1 /* 2 * Module for modifying the secmark field of the skb, for use by 3 * security subsystems. 4 * 5 * Based on the nfmark match by: 6 * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> 7 * 8 * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com> 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 as 12 * published by the Free Software Foundation. 13 * 14 */ 15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 16 #include <linux/module.h> 17 #include <linux/skbuff.h> 18 #include <linux/selinux.h> 19 #include <linux/netfilter/x_tables.h> 20 #include <linux/netfilter/xt_SECMARK.h> 21 22 MODULE_LICENSE("GPL"); 23 MODULE_AUTHOR("James Morris <jmorris@redhat.com>"); 24 MODULE_DESCRIPTION("Xtables: packet security mark modification"); 25 MODULE_ALIAS("ipt_SECMARK"); 26 MODULE_ALIAS("ip6t_SECMARK"); 27 28 #define PFX "SECMARK: " 29 30 static u8 mode; 31 32 static unsigned int 33 secmark_tg(struct sk_buff *skb, const struct xt_target_param *par) 34 { 35 u32 secmark = 0; 36 const struct xt_secmark_target_info *info = par->targinfo; 37 38 BUG_ON(info->mode != mode); 39 40 switch (mode) { 41 case SECMARK_MODE_SEL: 42 secmark = info->u.sel.selsid; 43 break; 44 45 default: 46 BUG(); 47 } 48 49 skb->secmark = secmark; 50 return XT_CONTINUE; 51 } 52 53 static bool checkentry_selinux(struct xt_secmark_target_info *info) 54 { 55 int err; 56 struct xt_secmark_target_selinux_info *sel = &info->u.sel; 57 58 sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0'; 59 60 err = selinux_string_to_sid(sel->selctx, &sel->selsid); 61 if (err) { 62 if (err == -EINVAL) 63 pr_info("invalid SELinux context \'%s\'\n", 64 sel->selctx); 65 return false; 66 } 67 68 if (!sel->selsid) { 69 pr_info("unable to map SELinux context \'%s\'\n", sel->selctx); 70 return false; 71 } 72 73 err = selinux_secmark_relabel_packet_permission(sel->selsid); 74 if (err) { 75 pr_info("unable to obtain relabeling permission\n"); 76 return false; 77 } 78 79 selinux_secmark_refcount_inc(); 80 return true; 81 } 82 83 static bool secmark_tg_check(const struct xt_tgchk_param *par) 84 { 85 struct xt_secmark_target_info *info = par->targinfo; 86 87 if (strcmp(par->table, "mangle") != 0 && 88 strcmp(par->table, "security") != 0) { 89 pr_info("target only valid in the \'mangle\' " 90 "or \'security\' tables, not \'%s\'.\n", par->table); 91 return false; 92 } 93 94 if (mode && mode != info->mode) { 95 pr_info("mode already set to %hu cannot mix with " 96 "rules for mode %hu\n", mode, info->mode); 97 return false; 98 } 99 100 switch (info->mode) { 101 case SECMARK_MODE_SEL: 102 if (!checkentry_selinux(info)) 103 return false; 104 break; 105 106 default: 107 pr_info("invalid mode: %hu\n", info->mode); 108 return false; 109 } 110 111 if (!mode) 112 mode = info->mode; 113 return true; 114 } 115 116 static void secmark_tg_destroy(const struct xt_tgdtor_param *par) 117 { 118 switch (mode) { 119 case SECMARK_MODE_SEL: 120 selinux_secmark_refcount_dec(); 121 } 122 } 123 124 static struct xt_target secmark_tg_reg __read_mostly = { 125 .name = "SECMARK", 126 .revision = 0, 127 .family = NFPROTO_UNSPEC, 128 .checkentry = secmark_tg_check, 129 .destroy = secmark_tg_destroy, 130 .target = secmark_tg, 131 .targetsize = sizeof(struct xt_secmark_target_info), 132 .me = THIS_MODULE, 133 }; 134 135 static int __init secmark_tg_init(void) 136 { 137 return xt_register_target(&secmark_tg_reg); 138 } 139 140 static void __exit secmark_tg_exit(void) 141 { 142 xt_unregister_target(&secmark_tg_reg); 143 } 144 145 module_init(secmark_tg_init); 146 module_exit(secmark_tg_exit); 147