
conntrack: export lsm context rather than internal secid via netlink

The conntrack code can export the internal secid to userspace. These are
dynamic, can change on lsm changes, and have no meaning in userspace. We
should instead be sending lsm contexts to userspace. This patch sends
the secctx (rather than secid) to userspace over the netlink socket. We use a
new field CTA_SECCTX and stop using the old CTA_SECMARK field since it did
not send particularly useful information.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: James Morris <jmorris@namei.org>

authored by

Eric Paris and committed by
James Morris
1cc63249 d5630b9d

+45 -11
+36 -10
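--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -22,6 +22,7 @@
 #include <linux/rculist_nulls.h>
 #include <linux/types.h>
 #include <linux/timer.h>
+#include <linux/security.h>
 #include <linux/skbuff.h>
 #include <linux/errno.h>
 #include <linux/netlink.h>
@@ -246,16 +245,31 @@
 
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
 static inline int
-ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
+ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 {
-	NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark));
-	return 0;
+	struct nlattr *nest_secctx;
+	int len, ret;
+	char *secctx;
 
+	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+	if (ret)
+		return ret;
+
+	ret = -1;
+	nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
+	if (!nest_secctx)
+		goto nla_put_failure;
+
+	NLA_PUT_STRING(skb, CTA_SECCTX_NAME, secctx);
+	nla_nest_end(skb, nest_secctx);
+
+	ret = 0;
 nla_put_failure:
-	return -1;
+	security_release_secctx(secctx, len);
+	return ret;
 }
 #else
-#define ctnetlink_dump_secmark(a, b) (0)
+#define ctnetlink_dump_secctx(a, b) (0)
 #endif
 
 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
@@ -407,7 +391,7 @@
 	    ctnetlink_dump_protoinfo(skb, ct) < 0 ||
 	    ctnetlink_dump_helpinfo(skb, ct) < 0 ||
 	    ctnetlink_dump_mark(skb, ct) < 0 ||
-	    ctnetlink_dump_secmark(skb, ct) < 0 ||
+	    ctnetlink_dump_secctx(skb, ct) < 0 ||
 	    ctnetlink_dump_id(skb, ct) < 0 ||
 	    ctnetlink_dump_use(skb, ct) < 0 ||
 	    ctnetlink_dump_master(skb, ct) < 0 ||
@@ -453,6 +437,17 @@
 	;
 }
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static int ctnetlink_nlmsg_secctx_size(const struct nf_conn *ct)
+{
+	int len;
+
+	security_secid_to_secctx(ct->secmark, NULL, &len);
+
+	return sizeof(char) * len;
+}
+#endif
+
 static inline size_t
 ctnetlink_nlmsg_size(const struct nf_conn *ct)
 {
@@ -480,7 +453,8 @@
 	       + nla_total_size(0) /* CTA_HELP */
 	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
-	       + nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */
+	       + nla_total_size(0) /* CTA_SECCTX */
+	       + nla_total_size(ctnetlink_nlmsg_secctx_size(ct)) /* CTA_SECCTX_NAME */
 #endif
 #ifdef CONFIG_NF_NAT_NEEDED
 	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
@@ -582,11 +554,9 @@
 	    && ctnetlink_dump_helpinfo(skb, ct) < 0)
 		goto nla_put_failure;
 
-#ifdef CONFIG_NF_CONNTRACK_SECMARK
 	if ((events & (1 << IPCT_SECMARK) || ct->secmark)
-	    && ctnetlink_dump_secmark(skb, ct) < 0)
+	    && ctnetlink_dump_secctx(skb, ct) < 0)
 		goto nla_put_failure;
-#endif
 
 	if (events & (1 << IPCT_RELATED) &&
 	    ctnetlink_dump_master(skb, ct) < 0)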
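Review bot: ctnetlink_nlmsg_secctx_size() in the fourth hunk ignores the return value of security_secid_to_secctx(), so when the LSM returns an error `len` is never written and an uninitialized int is multiplied and handed to nla_total_size() in ctnetlink_nlmsg_size(), which presumably sizes the skb that the dump is built into; a garbage length can be negative or far too large. Checking the result and contributing nothing on failure is enough: `int len, ret;`, `ret = security_secid_to_secctx(ct->secmark, NULL, &len);`, `if (ret) return 0;`. If security_secid_to_secctx() takes its length parameter as `u32 *`, as its declaration in linux/security.h does, `len` in both this helper and ctnetlink_dump_secctx() should be `u32` rather than `int` to avoid the pointer-sign mismatch. Separately, the last hunk drops the `#ifdef CONFIG_NF_CONNTRACK_SECMARK` around the `ct->secmark` test in the event path; if `secmark` is only a member of struct nf_conn under that option, the file no longer builds with it disabled, and the guard should stay even though the dump helper itself is stubbed out.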