  // SPDX-License-Identifier: GPL-2.0-only
  /*
   * Module for modifying the secmark field of the skb, for use by
   * security subsystems.
   *
   * Based on the nfmark match by:
   * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
   *
   * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
   */
  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  #include <linux/module.h>
  #include <linux/security.h>
  #include <linux/skbuff.h>
  #include <linux/netfilter/x_tables.h>
  #include <linux/netfilter/xt_SECMARK.h>
  
  MODULE_LICENSE("GPL");
  MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
  MODULE_DESCRIPTION("Xtables: packet security mark modification");
  MODULE_ALIAS("ipt_SECMARK");
  MODULE_ALIAS("ip6t_SECMARK");
  
  /* Legacy log prefix; nothing in this file references it (logging goes through pr_fmt()). */
  #define PFX "SECMARK: "
  
  /*
   * Module-wide SECMARK mode.  Zero until the first rule passes
   * secmark_tg_check(), which then fixes it; later rules with a different
   * mode are rejected.  It is never cleared again, not even from
   * secmark_tg_destroy(), so the mode is pinned for the module's lifetime.
   */
  static u8 mode;
  /*
   * Per-packet target hook: stamp skb->secmark with the secid that
   * checkentry_lsm() resolved when the rule was inserted.
   *
   * @mode was validated at rule-check time, so any value other than
   * SECMARK_MODE_SEL here is a broken module invariant rather than bad
   * input, and is treated as fatal.  Always returns XT_CONTINUE.
   */
  static unsigned int
  secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
  {
  	const struct xt_secmark_target_info *info = par->targinfo;
  	u32 mark = 0;
  
  	if (mode == SECMARK_MODE_SEL)
  		mark = info->secid;
  	else
  		BUG();
  
  	skb->secmark = mark;
  	return XT_CONTINUE;
  }
  /*
   * Resolve the rule's security context string to a secid and confirm
   * that relabeling packets with it is permitted.
   *
   * @info->secctx arrives with the rule and is not trusted to be
   * NUL-terminated, so its last byte is forced to '\0' before strlen()
   * is used on it.  On success @info->secid holds the resolved id, one
   * LSM secmark reference has been taken (released in
   * secmark_tg_destroy()) and 0 is returned.  On failure the LSM's
   * negative errno is returned, or -ENOENT when the context resolved
   * to secid 0.
   */
  static int checkentry_lsm(struct xt_secmark_target_info *info)
  {
  	int ret;
  
  	/* Defensive termination of the rule-supplied context string. */
  	info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
  	info->secid = 0;
  
  	ret = security_secctx_to_secid(info->secctx, strlen(info->secctx),
  				       &info->secid);
  	/* Only a malformed context is reported; other errors pass through. */
  	if (ret == -EINVAL)
  		pr_info_ratelimited("invalid security context \'%s\'\n",
  				    info->secctx);
  	if (ret)
  		return ret;
  
  	/* A zero secid is treated as "no usable mapping". */
  	if (info->secid == 0) {
  		pr_info_ratelimited("unable to map security context \'%s\'\n",
  				    info->secctx);
  		return -ENOENT;
  	}
  
  	ret = security_secmark_relabel_packet(info->secid);
  	if (ret) {
  		pr_info_ratelimited("unable to obtain relabeling permission\n");
  		return ret;
  	}
  
  	/* Paired with security_secmark_refcount_dec() in secmark_tg_destroy(). */
  	security_secmark_refcount_inc();
  	return 0;
  }
  /*
   * Rule-insertion check for the SECMARK target.
   *
   * Rejects rules outside the 'mangle' and 'security' tables, rules whose
   * mode differs from the module-wide @mode once that has been fixed, and
   * any mode other than SECMARK_MODE_SEL.  The LSM work (context lookup,
   * permission check, refcount) is delegated to checkentry_lsm().  The
   * first rule that passes pins @mode for the module's lifetime.
   *
   * Returns 0 on success, -EINVAL for a rejected rule, or the error from
   * checkentry_lsm().
   */
  static int secmark_tg_check(const struct xt_tgchk_param *par)
  {
  	struct xt_secmark_target_info *info = par->targinfo;
  	int ret;
  
  	/* Only the mangle and security tables may rewrite the secmark. */
  	if (strcmp(par->table, "mangle") &&
  	    strcmp(par->table, "security")) {
  		pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
  				    par->table);
  		return -EINVAL;
  	}
  
  	/*
  	 * NOTE(review): this check-then-set on the module-wide @mode relies
  	 * on the xtables core serialising checkentry calls — confirm.
  	 */
  	if (mode != 0 && info->mode != mode) {
  		pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
  				    mode, info->mode);
  		return -EINVAL;
  	}
  
  	if (info->mode != SECMARK_MODE_SEL) {
  		pr_info_ratelimited("invalid mode: %hu\n", info->mode);
  		return -EINVAL;
  	}
  
  	ret = checkentry_lsm(info);
  	if (ret)
  		return ret;
  
  	/* First accepted rule fixes the mode; destroy never resets it. */
  	if (mode == 0)
  		mode = info->mode;
  	return 0;
  }
  /*
   * Rule-removal hook: release the LSM secmark reference that
   * checkentry_lsm() took for this rule.  @par is unused.  Note that the
   * module-wide @mode is deliberately left as it is.
   */
  static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
  {
  	if (mode == SECMARK_MODE_SEL)
  		security_secmark_refcount_dec();
  }
  /*
   * Registration record for the SECMARK target.  Registered with
   * NFPROTO_UNSPEC, i.e. not tied to one protocol family; the
   * ipt_/ip6t_ module aliases above cover both iptables front ends.
   */
  static struct xt_target secmark_tg_reg __read_mostly = {
  	.name       = "SECMARK",
  	.family     = NFPROTO_UNSPEC,
  	.revision   = 0,
  	.targetsize = sizeof(struct xt_secmark_target_info),
  	.checkentry = secmark_tg_check,		/* validates the rule, resolves the secid */
  	.target     = secmark_tg,		/* per-packet hook */
  	.destroy    = secmark_tg_destroy,	/* drops the LSM reference */
  	.me         = THIS_MODULE,
  };
  /*
   * Module entry point: register the SECMARK target with the xtables core.
   * Returns 0 on success or the error from xt_register_target().
   */
  static int __init secmark_tg_init(void)
  {
  	int ret;
  
  	ret = xt_register_target(&secmark_tg_reg);
  	return ret;
  }
  /*
   * Module exit point: unregister the SECMARK target.  Per-rule cleanup
   * (LSM refcounts) happens in secmark_tg_destroy(), not here.
   */
  static void __exit secmark_tg_exit(void)
  {
  	xt_unregister_target(&secmark_tg_reg);
  }
  /* Hook the init/exit routines into the module loader. */
  module_init(secmark_tg_init);
  module_exit(secmark_tg_exit);