net/netfilter/xt_SECMARK.c
/*
 * Module for modifying the secmark field of the skb, for use by
 * security subsystems.
 *
 * Based on the nfmark match by:
 * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
 *
 * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 */
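/* Every pr_*() call in this file is prefixed with the module name. */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/security.h>
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_SECMARK.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
MODULE_DESCRIPTION("Xtables: packet security mark modification");
MODULE_ALIAS("ipt_SECMARK");
MODULE_ALIAS("ip6t_SECMARK");

/*
 * Module-wide SECMARK mode. Zero until the first rule passes
 * secmark_tg_check(), which then locks the module to that rule's mode;
 * later rules must use the same mode. Nothing in this file ever clears it
 * again (secmark_tg_destroy() does not reset it), so the module stays in
 * its chosen mode for the rest of its lifetime. It is read and written
 * without any locking visible here.
 */
static u8 mode;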
/*
 * Target hook: stamp skb->secmark with the secid that was resolved and
 * authorised when the rule was loaded.
 *
 * @skb: packet being processed; its secmark field is overwritten
 *       unconditionally.
 * @par: xtables action parameters; par->targinfo is the rule's
 *       struct xt_secmark_target_info as validated by secmark_tg_check().
 *
 * Returns XT_CONTINUE so rule traversal carries on.
 *
 * SECMARK_MODE_SEL is the only mode this revision understands;
 * secmark_tg_check() rejects any other mode and refuses to mix modes, so
 * both BUG paths below assert invariants rather than validate input. They
 * panic the kernel from the packet path if ever reached, so they must
 * never become reachable from user-controlled state.
 */
static unsigned int
secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
	const struct xt_secmark_target_info *info = par->targinfo;
	u32 new_mark = 0;

	BUG_ON(info->mode != mode);

	if (mode == SECMARK_MODE_SEL)
		new_mark = info->secid;
	else
		BUG();

	skb->secmark = new_mark;
	return XT_CONTINUE;
}
/*
 * Resolve and authorise the security context carried by a rule.
 *
 * @info: the rule's target info, straight from userspace. secctx is the
 *        caller-supplied context string; secid is an output and is always
 *        rewritten here, so a secid chosen by userspace is never trusted.
 *
 * Returns 0 on success, the error from security_secctx_to_secid() when the
 * context cannot be parsed, -ENOENT when it parses but maps to secid 0, or
 * the error from security_secmark_relabel_packet() when the LSM denies
 * relabeling to the resolved secid.
 *
 * On success the LSM secmark refcount has been taken; secmark_tg_destroy()
 * drops it. No refcount is held on any failure path.
 */
static int checkentry_lsm(struct xt_secmark_target_info *info)
{
	const char *ctx = info->secctx;
	int ret;

	/* secctx comes from userspace and may lack a terminator. */
	info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
	info->secid = 0;

	ret = security_secctx_to_secid(ctx, strlen(ctx), &info->secid);
	if (ret != 0) {
		if (ret == -EINVAL)
			pr_info("invalid security context \'%s\' ", ctx);
		return ret;
	}

	if (info->secid == 0) {
		pr_info("unable to map security context \'%s\' ", ctx);
		return -ENOENT;
	}

	ret = security_secmark_relabel_packet(info->secid);
	if (ret != 0) {
		pr_info("unable to obtain relabeling permission ");
		return ret;
	}

	security_secmark_refcount_inc();
	return 0;
}
/*
 * Rule-load validation for a SECMARK target instance.
 *
 * @par: xtables check parameters; par->table names the table the rule is
 *       being inserted into and par->targinfo is the rule's
 *       struct xt_secmark_target_info.
 *
 * Returns 0 on success; -EINVAL when the table is neither "mangle" nor
 * "security", when the rule's mode conflicts with the module-wide mode
 * already in force, or when the mode is unknown; otherwise the error from
 * checkentry_lsm().
 *
 * Ordering is deliberate: the module-wide mode is committed only after
 * checkentry_lsm() succeeds, so a rule that fails LSM validation never
 * locks the module into a mode. The mode variable is read and written
 * here without any locking visible in this file; with a single supported
 * mode every interleaving yields the same value, but a second mode would
 * need to revisit that.
 */
static int secmark_tg_check(const struct xt_tgchk_param *par)
{
	struct xt_secmark_target_info *info = par->targinfo;
	const char *table = par->table;
	int ret;

	if (!(strcmp(table, "mangle") == 0 || strcmp(table, "security") == 0)) {
		pr_info("target only valid in the \'mangle\' "
			"or \'security\' tables, not \'%s\'. ", table);
		return -EINVAL;
	}

	if (mode != 0 && info->mode != mode) {
		pr_info("mode already set to %hu cannot mix with "
			"rules for mode %hu ", mode, info->mode);
		return -EINVAL;
	}

	if (info->mode != SECMARK_MODE_SEL) {
		pr_info("invalid mode: %hu ", info->mode);
		return -EINVAL;
	}

	ret = checkentry_lsm(info);
	if (ret != 0)
		return ret;

	if (mode == 0)
		mode = info->mode;
	return 0;
}
/*
 * Rule teardown: release the LSM secmark refcount taken by checkentry_lsm().
 *
 * @par: xtables destructor parameters; unused, since the only per-module
 *       state consulted is the mode variable.
 *
 * This is the balancing decrement for the increment made when the rule was
 * checked in. It does not reset the module-wide mode, so the module stays
 * locked to its mode even after the last rule is gone.
 */
static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
{
	if (mode == SECMARK_MODE_SEL)
		security_secmark_refcount_dec();
}
/*
 * Registration record for the SECMARK target, revision 0.
 *
 * Registered with NFPROTO_UNSPEC, so one record serves every address
 * family (hence the ipt_/ip6t_ module aliases above). checkentry runs
 * at rule load, destroy at rule removal, and target on every packet that
 * hits the rule.
 */
static struct xt_target secmark_tg_reg __read_mostly = {
	.name       = "SECMARK",
	.revision   = 0,
	.family     = NFPROTO_UNSPEC,
	.targetsize = sizeof(struct xt_secmark_target_info),
	.checkentry = secmark_tg_check,
	.target     = secmark_tg,
	.destroy    = secmark_tg_destroy,
	.me         = THIS_MODULE,
};
/*
 * Module entry point: register the SECMARK target with xtables.
 *
 * Returns 0 on success or the error from xt_register_target(), which makes
 * module load fail.
 */
static int __init secmark_tg_init(void)
{
	int ret = xt_register_target(&secmark_tg_reg);

	return ret;
}
/*
 * Module exit point: unregister the SECMARK target.
 *
 * Only the registration is undone here; the module-wide mode and the LSM
 * refcount are handled per rule by secmark_tg_check()/secmark_tg_destroy().
 */
static void __exit secmark_tg_exit(void)
{
	struct xt_target *reg = &secmark_tg_reg;

	xt_unregister_target(reg);
}
/* Register the target on load and unregister it on unload. */
module_init(secmark_tg_init);
module_exit(secmark_tg_exit);