net/netfilter/xt_SECMARK.c

   1 /*
   2  * Module for modifying the secmark field of the skb, for use by
   3  * security subsystems.
   4  *
   5  * Based on the nfmark match by:
   6  * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
   7  *
   8  * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
   9  *
  10  * This program is free software; you can redistribute it and/or modify
  11  * it under the terms of the GNU General Public License version 2 as
  12  * published by the Free Software Foundation.
  13  *
  14  */
  15 #include <linux/module.h>
  16 #include <linux/skbuff.h>
  17 #include <linux/selinux.h>
  18 #include <linux/netfilter/x_tables.h>
  19 #include <linux/netfilter/xt_SECMARK.h>
  20
  21 MODULE_LICENSE("GPL");
  22 MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
  23 MODULE_DESCRIPTION("Xtables: packet security mark modification");
  24 MODULE_ALIAS("ipt_SECMARK");
  25 MODULE_ALIAS("ip6t_SECMARK");
  26
  27 #define PFX "SECMARK: "
  28
  29 static u8 mode;
  30
  31 static unsigned int
  32 secmark_tg(struct sk_buff *skb, const struct net_device *in,
  33            const struct net_device *out, unsigned int hooknum,
  34            const struct xt_target *target, const void *targinfo)
  35 {
  36         u32 secmark = 0;
  37         const struct xt_secmark_target_info *info = targinfo;
  38
  39         BUG_ON(info->mode != mode);
  40
  41         switch (mode) {
  42         case SECMARK_MODE_SEL:
  43                 secmark = info->u.sel.selsid;
  44                 break;
  45
  46         default:
  47                 BUG();
  48         }
  49
  50         skb->secmark = secmark;
  51         return XT_CONTINUE;
  52 }
  53
  54 static bool checkentry_selinux(struct xt_secmark_target_info *info)
  55 {
  56         int err;
  57         struct xt_secmark_target_selinux_info *sel = &info->u.sel;
  58
  59         sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
  60
  61         err = selinux_string_to_sid(sel->selctx, &sel->selsid);
  62         if (err) {
  63                 if (err == -EINVAL)
  64                         printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n",
  65                                sel->selctx);
  66                 return false;
  67         }
  68
  69         if (!sel->selsid) {
  70                 printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n",
  71                        sel->selctx);
  72                 return false;
  73         }
  74
  75         err = selinux_secmark_relabel_packet_permission(sel->selsid);
  76         if (err) {
  77                 printk(KERN_INFO PFX "unable to obtain relabeling permission\n");
  78                 return false;
  79         }
  80
  81         selinux_secmark_refcount_inc();
  82         return true;
  83 }
  84
  85 static bool
  86 secmark_tg_check(const char *tablename, const void *entry,
  87                  const struct xt_target *target, void *targinfo,
  88                  unsigned int hook_mask)
  89 {
  90         struct xt_secmark_target_info *info = targinfo;
  91
  92         if (mode && mode != info->mode) {
  93                 printk(KERN_INFO PFX "mode already set to %hu cannot mix with "
  94                        "rules for mode %hu\n", mode, info->mode);
  95                 return false;
  96         }
  97
  98         switch (info->mode) {
  99         case SECMARK_MODE_SEL:
 100                 if (!checkentry_selinux(info))
 101                         return false;
 102                 break;
 103
 104         default:
 105                 printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
 106                 return false;
 107         }
 108
 109         if (!mode)
 110                 mode = info->mode;
 111         return true;
 112 }
 113
 114 static void secmark_tg_destroy(const struct xt_target *target, void *targinfo)
 115 {
 116         switch (mode) {
 117         case SECMARK_MODE_SEL:
 118                 selinux_secmark_refcount_dec();
 119         }
 120 }
 121
 122 static struct xt_target secmark_tg_reg[] __read_mostly = {
 123         {
 124                 .name           = "SECMARK",
 125                 .family         = AF_INET,
 126                 .checkentry     = secmark_tg_check,
 127                 .destroy        = secmark_tg_destroy,
 128                 .target         = secmark_tg,
 129                 .targetsize     = sizeof(struct xt_secmark_target_info),
 130                 .table          = "mangle",
 131                 .me             = THIS_MODULE,
 132         },
 133         {
 134                 .name           = "SECMARK",
 135                 .family         = AF_INET6,
 136                 .checkentry     = secmark_tg_check,
 137                 .destroy        = secmark_tg_destroy,
 138                 .target         = secmark_tg,
 139                 .targetsize     = sizeof(struct xt_secmark_target_info),
 140                 .table          = "mangle",
 141                 .me             = THIS_MODULE,
 142         },
 143 };
 144
 145 static int __init secmark_tg_init(void)
 146 {
 147         return xt_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
 148 }
 149
 150 static void __exit secmark_tg_exit(void)
 151 {
 152         xt_unregister_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
 153 }
 154
 155 module_init(secmark_tg_init);
 156 module_exit(secmark_tg_exit);