net/netfilter/xt_SECMARK.c
// SPDX-License-Identifier: GPL-2.0-only |
/* * Module for modifying the secmark field of the skb, for use by * security subsystems. * * Based on the nfmark match by: * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> * |
* (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com> |
*/ |
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
#include <linux/module.h> |
#include <linux/security.h> |
#include <linux/skbuff.h> |
#include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_SECMARK.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("James Morris <jmorris@redhat.com>"); |
MODULE_DESCRIPTION("Xtables: packet security mark modification"); |
MODULE_ALIAS("ipt_SECMARK"); MODULE_ALIAS("ip6t_SECMARK"); |
/*
 * Module-wide target mode. Zero until the first SECMARK rule passes
 * secmark_tg_check(), which then fixes it to that rule's mode; any later
 * rule asking for a different mode is rejected. Read on the packet path
 * by secmark_tg() and at rule teardown by secmark_tg_destroy(), and never
 * cleared, so the first mode loaded stays in force for the module's
 * lifetime (only SECMARK_MODE_SEL exists in this file).
 * NOTE(review): no locking of its own; presumably rule load/unload is
 * already serialized by the xtables core — confirm.
 */
static u8 mode;
/*
 * secmark_tg - per-packet target hook.
 *
 * Stamps the security ID that checkentry_lsm() resolved for this rule at
 * load time (info->secid) into skb->secmark, unconditionally replacing
 * whatever mark the packet already carried. The module-wide @mode is the
 * only mode admitted by secmark_tg_check(), so the BUG() branch is
 * reachable only if a rule was installed without passing validation.
 */
static unsigned int
secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
	const struct xt_secmark_target_info *info = par->targinfo;
	u32 mark = 0;

	if (mode == SECMARK_MODE_SEL)
		mark = info->secid;
	else
		BUG();

	skb->secmark = mark;
	return XT_CONTINUE;
}
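/*
 * checkentry_lsm - resolve and authorize the security context of one rule.
 * @info: the rule's target info as copied in from userspace. @info->secctx
 *        is the context string; @info->secid is (re)computed here and is
 *        what secmark_tg() later writes into the skb.
 *
 * Returns 0 on success; otherwise the error from
 * security_secctx_to_secid() (only the -EINVAL case is logged), -ENOENT
 * when the context maps to secid 0, or the error from
 * security_secmark_relabel_packet() when relabeling is not permitted.
 *
 * Fix: every pr_info_ratelimited() format now ends in '\n'; without the
 * terminator consecutive log messages run together.
 */
static int checkentry_lsm(struct xt_secmark_target_info *info)
{
	int err;

	/*
	 * secctx comes straight from userspace and need not be
	 * NUL-terminated; force a terminator so strlen() below cannot run
	 * past the buffer. Clear secid too: whatever userspace put there
	 * is never trusted, the value is derived from the context string.
	 */
	info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
	info->secid = 0;

	err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
				       &info->secid);
	if (err) {
		if (err == -EINVAL)
			pr_info_ratelimited("invalid security context \'%s\'\n",
					    info->secctx);
		return err;
	}

	if (!info->secid) {
		pr_info_ratelimited("unable to map security context \'%s\'\n",
				    info->secctx);
		return -ENOENT;
	}

	/*
	 * Authorization step: the LSM decides whether the task loading this
	 * rule may relabel packets to @secid. Dropping or reordering this
	 * check would let anyone able to insert rules apply arbitrary
	 * security labels to traffic.
	 */
	err = security_secmark_relabel_packet(info->secid);
	if (err) {
		pr_info_ratelimited("unable to obtain relabeling permission\n");
		return err;
	}

	/*
	 * Taken only once every check above has passed; paired with
	 * security_secmark_refcount_dec() in secmark_tg_destroy().
	 */
	security_secmark_refcount_inc();
	return 0;
}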
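/*
 * secmark_tg_check - validate one SECMARK rule at table-load time.
 * @par: xtables check parameters; @par->targinfo is the rule's
 *       struct xt_secmark_target_info as supplied by userspace.
 *
 * Checks, in order: the rule lives in the "mangle" or "security" table,
 * its mode agrees with the module-wide @mode if one is already set, and
 * the mode is one this file knows (SECMARK_MODE_SEL). Only then is the
 * context resolved and authorized by checkentry_lsm(), and only after
 * that succeeds is @mode committed - a rule that fails authorization
 * therefore cannot pin the module-wide mode.
 *
 * Returns 0 on success, -EINVAL for a rejected table or mode, or the
 * error from checkentry_lsm().
 *
 * Fix: every pr_info_ratelimited() format now ends in '\n'; without the
 * terminator consecutive log messages run together.
 */
static int secmark_tg_check(const struct xt_tgchk_param *par)
{
	struct xt_secmark_target_info *info = par->targinfo;
	int err;

	if (strcmp(par->table, "mangle") != 0 &&
	    strcmp(par->table, "security") != 0) {
		pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
				    par->table);
		return -EINVAL;
	}

	/* All rules in the module must share one mode; see @mode. */
	if (mode && mode != info->mode) {
		pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
				    mode, info->mode);
		return -EINVAL;
	}

	/* info->mode is userspace-controlled: accept only known values. */
	switch (info->mode) {
	case SECMARK_MODE_SEL:
		break;
	default:
		pr_info_ratelimited("invalid mode: %hu\n", info->mode);
		return -EINVAL;
	}

	err = checkentry_lsm(info);
	if (err)
		return err;

	/* Commit the mode only for a fully validated and authorized rule. */
	if (!mode)
		mode = info->mode;
	return 0;
}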
/*
 * secmark_tg_destroy - rule teardown.
 *
 * Releases the LSM reference taken by security_secmark_refcount_inc() in
 * checkentry_lsm(). Keyed on the module-wide @mode rather than the rule's
 * own mode: secmark_tg_check() only admits rules whose mode equals @mode,
 * so the two agree for every rule that reaches here. @mode itself is left
 * untouched. @par is not consulted.
 */
static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
{
	if (mode == SECMARK_MODE_SEL)
		security_secmark_refcount_dec();
}
/*
 * xtables registration record for the "SECMARK" target. NFPROTO_UNSPEC
 * makes one registration serve both IPv4 and IPv6 (see the ipt_SECMARK /
 * ip6t_SECMARK module aliases above). .checkentry performs the per-rule
 * validation and LSM authorization; .target is the per-packet hook.
 */
static struct xt_target secmark_tg_reg __read_mostly = {
	.name       = "SECMARK",
	.revision   = 0,
	.family     = NFPROTO_UNSPEC,
	.checkentry = secmark_tg_check,
	.destroy    = secmark_tg_destroy,
	.target     = secmark_tg,
	/* Size of the userspace-supplied per-rule blob checked by xtables. */
	.targetsize = sizeof(struct xt_secmark_target_info),
	.me         = THIS_MODULE,
};
/*
 * Module entry point: registers the SECMARK target with x_tables. No LSM
 * work happens here; that is done per rule in secmark_tg_check().
 */
static int __init secmark_tg_init(void)
{
	return xt_register_target(&secmark_tg_reg);
}
/* Module exit: drops the target registration made in secmark_tg_init(). */
static void __exit secmark_tg_exit(void)
{
	xt_unregister_target(&secmark_tg_reg);
}
/* Registering and unregistering the target is the module's whole lifecycle. */
module_init(secmark_tg_init);
module_exit(secmark_tg_exit);