Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 | /*
* Module for modifying the secmark field of the skb, for use by
* security subsystems.
*
* Based on the nfmark match by:
* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
*
* (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/selinux.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_SECMARK.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
MODULE_DESCRIPTION("Xtables: packet security mark modification");
MODULE_ALIAS("ipt_SECMARK");
MODULE_ALIAS("ip6t_SECMARK");
#define PFX "SECMARK: "
static u8 mode;
static unsigned int
secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
u32 secmark = 0;
const struct xt_secmark_target_info *info = par->targinfo;
BUG_ON(info->mode != mode);
switch (mode) {
case SECMARK_MODE_SEL:
secmark = info->u.sel.selsid;
break;
default:
BUG();
}
skb->secmark = secmark;
return XT_CONTINUE;
}
static bool checkentry_selinux(struct xt_secmark_target_info *info)
{
int err;
struct xt_secmark_target_selinux_info *sel = &info->u.sel;
sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
err = selinux_string_to_sid(sel->selctx, &sel->selsid);
if (err) {
if (err == -EINVAL)
printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n",
sel->selctx);
return false;
}
if (!sel->selsid) {
printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n",
sel->selctx);
return false;
}
err = selinux_secmark_relabel_packet_permission(sel->selsid);
if (err) {
printk(KERN_INFO PFX "unable to obtain relabeling permission\n");
return false;
}
selinux_secmark_refcount_inc();
return true;
}
static bool secmark_tg_check(const struct xt_tgchk_param *par)
{
struct xt_secmark_target_info *info = par->targinfo;
if (strcmp(par->table, "mangle") != 0 &&
strcmp(par->table, "security") != 0) {
printk(KERN_INFO PFX "target only valid in the \'mangle\' "
"or \'security\' tables, not \'%s\'.\n", par->table);
return false;
}
if (mode && mode != info->mode) {
printk(KERN_INFO PFX "mode already set to %hu cannot mix with "
"rules for mode %hu\n", mode, info->mode);
return false;
}
switch (info->mode) {
case SECMARK_MODE_SEL:
if (!checkentry_selinux(info))
return false;
break;
default:
printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
return false;
}
if (!mode)
mode = info->mode;
return true;
}
static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
{
switch (mode) {
case SECMARK_MODE_SEL:
selinux_secmark_refcount_dec();
}
}
static struct xt_target secmark_tg_reg __read_mostly = {
.name = "SECMARK",
.revision = 0,
.family = NFPROTO_UNSPEC,
.checkentry = secmark_tg_check,
.destroy = secmark_tg_destroy,
.target = secmark_tg,
.targetsize = sizeof(struct xt_secmark_target_info),
.me = THIS_MODULE,
};
static int __init secmark_tg_init(void)
{
return xt_register_target(&secmark_tg_reg);
}
static void __exit secmark_tg_exit(void)
{
xt_unregister_target(&secmark_tg_reg);
}
module_init(secmark_tg_init);
module_exit(secmark_tg_exit);
|