authorLukasz Pawelczyk <l.pawelczyk@samsung.com>2019-05-10 13:46:22 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2023-12-13 17:42:17 +0100
commit22566a81f62b96400fbe75f3f67de3c5b83fe453 (patch)
treea2d82788a28306d8e655dfa544a1667a2d4c97d5 /include/uapi/linux
parentd371b0590c9ccc32bd02f2a3818e9fbd413f10b2 (diff)
netfilter: xt_owner: Add supplementary groups option
[ Upstream commit ea6cc2fd8a2b89ab6dcd096ba6dbc1ecbdf26564 ] The XT_OWNER_SUPPL_GROUPS flag causes GIDs specified with XT_OWNER_GID to be also checked in the supplementary groups of a process. f_cred->group_info cannot be modified during its lifetime and f_cred holds a reference to it so it's safe to use. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Stable-dep-of: 7ae836a3d630 ("netfilter: xt_owner: Fix for unsafe access of sk->sk_socket") Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'include/uapi/linux')
-rw-r--r--include/uapi/linux/netfilter/xt_owner.h7
1 files changed, 4 insertions, 3 deletions
diff --git a/include/uapi/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h
index fa3ad84957d5..9e98c09eda32 100644
--- a/include/uapi/linux/netfilter/xt_owner.h
+++ b/include/uapi/linux/netfilter/xt_owner.h
@@ -5,9 +5,10 @@
#include <linux/types.h>
enum {
- XT_OWNER_UID = 1 << 0,
- XT_OWNER_GID = 1 << 1,
- XT_OWNER_SOCKET = 1 << 2,
+ XT_OWNER_UID = 1 << 0,
+ XT_OWNER_GID = 1 << 1,
+ XT_OWNER_SOCKET = 1 << 2,
+ XT_OWNER_SUPPL_GROUPS = 1 << 3,
};
struct xt_owner_match_info {
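Review bot: XT_OWNER_SUPPL_GROUPS is added to the enum without a comment, although unlike the three bits above it is a modifier and not a match criterion of its own: per the commit message it only extends the XT_OWNER_GID comparison to a process's supplementary groups. Since userspace rule generators read this UAPI header, I would say so on the line itself, e.g. `XT_OWNER_SUPPL_GROUPS = 1 << 3, /* with XT_OWNER_GID: also check supplementary groups */`. This page is limited to include/uapi/linux, so the match's check routine is not visible; it is worth confirming that it rejects the bit when XT_OWNER_GID is not set and rejects unknown bits in general. If it does not, a ruleset relying on this flag could presumably load on a kernel without the feature and silently compare the primary GID only, which changes what the firewall policy admits. The body of struct xt_owner_match_info lies outside the hunk.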