Commit | Line | Data |
---|---|---|
5e6874cd JM |
1 | /* |
2 | * Module for modifying the secmark field of the skb, for use by | |
3 | * security subsystems. | |
4 | * | |
5 | * Based on the nfmark match by: | |
6 | * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> | |
7 | * | |
8 | * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com> | |
9 | * | |
10 | * This program is free software; you can redistribute it and/or modify | |
11 | * it under the terms of the GNU General Public License version 2 as | |
12 | * published by the Free Software Foundation. | |
13 | * | |
14 | */ | |
15 | #include <linux/module.h> | |
16 | #include <linux/skbuff.h> | |
17 | #include <linux/selinux.h> | |
18 | #include <linux/netfilter/x_tables.h> | |
19 | #include <linux/netfilter/xt_SECMARK.h> | |
20 | ||
21 | MODULE_LICENSE("GPL"); | |
22 | MODULE_AUTHOR("James Morris <jmorris@redhat.com>"); | |
23 | MODULE_DESCRIPTION("ip[6]tables SECMARK modification module"); | |
24 | MODULE_ALIAS("ipt_SECMARK"); | |
25 | MODULE_ALIAS("ip6t_SECMARK"); | |
26 | ||
27 | #define PFX "SECMARK: " | |
28 | ||
29 | static u8 mode; | |
30 | ||
31 | static unsigned int target(struct sk_buff **pskb, const struct net_device *in, | |
32 | const struct net_device *out, unsigned int hooknum, | |
33 | const struct xt_target *target, | |
fe1cb108 | 34 | const void *targinfo) |
5e6874cd JM |
35 | { |
36 | u32 secmark = 0; | |
37 | const struct xt_secmark_target_info *info = targinfo; | |
38 | ||
39 | BUG_ON(info->mode != mode); | |
40 | ||
41 | switch (mode) { | |
42 | case SECMARK_MODE_SEL: | |
43 | secmark = info->u.sel.selsid; | |
44 | break; | |
45 | ||
46 | default: | |
47 | BUG(); | |
48 | } | |
49 | ||
50 | if ((*pskb)->secmark != secmark) | |
51 | (*pskb)->secmark = secmark; | |
52 | ||
53 | return XT_CONTINUE; | |
54 | } | |
55 | ||
56 | static int checkentry_selinux(struct xt_secmark_target_info *info) | |
57 | { | |
58 | int err; | |
59 | struct xt_secmark_target_selinux_info *sel = &info->u.sel; | |
a280b899 JM |
60 | |
61 | sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0'; | |
5e6874cd JM |
62 | |
63 | err = selinux_string_to_sid(sel->selctx, &sel->selsid); | |
64 | if (err) { | |
65 | if (err == -EINVAL) | |
66 | printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n", | |
67 | sel->selctx); | |
68 | return 0; | |
69 | } | |
70 | ||
71 | if (!sel->selsid) { | |
72 | printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n", | |
73 | sel->selctx); | |
74 | return 0; | |
75 | } | |
76 | ||
77 | err = selinux_relabel_packet_permission(sel->selsid); | |
78 | if (err) { | |
79 | printk(KERN_INFO PFX "unable to obtain relabeling permission\n"); | |
80 | return 0; | |
81 | } | |
82 | ||
83 | return 1; | |
84 | } | |
85 | ||
86 | static int checkentry(const char *tablename, const void *entry, | |
87 | const struct xt_target *target, void *targinfo, | |
efa74165 | 88 | unsigned int hook_mask) |
5e6874cd JM |
89 | { |
90 | struct xt_secmark_target_info *info = targinfo; | |
91 | ||
92 | if (mode && mode != info->mode) { | |
93 | printk(KERN_INFO PFX "mode already set to %hu cannot mix with " | |
94 | "rules for mode %hu\n", mode, info->mode); | |
95 | return 0; | |
96 | } | |
97 | ||
98 | switch (info->mode) { | |
99 | case SECMARK_MODE_SEL: | |
100 | if (!checkentry_selinux(info)) | |
101 | return 0; | |
102 | break; | |
103 | ||
104 | default: | |
105 | printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode); | |
106 | return 0; | |
107 | } | |
108 | ||
109 | if (!mode) | |
110 | mode = info->mode; | |
111 | return 1; | |
112 | } | |
113 | ||
4470bbc7 PM |
114 | static struct xt_target xt_secmark_target = { |
115 | { | |
116 | .name = "SECMARK", | |
117 | .family = AF_INET, | |
118 | .checkentry = checkentry, | |
119 | .target = target, | |
120 | .targetsize = sizeof(struct xt_secmark_target_info), | |
121 | .table = "mangle", | |
122 | .me = THIS_MODULE, | |
123 | }, | |
124 | { | |
125 | .name = "SECMARK", | |
126 | .family = AF_INET6, | |
127 | .checkentry = checkentry, | |
128 | .target = target, | |
129 | .targetsize = sizeof(struct xt_secmark_target_info), | |
130 | .table = "mangle", | |
131 | .me = THIS_MODULE, | |
132 | }, | |
5e6874cd JM |
133 | }; |
134 | ||
135 | static int __init xt_secmark_init(void) | |
136 | { | |
4470bbc7 PM |
137 | return xt_register_targets(xt_secmark_target, |
138 | ARRAY_SIZE(xt_secmark_target)); | |
5e6874cd JM |
139 | } |
140 | ||
141 | static void __exit xt_secmark_fini(void) | |
142 | { | |
4470bbc7 | 143 | xt_unregister_targets(xt_secmark_target, ARRAY_SIZE(xt_secmark_target)); |
5e6874cd JM |
144 | } |
145 | ||
146 | module_init(xt_secmark_init); | |
147 | module_exit(xt_secmark_fini); |