Add support to PF for ruid/rgid checking

Devon H. O'Dell dodell at sitetronics.com
Mon Feb 28 05:48:08 PST 2005


It's a useful thing to have!

This is a port of the patch provided by Maxime Henrion
<mux at xxxxxxxxxxx>.

His patch is available at http://mu.org/~mux/patches/pf.patch

Enjoy,

Devon
diff -urN usr.sbin/pfctl/parse.y /root/pfctl/parse.y
--- usr.sbin/pfctl/parse.y	2005-02-11 23:31:45.000000000 +0100
+++ /root/pfctl/parse.y	2005-02-28 14:19:03.000000000 +0100
@@ -168,6 +168,8 @@
 #define FOM_SRCTRACK	0x10
 	struct node_uid		*uid;
 	struct node_gid		*gid;
+	struct node_uid		*ruid;
+	struct node_gid		*rgid
 	struct {
 		u_int8_t	 b1;
 		u_int8_t	 b2;
@@ -262,7 +264,8 @@
 void	expand_rule(struct pf_rule *, struct node_if *, struct node_host *,
 	    struct node_proto *, struct node_os*, struct node_host *,
 	    struct node_port *, struct node_host *, struct node_port *,
-	    struct node_uid *, struct node_gid *, struct node_icmp *);
+	    struct node_uid *, struct node_gid *, struct node_icmp *,
+	    struct node_uid *, struct node_gid *);
 int	expand_altq(struct pf_altq *, struct node_if *, struct node_queue *,
 	    struct node_queue_bw bwspec, struct node_queue_opt *);
 int	expand_queue(struct pf_altq *, struct node_if *, struct node_queue *,
@@ -331,6 +334,8 @@
 		struct node_port	*port;
 		struct node_uid		*uid;
 		struct node_gid		*gid;
+		struct node_uid		*ruid;
+		struct node_gid		*rgid;
 		struct node_state_opt	*state_opt;
 		struct peer		 peer;
 		struct {
@@ -407,6 +412,7 @@
 %token	LOAD
 %token	STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
 %token	TAGGED TAG IFBOUND GRBOUND FLOATING STATEPOLICY
+%token	RUSER RGROUP
 %token	<v.string>		STRING
 %token	<v.i>			PORTBINARY
 %type	<v.interface>		interface if_list if_item_not if_item
@@ -430,6 +436,8 @@
 %type	<v.port>		portspec port_list port_item
 %type	<v.uid>			uids uid_list uid_item
 %type	<v.gid>			gids gid_list gid_item
+%type	<v.ruid>		ruids
+%type	<v.rgid>		rgids
 %type	<v.route>		route
 %type	<v.redirection>		redirection redirpool
 %type	<v.string>		label string tag
@@ -621,7 +629,7 @@
 
 			expand_rule(&r, $4, NULL, $6, $7.src_os,
 			    $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
-			    0, 0, 0);
+			    0, 0, 0, 0, 0);
 		}
 		| NATANCHOR string interface af proto fromto {
 			struct pf_rule	r;
@@ -641,7 +649,7 @@
 
 			expand_rule(&r, $3, NULL, $5, $6.src_os,
 			    $6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
-			    0, 0, 0);
+			    0, 0, 0, 0, 0);
 		}
 		| RDRANCHOR string interface af proto fromto {
 			struct pf_rule	r;
@@ -682,7 +690,7 @@
 
 			expand_rule(&r, $3, NULL, $5, $6.src_os,
 			    $6.src.host, $6.src.port, $6.dst.host, $6.dst.port,
-			    0, 0, 0);
+			    0, 0, 0, 0, 0);
 		}
 		| BINATANCHOR string interface af proto fromto {
 			struct pf_rule	r;
@@ -800,7 +808,7 @@
 
 			expand_rule(&r, $4, NULL, $6, $7.src_os,
 			    $7.src.host, $7.src.port, $7.dst.host, $7.dst.port,
-			    NULL, NULL, NULL);
+			    NULL, NULL, NULL, NULL, NULL);
 		}
 		;
 
@@ -916,7 +924,8 @@
 
 				if (h != NULL)
 					expand_rule(&r, j, NULL, NULL, NULL, h,
-					    NULL, NULL, NULL, NULL, NULL, NULL);
+					    NULL, NULL, NULL, NULL, NULL, NULL
+					    NULL, NULL);
 
 				if ((i->ifa_flags & IFF_LOOPBACK) == 0) {
 					bzero(&r, sizeof(r));
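Review bot: The rewritten expand_rule call drops the comma between the sixth `NULL` and the new continuation line (`NULL, NULL, NULL, NULL, NULL, NULL` followed by `NULL, NULL);`), which leaves the argument list malformed; the same omission appears in the next hunk (`NULL, NULL, NULL, NULL` then `NULL, NULL);`). The first continuation line should end `NULL, NULL, NULL, NULL, NULL, NULL,` and the second `NULL, NULL, NULL, NULL,`. The enclosing grammar action starts before this hunk.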
@@ -932,7 +941,8 @@
 					if (h != NULL)
 						expand_rule(&r, NULL, NULL,
 						    NULL, NULL, h, NULL, NULL,
-						    NULL, NULL, NULL, NULL);
+						    NULL, NULL, NULL, NULL
+						    NULL, NULL);
 				}
 			}
 			free($5.label);
@@ -1701,7 +1711,7 @@
 
 			expand_rule(&r, $4, $5.host, $7, $8.src_os,
 			    $8.src.host, $8.src.port, $8.dst.host, $8.dst.port,
-			    $9.uid, $9.gid, $9.icmpspec);
+			    $9.uid, $9.gid, $9.icmpspec, $9.ruid, $9.rgid);
 		}
 		;
 
@@ -1728,6 +1738,16 @@
 				$2->tail->next = filter_opts.gid;
 			filter_opts.gid = $2;
 		}
+		| RUSER ruids {
+			if (filter_opts.ruid)
+				$2->tail->next = filter_opts.ruid;
+			filter_opts.ruid = $2;
+		}
+		| RGROUP rgids {
+			if (filter_opts.rgid)
+				$2->tail->next = filter_opts.rgid;
+			filter_opts.rgid = $2;
+		}
 		| flags {
 			if (filter_opts.marker & FOM_FLAGS) {
 				yyerror("flags cannot be redefined");
@@ -2307,6 +2327,9 @@
 		| '{' uid_list '}'		{ $$ = $2; }
 		;
 
+ruids		: uid_item			{ $$ = $1; }
+		| '{' uid_list '}'		{ $$ = $2; }
+
 uid_list	: uid_item			{ $$ = $1; }
 		| uid_list comma uid_item	{
 			$1->tail->next = $3;
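Review bot: The new `ruids` rule is not terminated with `;` before `uid_list` begins, unlike every neighbouring rule and the `rgids` rule added later in the same patch. Most yacc implementations accept the omission because the next `IDENTIFIER :` starts a new rule, but the inconsistency is easy to misread and a later edit that appends an alternative could attach it to the wrong rule. Add `		;` after the `'{' uid_list '}'		{ $$ = $2; }` alternative.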
@@ -2389,6 +2412,10 @@
 		| '{' gid_list '}'		{ $$ = $2; }
 		;
 
+rgids		: gid_item			{ $$ = $1; }
+		| '{' gid_list '}'		( $$ = $2; }
+		;
+
 gid_list	: gid_item			{ $$ = $1; }
 		| gid_list comma gid_item	{
 			$1->tail->next = $3;
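Review bot: The second alternative of the new `rgids` rule opens its action with `(` instead of `{` (`'{' gid_list '}'		( $$ = $2; }`), which is a syntax error in the grammar file. It should mirror the `gids` and `ruids` forms: `		| '{' gid_list '}'		{ $$ = $2; }`.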
@@ -3151,7 +3178,7 @@
 
 			expand_rule(&r, $2, $7 == NULL ? NULL : $7->host, $4,
 			    $5.src_os, $5.src.host, $5.src.port, $5.dst.host,
-			    $5.dst.port, 0, 0, 0);
+			    $5.dst.port, 0, 0, 0, 0, 0);
 			free($7);
 		}
 		;
@@ -4098,7 +4125,8 @@
     struct node_proto *protos, struct node_os *src_oses,
     struct node_host *src_hosts, struct node_port *src_ports,
     struct node_host *dst_hosts, struct node_port *dst_ports,
-    struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types)
+    struct node_uid *uids, struct node_gid *gids, struct node_icmp *icmp_types,
+    struct node_uid *ruids, struct node_gid *gids)
 {
 	sa_family_t		 af = r->af;
 	int			 added = 0, error = 0;
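Review bot: The new trailing parameter of expand_rule is named `gids`, duplicating the existing `gids` parameter two positions earlier, so the definition cannot compile; the body's `LOOP_THROUGH(struct node_gid, rgid, rgids,` and `FREE_LIST(struct node_gid, rgids);` added later in the patch show the intended name. Change the line to `    struct node_uid *ruids, struct node_gid *rgids)`. The function body continues well beyond this hunk.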
@@ -4131,6 +4159,8 @@
 	LOOP_THROUGH(struct node_port, dst_port, dst_ports,
 	LOOP_THROUGH(struct node_uid, uid, uids,
 	LOOP_THROUGH(struct node_gid, gid, gids,
+	LOOP_THROUGH(struct node_uid, ruid, ruids,
+	LOOP_THROUGH(struct node_gid, rgid, rgids,
 
 		r->af = af;
 		/* for link-local IPv6 address, interface must match up */
@@ -4197,6 +4227,12 @@
 		r->gid.op = gid->op;
 		r->gid.gid[0] = gid->gid[0];
 		r->gid.gid[1] = gid->gid[1];
+		r->ruid.op = ruid->op;
+		r->ruid.uid[0] = ruid->uid[0];
+		r->ruid.uid[1] = ruid->uid[1];
+		r->rgid.op = rgid->op;
+		r->rgid.gid[0] = rgid->gid[0];
+		r->rgid.gid[1] = rgid->gid[1];
 		r->type = icmp_type->type;
 		r->code = icmp_type->code;
 
@@ -4254,7 +4290,7 @@
 			added++;
 		}
 
-	))))))))));
+	))))))))))));
 
 	FREE_LIST(struct node_if, interfaces);
 	FREE_LIST(struct node_proto, protos);
@@ -4265,6 +4301,8 @@
 	FREE_LIST(struct node_port, dst_ports);
 	FREE_LIST(struct node_uid, uids);
 	FREE_LIST(struct node_gid, gids);
+	FREE_LIST(struct node_uid, ruids);
+	FREE_LIST(struct node_gid, rgids);
 	FREE_LIST(struct node_icmp, icmp_types);
 	FREE_LIST(struct node_host, rpool_hosts);
 
@@ -4380,9 +4418,11 @@
 		{ "return-icmp",	RETURNICMP},
 		{ "return-icmp6",	RETURNICMP6},
 		{ "return-rst",		RETURNRST},
+		{ "rgroup",		RGROUP},
 		{ "round-robin",	ROUNDROBIN},
 		{ "route-to",		ROUTETO},
 		{ "rule",		RULE},
+		{ "ruser",		RUSER},
 		{ "scrub",		SCRUB},
 		{ "set",		SET},
 		{ "source-hash",	SOURCEHASH},
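Review bot: The patch introduces the `ruser` and `rgroup` keywords but carries no pf.conf(5) manual page change, so the new syntax and its difference from `user`/`group` (the patch reads `cr_ruid`/`cr_rgid` in pf.c, i.e. the real rather than effective credentials of the socket owner) are undocumented. A man page hunk next to the existing `user`/`group` description should accompany this change. The two table entries themselves are placed consistently with the table's alphabetical ordering.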
diff -urN usr.sbin/pfctl/pfctl_parser.c /root/pfctl/pfctl_parser.c
--- usr.sbin/pfctl/pfctl_parser.c	2004-09-21 23:25:28.000000000 +0200
+++ /root/pfctl/pfctl_parser.c	2005-02-28 14:19:38.000000000 +0100
@@ -745,6 +745,12 @@
 	if (r->gid.op)
 		print_ugid(r->gid.op, r->gid.gid[0], r->gid.gid[1], "group",
 		    GID_MAX);
+	if (r->ruid.op)
+		print_ugid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1], "ruser",
+		    UID_MAX);
+	if (r->rgid.op)
+		print_ugid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1], "rgroup",
+		    GID_MAX);
 	if (r->flags || r->flagset) {
 		printf(" flags ");
 		print_flags(r->flags);
diff -urN sys/net/pf/pf.c /root/pf/pf.c
--- sys/net/pf/pf.c	2005-02-11 23:25:57.000000000 +0100
+++ /root/pf/pf.c	2005-02-28 14:30:13.000000000 +0100
@@ -204,7 +204,7 @@
 			    struct ifnet *, struct pf_state *);
 void			 pf_route6(struct mbuf **, struct pf_rule *, int,
 			    struct ifnet *, struct pf_state *);
-int			 pf_socket_lookup(uid_t *, gid_t *,
+int			 pf_socket_lookup(uid_t *, gid_t *, uid_t *, gid_t *,
 			    int, struct pf_pdesc *);
 u_int8_t		 pf_get_wscale(struct mbuf *, int, u_int16_t,
 			    sa_family_t);
@@ -2186,7 +2186,8 @@
 #endif /* SMP */
 
 int
-pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, struct pf_pdesc *pd)
+pf_socket_lookup(uid_t *uid, gid_t *gid, uid_t *ruid, gid_t *rgid, 
+    int direction, struct pf_pdesc *pd)
 {
 	struct pf_addr		*saddr, *daddr;
 	u_int16_t		 sport, dport;
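Review bot: The rewritten signature line `pf_socket_lookup(uid_t *uid, gid_t *gid, uid_t *ruid, gid_t *rgid, ` ends in trailing whitespace, and the same appears on several rewritten `direction, ` call lines later in the patch. These should be trimmed before the patch is committed. The function body continues beyond this hunk.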
@@ -2199,6 +2200,8 @@
 
 	*uid = UID_MAX;
 	*gid = GID_MAX;
+	*ruid = UID_MAX;
+	*rgid = GID_MAX;
 	if (direction == PF_IN) {
 		saddr = pd->src;
 		daddr = pd->dst;
@@ -2298,6 +2301,8 @@
 	}
 	*uid = inp->inp_socket->so_cred->cr_uid;
 	*gid = inp->inp_socket->so_cred->cr_groups[0];
+	*ruid = inp->inp_socket->so_cred->cr_ruid;
+	*rgid = inp->inp_socket->so_cred->cr_rgid;
 	return (1);
 }
 
@@ -2467,8 +2472,8 @@
 	u_int16_t		 bport, nport = 0;
 	sa_family_t		 af = pd->af;
 	int			 lookup = -1;
-	uid_t			 uid;
-	gid_t			 gid;
+	uid_t			 uid, ruid;
+	gid_t			 gid, rgid;
 	struct pf_rule		*r, *a = NULL;
 	struct pf_ruleset	*ruleset = NULL;
 	struct pf_src_node	*nsn = NULL;
@@ -2537,15 +2542,29 @@
 		else if ((r->flagset & th->th_flags) != r->flags)
 			r = TAILQ_NEXT(r, entries);
 		else if (r->uid.op && (lookup != -1 || (lookup =
-		    pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
+		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, 
+		        pd), 1)) &&
 		    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
 		    uid))
 			r = TAILQ_NEXT(r, entries);
+		else if (r->ruid.op && (lookup != -1 || (lookup =
+		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+		        pd, inp), 1)) &&
+		    !pf_match_uid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1],
+		    ruid))
+			r = TAILQ_NEXT(r, entries);
 		else if (r->gid.op && (lookup != -1 || (lookup =
-		    pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
+		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, 
+		        pd), 1)) &&
 		    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
 		    gid))
 			r = TAILQ_NEXT(r, entries);
+		else if (r->rgid.op && (lookup != -1 || (lookup =
+		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+		        pd, inp), 1)) &&
+		    !pf_match_gid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1],
+		    rgid))
+			r = TAILQ_NEXT(r, entries);
 		else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
 			r = TAILQ_NEXT(r, entries);
 		else if (r->anchorname[0] && r->anchor == NULL)
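Review bot: The two new `else if` branches call `pf_socket_lookup` with seven arguments (`..., direction, pd, inp), 1))`) while the prototype in this patch and the adjacent uid/gid branches pass six, and no `inp` is visible in this scope, so the file will not compile; the same defect repeats in the second rule-matching hunk below. The calls should read `		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, pd), 1)) &&`. Reusing the shared `lookup` flag across the ruid/rgid branches is correct, since a single lookup fills all four credential outputs. The enclosing matching loop extends beyond this hunk.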
@@ -2818,8 +2837,8 @@
 	u_int16_t		 bport, nport = 0;
 	sa_family_t		 af = pd->af;
 	int			 lookup = -1;
-	uid_t			 uid;
-	gid_t			 gid;
+	uid_t			 uid, ruid;
+	gid_t			 gid, rgid;
 	struct pf_rule		*r, *a = NULL;
 	struct pf_ruleset	*ruleset = NULL;
 	struct pf_src_node	*nsn = NULL;
@@ -2885,15 +2904,29 @@
 		else if (r->rule_flag & PFRULE_FRAGMENT)
 			r = TAILQ_NEXT(r, entries);
 		else if (r->uid.op && (lookup != -1 || (lookup =
-		    pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
+		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, 
+		        pd), 1)) &&
 		    !pf_match_uid(r->uid.op, r->uid.uid[0], r->uid.uid[1],
 		    uid))
 			r = TAILQ_NEXT(r, entries);
+		else if (r->ruid.op && (lookup != -1 || (lookup =
+		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+		        pd, inp), 1)) &&
+		    !pf_match_uid(r->ruid.op, r->ruid.uid[0], r->ruid.uid[1],
+		    ruid))
+			r = TAILQ_NEXT(r, entries);
 		else if (r->gid.op && (lookup != -1 || (lookup =
-		    pf_socket_lookup(&uid, &gid, direction, pd), 1)) &&
+		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction, 
+		        pd), 1)) &&
 		    !pf_match_gid(r->gid.op, r->gid.gid[0], r->gid.gid[1],
 		    gid))
 			r = TAILQ_NEXT(r, entries);
+		else if (r->rgid.op && (lookup != -1 || (lookup =
+		    pf_socket_lookup(&uid, &gid, &ruid, &rgid, direction,
+		        pd, inp), 1)) &&
+		    !pf_match_gid(r->rgid.op, r->rgid.gid[0], r->rgid.gid[1],
+		    rgid))
+			r = TAILQ_NEXT(r, entries);
 		else if (r->match_tag && !pf_match_tag(m, r, nr, &tag))
 			r = TAILQ_NEXT(r, entries);
 		else if (r->anchorname[0] && r->anchor == NULL)
diff -urN sys/net/pf/pfvar.h /root/pf/pfvar.h
--- sys/net/pf/pfvar.h	2005-02-11 23:25:57.000000000 +0100
+++ /root/pf/pfvar.h	2005-02-28 14:30:35.000000000 +0100
@@ -560,6 +560,8 @@
 
 	struct pf_rule_uid	 uid;
 	struct pf_rule_gid	 gid;
+	struct pf_rule_uid	 ruid;
+	struct pf_rule_gid	 rgid;
 
 	u_int32_t		 rule_flag;
 	u_int8_t		 action;
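Review bot: Adding `ruid`/`rgid` to `struct pf_rule` changes the layout of a structure that pfctl populates in expand_rule and presumably passes to the kernel, so a pfctl binary and kernel built from different versions of this header will disagree on the rule layout; if the tree carries a version marker for the pf ioctl interface it should be bumped in this patch. The two fields also deserve a short comment, e.g. `/* real uid/gid of the socket owner, filled by pf_socket_lookup */`, since `uid`/`gid` above them carry the effective credentials. The enclosing struct begins before this hunk.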



