4c1567f29a
This is a workaround to make IPAddressDeny=any/IPAddressAllow=any work for non-root users that have CAP_NET_ADMIN. "any" was chosen since all-or-nothing network access is one of the most common use cases for isolation. Allocating BPF LPM TRIE maps requires CAP_SYS_ADMIN while BPF_PROG_TYPE_CGROUP_SKB only needs CAP_NET_ADMIN. In the case of IPAddressXYZ="any" we can just consistently return false/true to avoid allocating the map and limit the user to having CAP_NET_ADMIN.
/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#include "conf-parser.h"
#include "in-addr-util.h"
#include "list.h"
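/* Forward typedef: the struct body below refers to its own type name in LIST_FIELDS(). */
typedef struct IPAddressAccessItem IPAddressAccessItem;

/* One address/prefix entry of an IP access list. The functions declared in this header take the head of such a list
 * as 'first'; the pair 0.0.0.0/0 and ::/0 is what expresses "any" (see ip_address_access_item_is_any()). */
struct IPAddressAccessItem {
        /* Address family that selects the valid member of 'address' — presumably AF_INET or AF_INET6; confirm
         * in the parser. */
        int family;

        /* Prefix length in bits. NOTE(review): the type admits 0..255, while a valid value depends on 'family'
         * (at most 32 for IPv4, 128 for IPv6). Nothing in this header enforces that; presumably
         * config_parse_ip_address_access() range-checks it — confirm, since consumers that build masks or map
         * keys from this field rely on it. */
        unsigned char prefixlen;

        /* Network address the prefix applies to. */
        union in_addr_union address;

        /* Linkage for the list named "items" (macro presumably provided by list.h). */
        LIST_FIELDS(IPAddressAccessItem, items);
};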
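/* Configuration parser callback, declared through CONFIG_PARSER_PROTOTYPE() (presumably from conf-parser.h).
 * NOTE(review): this is presumably where untrusted unit-file text becomes IPAddressAccessItem entries, so family and
 * prefix-length validation belongs here — confirm in the implementation. */
CONFIG_PARSER_PROTOTYPE(config_parse_ip_address_access);

/* Judging by the name, releases every item of the list starting at 'first'. What the returned pointer means is not
 * visible from this header — confirm in the implementation. After the call 'first' must be treated as invalid. */
IPAddressAccessItem* ip_address_access_free_all(IPAddressAccessItem *first);

/* Judging by the name, simplifies the list starting at 'first' and returns a list head. NOTE(review): presumably
 * items may be dropped, so callers should continue with the return value rather than the old 'first' — confirm. */
IPAddressAccessItem* ip_address_access_reduce(IPAddressAccessItem *first);

/* Returns true if a list consists of only the two items necessary for "any"
 * (0.0.0.0/0 and ::/0).
 *
 * NOTE(review): callers presumably use this to replace per-address matching with a constant allow/deny verdict. A false
 * positive would then turn a narrower list into all-or-nothing access, so the check has to be exact. Whether the list
 * must have gone through ip_address_access_reduce() first, and how duplicate entries are counted, is not visible
 * from this header — confirm in the implementation. */
bool ip_address_access_item_is_any(IPAddressAccessItem *first);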