net/netfilter/xt_SECMARK.c at v5.11

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / net / netfilter / xt_SECMARK.c
at v5.11 141 lines 3.2 kB view raw
wrap content
  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * Module for modifying the secmark field of the skb, for use by
  4 * security subsystems.
  5 *
  6 * Based on the nfmark match by:
  7 * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
  8 *
  9 * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
 10 */
 11#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 12#include <linux/module.h>
 13#include <linux/security.h>
 14#include <linux/skbuff.h>
 15#include <linux/netfilter/x_tables.h>
 16#include <linux/netfilter/xt_SECMARK.h>
 17
 18MODULE_LICENSE("GPL");
 19MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
 20MODULE_DESCRIPTION("Xtables: packet security mark modification");
 21MODULE_ALIAS("ipt_SECMARK");
 22MODULE_ALIAS("ip6t_SECMARK");
 23
 24static u8 mode;
 25
 26static unsigned int
 27secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 28{
 29	u32 secmark = 0;
 30	const struct xt_secmark_target_info *info = par->targinfo;
 31
 32	switch (mode) {
 33	case SECMARK_MODE_SEL:
 34		secmark = info->secid;
 35		break;
 36	default:
 37		BUG();
 38	}
 39
 40	skb->secmark = secmark;
 41	return XT_CONTINUE;
 42}
 43
 44static int checkentry_lsm(struct xt_secmark_target_info *info)
 45{
 46	int err;
 47
 48	info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
 49	info->secid = 0;
 50
 51	err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
 52				       &info->secid);
 53	if (err) {
 54		if (err == -EINVAL)
 55			pr_info_ratelimited("invalid security context \'%s\'\n",
 56					    info->secctx);
 57		return err;
 58	}
 59
 60	if (!info->secid) {
 61		pr_info_ratelimited("unable to map security context \'%s\'\n",
 62				    info->secctx);
 63		return -ENOENT;
 64	}
 65
 66	err = security_secmark_relabel_packet(info->secid);
 67	if (err) {
 68		pr_info_ratelimited("unable to obtain relabeling permission\n");
 69		return err;
 70	}
 71
 72	security_secmark_refcount_inc();
 73	return 0;
 74}
 75
 76static int secmark_tg_check(const struct xt_tgchk_param *par)
 77{
 78	struct xt_secmark_target_info *info = par->targinfo;
 79	int err;
 80
 81	if (strcmp(par->table, "mangle") != 0 &&
 82	    strcmp(par->table, "security") != 0) {
 83		pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
 84				    par->table);
 85		return -EINVAL;
 86	}
 87
 88	if (mode && mode != info->mode) {
 89		pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
 90				    mode, info->mode);
 91		return -EINVAL;
 92	}
 93
 94	switch (info->mode) {
 95	case SECMARK_MODE_SEL:
 96		break;
 97	default:
 98		pr_info_ratelimited("invalid mode: %hu\n", info->mode);
 99		return -EINVAL;
100	}
101
102	err = checkentry_lsm(info);
103	if (err)
104		return err;
105
106	if (!mode)
107		mode = info->mode;
108	return 0;
109}
110
111static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
112{
113	switch (mode) {
114	case SECMARK_MODE_SEL:
115		security_secmark_refcount_dec();
116	}
117}
118
119static struct xt_target secmark_tg_reg __read_mostly = {
120	.name       = "SECMARK",
121	.revision   = 0,
122	.family     = NFPROTO_UNSPEC,
123	.checkentry = secmark_tg_check,
124	.destroy    = secmark_tg_destroy,
125	.target     = secmark_tg,
126	.targetsize = sizeof(struct xt_secmark_target_info),
127	.me         = THIS_MODULE,
128};
129
130static int __init secmark_tg_init(void)
131{
132	return xt_register_target(&secmark_tg_reg);
133}
134
135static void __exit secmark_tg_exit(void)
136{
137	xt_unregister_target(&secmark_tg_reg);
138}
139
140module_init(secmark_tg_init);
141module_exit(secmark_tg_exit);
Configure Feed

Configure Feed
