From fad407461d995daf1e02d711e46aca45c227d1df Mon Sep 17 00:00:00 2001
From: Camille Oudot
Date: Thu, 29 Oct 2015 13:55:47 +0100
Subject: [PATCH 1/4] allow non-root users to control the kernel module

use `set_proc_id=1` module option to let the module set ownership on the /proc/rtpengine filesystem to `proc_uid:proc_gid`
---
 kernel-module/xt_RTPENGINE.c | 43 ++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c
index 3958d2ddf..20c92e15d 100644
--- a/kernel-module/xt_RTPENGINE.c
+++ b/kernel-module/xt_RTPENGINE.c
@@ -82,6 +82,20 @@ struct rtp_parsed;
 struct re_crypto_context;
+bool set_proc_id = true;
+module_param(set_proc_id, bool, 0);
+MODULE_PARM_DESC(set_proc_id, "set specific user and group ids for the rtpengine procfs tree");
+
+kuid_t proc_kuid;
+uint proc_uid = 0;
+module_param(proc_uid, uint, 0);
+MODULE_PARM_DESC(proc_uid, "rtpengine procfs tree user id");
+
+
+kgid_t proc_kgid;
+uint proc_gid = 0;
+module_param(proc_gid, uint, 0);
+MODULE_PARM_DESC(proc_gid, "rtpengine procfs tree group id");
 static struct proc_dir_entry *my_proc_root;
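Review bot: The new module-parameter globals `set_proc_id`, `proc_kuid`, `proc_uid`, `proc_kgid` and `proc_gid` are defined without `static`, so they become module-wide symbols that can collide with identically named symbols in another module, while the neighbouring `my_proc_root` in the same hunk is `static`. Nothing in the hunk suggests another file needs them, so `static bool set_proc_id = true;`, `static kuid_t proc_kuid;` and `static uint proc_uid = 0;` (and the gid pair) are enough. The `MODULE_PARM_DESC` strings could also state that the ids are numeric ids in the initial user namespace, which is what the later `KUIDT_INIT` in this patch makes them, e.g. `"rtpengine procfs tree user id (numeric, initial user namespace)"`.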
@@ -396,26 +410,41 @@ static int table_create_proc(struct rtpengine_table *t, u_int32_t id) {
 if (!t->proc)
 return -1;
+if (set_proc_id)
+proc_set_user(t->proc, proc_kuid, proc_kgid);
+
 t->status = proc_create_data("status", S_IFREG | S_IRUGO, t->proc, &proc_status_ops, (void *) (unsigned long) id);
 if (!t->status)
 return -1;
+if (set_proc_id)
+proc_set_user(t->status, proc_kuid, proc_kgid);
+
 t->control = proc_create_data("control", S_IFREG | S_IWUSR | S_IWGRP, t->proc, &proc_control_ops, (void *) (unsigned long) id);
 if (!t->control)
 return -1;
+if (set_proc_id)
+proc_set_user(t->control, proc_kuid, proc_kgid);
+
 t->list = proc_create_data("list", S_IFREG | S_IRUGO, t->proc, &proc_list_ops, (void *) (unsigned long) id);
 if (!t->list)
 return -1;
+if (set_proc_id)
+proc_set_user(t->list, proc_kuid, proc_kgid);
+
 t->blist = proc_create_data("blist", S_IFREG | S_IRUGO, t->proc, &proc_blist_ops, (void *) (unsigned long) id);
 if (!t->blist)
 return -1;
+if (set_proc_id)
+proc_set_user(t->blist, proc_kuid, proc_kgid);
+
 return 0;
 }
@@ -2539,6 +2568,11 @@ static int __init init(void) {
 const char *err;
 printk(KERN_NOTICE "Registering xt_RTPENGINE module - version %s\n", RTPENGINE_VERSION);
+if (set_proc_id) {
+printk(KERN_NOTICE "using uid %u, gid %d\n", proc_uid, proc_gid);
+proc_kuid = KUIDT_INIT(proc_uid);
+proc_kgid = KGIDT_INIT(proc_gid);
+}
 rwlock_init(&table_lock);
@@ -2547,6 +2581,9 @@ static int __init init(void) {
 my_proc_root = proc_mkdir("rtpengine", NULL);
 if (!my_proc_root)
 goto fail;
+
+if (set_proc_id)
+proc_set_user(my_proc_root, proc_kuid, proc_kgid);
 /* my_proc_root->owner = THIS_MODULE; */
 proc_control = proc_create("control", S_IFREG | S_IWUSR | S_IWGRP, my_proc_root,
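Review bot: After `t->control = proc_create_data("control", S_IFREG | S_IWUSR | S_IWGRP, ...)` the new `proc_set_user(t->control, proc_kuid, proc_kgid)` hands write access to this table's control interface to every process running as `proc_uid` or belonging to `proc_gid`, not only to rtpengine, while `status`, `list` and `blist` stay `S_IRUGO`, so the chown changes nothing about who can read them. That is the purpose of the patch, but the trust boundary deserves a comment at the first `proc_set_user`: `/* ownership decides who may write "control": any process running as proc_uid, or in proc_gid, can drive this forwarding table */`. The five repeated `if (set_proc_id) proc_set_user(...)` pairs could also be folded into the creation step by a small static helper, so a later entry cannot be added without the chown.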
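Review bot: `proc_kuid = KUIDT_INIT(proc_uid)` builds a kuid_t straight from the raw module parameter with no validity check, so any value passed on the modprobe line is accepted and handed to `proc_set_user()`; the conventional route is `make_kuid(&init_user_ns, proc_uid)` followed by `uid_valid()`, which gives a defined failure for an unmappable id and is available on the kernels that already provide `kuid_t` and `proc_set_user()`. Returning `-EINVAL` at this point looks safe as far as the hunk shows, since `rwlock_init(&table_lock)` and the procfs registration come after it. The `printk` also formats `proc_gid`, declared `uint` in this patch, with `%d`; it should be `%u`. `init()` continues outside this hunk.
```c
	if (set_proc_id) {
		/* map through the initial user namespace and refuse to load on an
		 * unmappable id instead of trusting the raw value from modprobe */
		proc_kuid = make_kuid(&init_user_ns, proc_uid);
		proc_kgid = make_kgid(&init_user_ns, proc_gid);
		if (!uid_valid(proc_kuid) || !gid_valid(proc_kgid)) {
			printk(KERN_ERR "xt_RTPENGINE: invalid proc_uid %u / proc_gid %u\n", proc_uid, proc_gid);
			return -EINVAL;
		}
		printk(KERN_NOTICE "using uid %u, gid %u\n", proc_uid, proc_gid);
	}
	/* … unchanged: rwlock_init() and the rest of init() … */
```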
@@ -2554,10 +2591,16 @@ static int __init init(void) {
 if (!proc_control)
 goto fail;
+if (set_proc_id)
+proc_set_user(proc_control, proc_kuid, proc_kgid);
+
 proc_list = proc_create("list", S_IFREG | S_IRUGO, my_proc_root, &proc_main_list_ops);
 if (!proc_list)
 goto fail;
+if (set_proc_id)
+proc_set_user(proc_list, proc_kuid, proc_kgid);
+
 err = "could not register xtables target";
 ret = xt_register_targets(xt_rtpengine_regs, ARRAY_SIZE(xt_rtpengine_regs));
 if (ret)

From 5a8f5c3ab010942013a9fef05c4fad81918cf056 Mon Sep 17 00:00:00 2001
From: Camille Oudot
Date: Thu, 29 Oct 2015 15:07:45 +0100
Subject: [PATCH 2/4] add possibility to choose rtpengine process user

use RE_USER parameter of el/rtpengine.sysconfig
---
 el/rtpengine.init | 14 ++++++++++++--
 el/rtpengine.sysconfig | 2 ++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/el/rtpengine.init b/el/rtpengine.init
index 7ab49a33e..70e9f9bf3 100644
--- a/el/rtpengine.init
+++ b/el/rtpengine.init
@@ -180,7 +180,12 @@ start() {
 then
 echo "Loading module for in-kernel packet forwarding"
 rmmod xt_RTPENGINE 2> /dev/null
-modprobe xt_RTPENGINE
+if [[ -n "$RE_USER" ]]
+then
+modprobe xt_RTPENGINE set_proc_id=1 proc_uid=$(id $RE_USER -u) proc_gid=$(id $RE_USER -g)
+else
+modprobe xt_RTPENGINE
+fi
 temp=`firewall-cmd --state 2>/dev/null`
 if [[ $? == 0 ]]
 then
@@ -212,7 +217,12 @@ CUR_TABLE=$TABLE
 EOF
 fi
 echo -n $"Starting $prog: "
-daemon --pidfile=${pidfile} $rtpengine $OPTS
+if [[ -n "$RE_USER" ]]
+then
+daemon --user $RE_USER --pidfile=${pidfile} $rtpengine $OPTS
+else
+daemon --pidfile=${pidfile} $rtpengine $OPTS
+fi
 RETVAL=$?
 echo
 [ $RETVAL = 0 ] && touch ${lockfile}
diff --git a/el/rtpengine.sysconfig b/el/rtpengine.sysconfig
index 43c2dfaf8..11a7b276d 100644
--- a/el/rtpengine.sysconfig
+++ b/el/rtpengine.sysconfig
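Review bot: `proc_uid=$(id $RE_USER -u)` on the new modprobe line is never checked: if `RE_USER` names a user that does not exist, `id` fails, the substitution is empty and modprobe is handed `proc_uid=` and `proc_gid=` with empty values, which the kernel's uint parameter parser will most likely reject; since modprobe's exit status is not tested either, the start then continues without the module. `$RE_USER` is also unquoted, and `id user -u` only works where `id` permutes options. Resolve and validate once before the branch, e.g. `proc_uid=$(id -u "$RE_USER") || { echo "unknown user: $RE_USER"; return 1; }`, the same for `proc_gid=$(id -g "$RE_USER")`, then `modprobe xt_RTPENGINE set_proc_id=1 proc_uid="$proc_uid" proc_gid="$proc_gid"`. `start()` begins and ends outside this hunk.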
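Review bot: `daemon --user $RE_USER --pidfile=${pidfile} $rtpengine $OPTS` leaves `$RE_USER` unquoted and, more importantly, switches to that user before exec, so whatever `$rtpengine` creates at startup, presumably `${pidfile}` and its sockets or log files, must now be writable by `RE_USER`; the lock file touched on the last line is still written by root, so that one is unaffected. The hunk does not show where `pidfile` points, so this is a deployment caveat rather than a visible bug, but the init script is the place to guarantee it, e.g. `install -d -o "$RE_USER" "$(dirname "$pidfile")"` before the `daemon` call, and `daemon --user "$RE_USER" --pidfile="${pidfile}" $rtpengine $OPTS`. `start()` begins outside this hunk.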
@@ -40,3 +40,5 @@ LISTEN_UDP=127.0.0.1:2222 # IP address and port combination for UDP
 #REDIS=127.0.0.1:6379
 #REDIS_DB=0
 #B2B_URL=http://127.0.0.1:8080/xmlrpc
+
+#RE_USER=rtpengine # Run rtpengine as this specific user

From 88ce85e5af022b30d4b75a08090aee62a41036d1 Mon Sep 17 00:00:00 2001
From: Camille Oudot
Date: Mon, 2 Nov 2015 14:49:03 +0100
Subject: [PATCH 3/4] remove kernel module uid/gid global switch

---
 kernel-module/xt_RTPENGINE.c | 36 +++++++++++-------------------------
 1 file changed, 11 insertions(+), 25 deletions(-)

diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c
index 20c92e15d..de2cc2d76 100644
--- a/kernel-module/xt_RTPENGINE.c
+++ b/kernel-module/xt_RTPENGINE.c
@@ -82,10 +82,6 @@ struct rtp_parsed;
 struct re_crypto_context;
-bool set_proc_id = true;
-module_param(set_proc_id, bool, 0);
-MODULE_PARM_DESC(set_proc_id, "set specific user and group ids for the rtpengine procfs tree");
-
 kuid_t proc_kuid;
 uint proc_uid = 0;
 module_param(proc_uid, uint, 0);
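Review bot: The comment on `#RE_USER=rtpengine` says only that rtpengine runs as this user, but the init script in this same patch also passes that user's uid and gid to the kernel module, so the account ends up owning `/proc/rtpengine` and its group-writable `control` files; an administrator reusing a shared or pre-existing account should be told that. Suggest `#RE_USER=rtpengine # Run rtpengine as this user; it also becomes the owner of /proc/rtpengine and may drive in-kernel forwarding`. The account must exist before the service starts, which the comment could also say.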
@@ -410,40 +406,35 @@ static int table_create_proc(struct rtpengine_table *t, u_int32_t id) {
 if (!t->proc)
 return -1;
-if (set_proc_id)
-proc_set_user(t->proc, proc_kuid, proc_kgid);
+proc_set_user(t->proc, proc_kuid, proc_kgid);
 t->status = proc_create_data("status", S_IFREG | S_IRUGO, t->proc, &proc_status_ops, (void *) (unsigned long) id);
 if (!t->status)
 return -1;
-if (set_proc_id)
-proc_set_user(t->status, proc_kuid, proc_kgid);
+proc_set_user(t->status, proc_kuid, proc_kgid);
 t->control = proc_create_data("control", S_IFREG | S_IWUSR | S_IWGRP, t->proc, &proc_control_ops, (void *) (unsigned long) id);
 if (!t->control)
 return -1;
-if (set_proc_id)
-proc_set_user(t->control, proc_kuid, proc_kgid);
+proc_set_user(t->control, proc_kuid, proc_kgid);
 t->list = proc_create_data("list", S_IFREG | S_IRUGO, t->proc, &proc_list_ops, (void *) (unsigned long) id);
 if (!t->list)
 return -1;
-if (set_proc_id)
-proc_set_user(t->list, proc_kuid, proc_kgid);
+proc_set_user(t->list, proc_kuid, proc_kgid);
 t->blist = proc_create_data("blist", S_IFREG | S_IRUGO, t->proc, &proc_blist_ops, (void *) (unsigned long) id);
 if (!t->blist)
 return -1;
-if (set_proc_id)
-proc_set_user(t->blist, proc_kuid, proc_kgid);
+proc_set_user(t->blist, proc_kuid, proc_kgid);
 return 0;
 }
@@ -2568,11 +2559,9 @@ static int __init init(void) {
 const char *err;
 printk(KERN_NOTICE "Registering xt_RTPENGINE module - version %s\n", RTPENGINE_VERSION);
-if (set_proc_id) {
-printk(KERN_NOTICE "using uid %u, gid %d\n", proc_uid, proc_gid);
-proc_kuid = KUIDT_INIT(proc_uid);
-proc_kgid = KGIDT_INIT(proc_gid);
-}
+printk(KERN_DEBUG "using uid %u, gid %d\n", proc_uid, proc_gid);
+proc_kuid = KUIDT_INIT(proc_uid);
+proc_kgid = KGIDT_INIT(proc_gid);
 rwlock_init(&table_lock);
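Review bot: With the `set_proc_id` guard gone, every `proc_create_data()` in `table_create_proc()` is followed by an unconditional `proc_set_user(..., proc_kuid, proc_kgid)` of identical shape, five times; since ownership is what decides who may write `control`, an entry added later without the matching call would silently stay root-owned. A small static helper that creates and chowns in one step removes that class of mistake and shortens the function. The ops-pointer type below assumes the `*_ops` tables are `struct file_operations`, as `proc_create_data()` took at the time; adjust if the file declares them differently.
```c
/* create a procfs entry under parent and hand it to the configured uid/gid;
 * returns NULL on failure, exactly like proc_create_data() */
static struct proc_dir_entry *proc_create_owned(const char *name, umode_t mode,
		struct proc_dir_entry *parent, const struct file_operations *ops, void *data) {
	struct proc_dir_entry *p = proc_create_data(name, mode, parent, ops, data);
	if (p)
		proc_set_user(p, proc_kuid, proc_kgid);
	return p;
}

	/* … in table_create_proc(), each create/check/chown triple becomes: … */
	t->status = proc_create_owned("status", S_IFREG | S_IRUGO, t->proc, &proc_status_ops, (void *) (unsigned long) id);
	if (!t->status)
		return -1;
	/* … unchanged: control, list and blist follow the same pattern … */
```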
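Review bot: The now unconditional `printk(KERN_DEBUG "using uid %u, gid %d\n", proc_uid, proc_gid)` logs the ownership of a kernel control interface at debug level, which is normally filtered out, so the one fact an auditor would want after loading the module is the one that disappears from the log; it also still formats the `uint` `proc_gid` with `%d`. Log it at notice level only when the owner is not root, which keeps the default `proc_uid=0` case quiet: `if (proc_uid || proc_gid)` followed by `printk(KERN_NOTICE "xt_RTPENGINE: /proc/rtpengine owned by uid %u gid %u\n", proc_uid, proc_gid);`. The raw `KUIDT_INIT` conversion with no `uid_valid()` check also survives this cleanup. `init()` continues outside the hunk.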
@@ -2582,8 +2571,7 @@ static int __init init(void) {
 if (!my_proc_root)
 goto fail;
-if (set_proc_id)
-proc_set_user(my_proc_root, proc_kuid, proc_kgid);
+proc_set_user(my_proc_root, proc_kuid, proc_kgid);
 /* my_proc_root->owner = THIS_MODULE; */
 proc_control = proc_create("control", S_IFREG | S_IWUSR | S_IWGRP, my_proc_root,
@@ -2591,15 +2579,13 @@ static int __init init(void) {
 if (!proc_control)
 goto fail;
-if (set_proc_id)
-proc_set_user(proc_control, proc_kuid, proc_kgid);
+proc_set_user(proc_control, proc_kuid, proc_kgid);
 proc_list = proc_create("list", S_IFREG | S_IRUGO, my_proc_root, &proc_main_list_ops);
 if (!proc_list)
 goto fail;
-if (set_proc_id)
-proc_set_user(proc_list, proc_kuid, proc_kgid);
+proc_set_user(proc_list, proc_kuid, proc_kgid);
 err = "could not register xtables target";
 ret = xt_register_targets(xt_rtpengine_regs, ARRAY_SIZE(xt_rtpengine_regs));

From 6f6a70392da74d6507c205f8ad9774873b5b95e4 Mon Sep 17 00:00:00 2001
From: Camille Oudot
Date: Thu, 26 Nov 2015 15:39:26 +0100
Subject: [PATCH 4/4] add option to set the group owning /proc/rtpengine

---
 el/rtpengine.init | 8 +++++++-
 el/rtpengine.sysconfig | 2 ++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/el/rtpengine.init b/el/rtpengine.init
index 70e9f9bf3..5b584eb59 100644
--- a/el/rtpengine.init
+++ b/el/rtpengine.init
@@ -182,7 +182,13 @@ start() {
 rmmod xt_RTPENGINE 2> /dev/null
 if [[ -n "$RE_USER" ]]
 then
-modprobe xt_RTPENGINE set_proc_id=1 proc_uid=$(id $RE_USER -u) proc_gid=$(id $RE_USER -g)
+if [[ -n "$RE_GROUP" ]]
+then
+proc_gid=$(grep ^$RE_GROUP: /etc/group | cut -f3 -d:)
+else
+proc_gid=$(id $RE_USER -g)
+fi
+modprobe xt_RTPENGINE proc_uid=$(id $RE_USER -u) proc_gid=$proc_gid
 else
 modprobe xt_RTPENGINE
 fi
diff --git a/el/rtpengine.sysconfig b/el/rtpengine.sysconfig
index 11a7b276d..b878e6aff 100644
--- a/el/rtpengine.sysconfig
+++ b/el/rtpengine.sysconfig
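Review bot: `proc_gid=$(grep ^$RE_GROUP: /etc/group | cut -f3 -d:)` resolves the group by scanning `/etc/group` directly, so a group served through NSS (sssd, LDAP) is never found, an unquoted `$RE_GROUP` containing regex metacharacters or whitespace breaks or mismatches the pattern, and when nothing matches `proc_gid` is empty and the modprobe line passes `proc_gid=` with no value. Use the system resolver and fail loudly: `proc_gid=$(getent group "$RE_GROUP" | cut -d: -f3)` then `[[ -n "$proc_gid" ]] || { echo "unknown group: $RE_GROUP"; return 1; }`, and quote the value on the modprobe line as `proc_gid="$proc_gid"`. `start()` begins and ends outside this hunk.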
@@ -42,3 +42,5 @@ LISTEN_UDP=127.0.0.1:2222 # IP address and port combination for UDP
 #B2B_URL=http://127.0.0.1:8080/xmlrpc
 #RE_USER=rtpengine # Run rtpengine as this specific user
+
+#RE_GROUP=rtpengine # allow this group to control rtpengine in kernel mode
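Review bot: The new comment `# allow this group to control rtpengine in kernel mode` does not say that `RE_GROUP` is only honoured when `RE_USER` is also set; in the init script of this patch the group lookup sits inside the `if [[ -n "$RE_USER" ]]` branch, so a sysconfig with only `RE_GROUP` silently leaves `/proc/rtpengine` owned by root. Suggest `#RE_GROUP=rtpengine # group owning /proc/rtpengine; its members may write the control files (only used when RE_USER is set)`.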