pw_uid;
78 ownerinfo->uid = strtoul(optarg, &end, 0);
79 if (*end != '\0' || end == optarg)
80 exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
83 ownerinfo->invert |= IP6T_OWNER_UID;
84 ownerinfo->match |= IP6T_OWNER_UID;
89 check_inverse(optarg, &invert, &optind, 0);
90 if ((grp = getgrnam(optarg)))
91 ownerinfo->gid = grp->gr_gid;
93 ownerinfo->gid = strtoul(optarg, &end, 0);
94 if (*end != '\0' || end == optarg)
95 exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
98 ownerinfo->invert |= IP6T_OWNER_GID;
99 ownerinfo->match |= IP6T_OWNER_GID;
104 check_inverse(optarg, &invert, &optind, 0);
105 ownerinfo->pid = strtoul(optarg, &end, 0);
106 if (*end != '\0' || end == optarg)
107 exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
109 ownerinfo->invert |= IP6T_OWNER_PID;
110 ownerinfo->match |= IP6T_OWNER_PID;
115 check_inverse(optarg, &invert, &optind, 0);
116 ownerinfo->sid = strtoul(optarg, &end, 0);
117 if (*end != '\0' || end == optarg)
118 exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
120 ownerinfo->invert |= IP6T_OWNER_SID;
121 ownerinfo->match |= IP6T_OWNER_SID;
125 #ifdef IP6T_OWNER_COMM
127 check_inverse(optarg, &invert, &optind, 0);
128 if(strlen(optarg) > sizeof(ownerinfo->comm))
129 exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters", optarg, sizeof(ownerinfo->comm));
131 strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
134 ownerinfo->invert |= IP6T_OWNER_COMM;
135 ownerinfo->match |= IP6T_OWNER_COMM;
147 print_item(struct ip6t_owner_info *info, u_int8_t flag, int numeric, char *label)
149 if(info->match & flag) {
153 if (info->invert & flag)
156 switch(info->match & flag) {
159 struct passwd *pwd = getpwuid(info->uid);
161 if(pwd && pwd->pw_name) {
162 printf("%s ", pwd->pw_name);
167 printf("%u ", info->uid);
171 struct group *grp = getgrgid(info->gid);
173 if(grp && grp->gr_name) {
174 printf("%s ", grp->gr_name);
179 printf("%u ", info->gid);
182 printf("%u ", info->pid);
185 printf("%u ", info->sid);
187 #ifdef IP6T_OWNER_COMM
188 case IP6T_OWNER_COMM:
189 printf("%.*s ", (int)sizeof(info->comm), info->comm);
198 /* Final check; must have specified --own. */
200 final_check(unsigned int flags)
203 exit_error(PARAMETER_PROBLEM,
204 "OWNER match: You must specify one or more options");
207 /* Prints out the matchinfo. */
209 print(const struct ip6t_ip6 *ip,
210 const struct ip6t_entry_match *match,
213 struct ip6t_owner_info *info = (struct ip6t_owner_info *)match->data;
215 print_item(info, IP6T_OWNER_UID, numeric, "OWNER UID match ");
216 print_item(info, IP6T_OWNER_GID, numeric, "OWNER GID match ");
217 print_item(info, IP6T_OWNER_PID, numeric, "OWNER PID match ");
218 print_item(info, IP6T_OWNER_SID, numeric, "OWNER SID match ");
219 #ifdef IP6T_OWNER_COMM
220 print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
224 /* Saves the union ip6t_matchinfo in parsable form to stdout. */
226 save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
228 struct ip6t_owner_info *info = (struct ip6t_owner_info *)match->data;
230 print_item(info, IP6T_OWNER_UID, 0, "--uid-owner ");
231 print_item(info, IP6T_OWNER_GID, 0, "--gid-owner ");
232 print_item(info, IP6T_OWNER_PID, 0, "--pid-owner ");
233 print_item(info, IP6T_OWNER_SID, 0, "--sid-owner ");
234 #ifdef IP6T_OWNER_COMM
235 print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
240 struct ip6tables_match owner
244 IP6T_ALIGN(sizeof(struct ip6t_owner_info)),
245 IP6T_ALIGN(sizeof(struct ip6t_owner_info)),
257 register_match6(&owner);