1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Module for modifying the secmark field of the skb, for use by 4 * security subsystems. 5 * 6 * Based on the nfmark match by: 7 * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> 8 * 9 * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 10 */ 11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 12 #include <linux/module.h> 13 #include <linux/security.h> 14 #include <linux/skbuff.h> 15 #include <linux/netfilter/x_tables.h> 16 #include <linux/netfilter/xt_SECMARK.h> 17 18 MODULE_LICENSE("GPL"); 19 MODULE_AUTHOR("James Morris <jmorris@redhat.com>"); 20 MODULE_DESCRIPTION("Xtables: packet security mark modification"); 21 MODULE_ALIAS("ipt_SECMARK"); 22 MODULE_ALIAS("ip6t_SECMARK"); 23 24 static u8 mode; 25 26 static unsigned int 27 secmark_tg(struct sk_buff *skb, const struct xt_action_param *par) 28 { 29 u32 secmark = 0; 30 const struct xt_secmark_target_info *info = par->targinfo; 31 32 switch (mode) { 33 case SECMARK_MODE_SEL: 34 secmark = info->secid; 35 break; 36 default: 37 BUG(); 38 } 39 40 skb->secmark = secmark; 41 return XT_CONTINUE; 42 } 43 44 static int checkentry_lsm(struct xt_secmark_target_info *info) 45 { 46 int err; 47 48 info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; 49 info->secid = 0; 50 51 err = security_secctx_to_secid(info->secctx, strlen(info->secctx), 52 &info->secid); 53 if (err) { 54 if (err == -EINVAL) 55 pr_info_ratelimited("invalid security context \'%s\'\n", 56 info->secctx); 57 return err; 58 } 59 60 if (!info->secid) { 61 pr_info_ratelimited("unable to map security context \'%s\'\n", 62 info->secctx); 63 return -ENOENT; 64 } 65 66 err = security_secmark_relabel_packet(info->secid); 67 if (err) { 68 pr_info_ratelimited("unable to obtain relabeling permission\n"); 69 return err; 70 } 71 72 security_secmark_refcount_inc(); 73 return 0; 74 } 75 76 static int secmark_tg_check(const struct xt_tgchk_param *par) 77 { 78 struct xt_secmark_target_info *info = par->targinfo; 79 int err; 80 81 if (strcmp(par->table, "mangle") != 0 && 82 strcmp(par->table, "security") != 0) { 83 pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n", 84 par->table); 85 return -EINVAL; 86 } 87 88 if (mode && mode != info->mode) { 89 pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n", 90 mode, info->mode); 91 return -EINVAL; 92 } 93 94 switch (info->mode) { 95 case SECMARK_MODE_SEL: 96 break; 97 default: 98 pr_info_ratelimited("invalid mode: %hu\n", info->mode); 99 return -EINVAL; 100 } 101 102 err = checkentry_lsm(info); 103 if (err) 104 return err; 105 106 if (!mode) 107 mode = info->mode; 108 return 0; 109 } 110 111 static void secmark_tg_destroy(const struct xt_tgdtor_param *par) 112 { 113 switch (mode) { 114 case SECMARK_MODE_SEL: 115 security_secmark_refcount_dec(); 116 } 117 } 118 119 static struct xt_target secmark_tg_reg __read_mostly = { 120 .name = "SECMARK", 121 .revision = 0, 122 .family = NFPROTO_UNSPEC, 123 .checkentry = secmark_tg_check, 124 .destroy = secmark_tg_destroy, 125 .target = secmark_tg, 126 .targetsize = sizeof(struct xt_secmark_target_info), 127 .me = THIS_MODULE, 128 }; 129 130 static int __init secmark_tg_init(void) 131 { 132 return xt_register_target(&secmark_tg_reg); 133 } 134 135 static void __exit secmark_tg_exit(void) 136 { 137 xt_unregister_target(&secmark_tg_reg); 138 } 139 140 module_init(secmark_tg_init); 141 module_exit(secmark_tg_exit); 142