Skip to content

Commit

Permalink
---
Browse files Browse the repository at this point in the history
yaml
---
r: 102701
b: refs/heads/master
c: 560ee65
h: refs/heads/master
i:
  102699: 49622af
v: v3
  • Loading branch information
James Morris authored and David S. Miller committed Jun 9, 2008
1 parent 37d556a commit b284cc7
Show file tree
Hide file tree
Showing 8 changed files with 210 additions and 7 deletions.
2 changes: 1 addition & 1 deletion [refs]
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
refs/heads/master: a258860e01b80e8f554a4ab1a6c95e6042eb8b73
refs/heads/master: 560ee653b67074b805f1b661988a72a0e58811a5
1 change: 1 addition & 0 deletions trunk/include/linux/netfilter_ipv4.h
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ enum nf_ip_hook_priorities {
NF_IP_PRI_MANGLE = -150,
NF_IP_PRI_NAT_DST = -100,
NF_IP_PRI_FILTER = 0,
NF_IP_PRI_SECURITY = 50,
NF_IP_PRI_NAT_SRC = 100,
NF_IP_PRI_SELINUX_LAST = 225,
NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
Expand Down
1 change: 1 addition & 0 deletions trunk/include/net/netns/ipv4.h
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ struct netns_ipv4 {
struct xt_table *iptable_mangle;
struct xt_table *iptable_raw;
struct xt_table *arptable_filter;
struct xt_table *iptable_security;
#endif

int sysctl_icmp_echo_ignore_all;
Expand Down
12 changes: 12 additions & 0 deletions trunk/net/ipv4/netfilter/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -365,6 +365,18 @@ config IP_NF_RAW
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
tristate "Security table"
depends on IP_NF_IPTABLES
depends on SECURITY
default m if NETFILTER_ADVANCED=n
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.

If unsure, say N.

# ARP tables
config IP_NF_ARPTABLES
tristate "ARP tables support"
Expand Down
1 change: 1 addition & 0 deletions trunk/net/ipv4/netfilter/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
obj-$(CONFIG_NF_NAT) += iptable_nat.o
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o

# matches
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
Expand Down
180 changes: 180 additions & 0 deletions trunk/net/ipv4/netfilter/iptable_security.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,180 @@
/*
* "security" table
*
* This is for use by Mandatory Access Control (MAC) security models,
* which need to be able to manage security policy in separate context
* to DAC.
*
* Based on iptable_mangle.c
*
* Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
* Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
* Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <net/ip.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
MODULE_DESCRIPTION("iptables security table, for MAC rules");

#define SECURITY_VALID_HOOKS (1 << NF_INET_LOCAL_IN) | \
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)

static struct
{
struct ipt_replace repl;
struct ipt_standard entries[3];
struct ipt_error term;
} initial_table __initdata = {
.repl = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.num_entries = 4,
.size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
.hook_entry = {
[NF_INET_LOCAL_IN] = 0,
[NF_INET_FORWARD] = sizeof(struct ipt_standard),
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
},
.underflow = {
[NF_INET_LOCAL_IN] = 0,
[NF_INET_FORWARD] = sizeof(struct ipt_standard),
[NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
},
},
.entries = {
IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
},
.term = IPT_ERROR_INIT, /* ERROR */
};

static struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.lock = __RW_LOCK_UNLOCKED(security_table.lock),
.me = THIS_MODULE,
.af = AF_INET,
};

static unsigned int
ipt_local_in_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
return ipt_do_table(skb, hook, in, out,
nf_local_in_net(in, out)->ipv4.iptable_security);
}

static unsigned int
ipt_forward_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
return ipt_do_table(skb, hook, in, out,
nf_forward_net(in, out)->ipv4.iptable_security);
}

static unsigned int
ipt_local_out_hook(unsigned int hook,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
/* Somebody is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
|| ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (net_ratelimit())
printk(KERN_INFO "iptable_security: ignoring short "
"SOCK_RAW packet.\n");
return NF_ACCEPT;
}
return ipt_do_table(skb, hook, in, out,
nf_local_out_net(in, out)->ipv4.iptable_security);
}

static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_local_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_SECURITY,
},
{
.hook = ipt_forward_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_SECURITY,
},
{
.hook = ipt_local_out_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_SECURITY,
},
};

static int __net_init iptable_security_net_init(struct net *net)
{
net->ipv4.iptable_security =
ipt_register_table(net, &security_table, &initial_table.repl);

if (IS_ERR(net->ipv4.iptable_security))
return PTR_ERR(net->ipv4.iptable_security);

return 0;
}

static void __net_exit iptable_security_net_exit(struct net *net)
{
ipt_unregister_table(net->ipv4.iptable_security);
}

static struct pernet_operations iptable_security_net_ops = {
.init = iptable_security_net_init,
.exit = iptable_security_net_exit,
};

static int __init iptable_security_init(void)
{
int ret;

ret = register_pernet_subsys(&iptable_security_net_ops);
if (ret < 0)
return ret;

ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
if (ret < 0)
goto cleanup_table;

return ret;

cleanup_table:
unregister_pernet_subsys(&iptable_security_net_ops);
return ret;
}

static void __exit iptable_security_fini(void)
{
nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
unregister_pernet_subsys(&iptable_security_net_ops);
}

module_init(iptable_security_init);
module_exit(iptable_security_fini);
10 changes: 7 additions & 3 deletions trunk/net/netfilter/xt_CONNSECMARK.c
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
* (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
Expand Down Expand Up @@ -94,6 +94,12 @@ connsecmark_tg_check(const char *tablename, const void *entry,
{
const struct xt_connsecmark_target_info *info = targinfo;

if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) {
printk(KERN_INFO PFX "target only valid in the \'mangle\' "
"or \'security\' tables, not \'%s\'.\n", tablename);
return false;
}

switch (info->mode) {
case CONNSECMARK_SAVE:
case CONNSECMARK_RESTORE:
Expand Down Expand Up @@ -126,7 +132,6 @@ static struct xt_target connsecmark_tg_reg[] __read_mostly = {
.destroy = connsecmark_tg_destroy,
.target = connsecmark_tg,
.targetsize = sizeof(struct xt_connsecmark_target_info),
.table = "mangle",
.me = THIS_MODULE,
},
{
Expand All @@ -136,7 +141,6 @@ static struct xt_target connsecmark_tg_reg[] __read_mostly = {
.destroy = connsecmark_tg_destroy,
.target = connsecmark_tg,
.targetsize = sizeof(struct xt_connsecmark_target_info),
.table = "mangle",
.me = THIS_MODULE,
},
};
Expand Down
10 changes: 7 additions & 3 deletions trunk/net/netfilter/xt_SECMARK.c
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
* Based on the nfmark match by:
* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
*
* (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
* (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
Expand Down Expand Up @@ -89,6 +89,12 @@ secmark_tg_check(const char *tablename, const void *entry,
{
struct xt_secmark_target_info *info = targinfo;

if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) {
printk(KERN_INFO PFX "target only valid in the \'mangle\' "
"or \'security\' tables, not \'%s\'.\n", tablename);
return false;
}

if (mode && mode != info->mode) {
printk(KERN_INFO PFX "mode already set to %hu cannot mix with "
"rules for mode %hu\n", mode, info->mode);
Expand Down Expand Up @@ -127,7 +133,6 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
.destroy = secmark_tg_destroy,
.target = secmark_tg,
.targetsize = sizeof(struct xt_secmark_target_info),
.table = "mangle",
.me = THIS_MODULE,
},
{
Expand All @@ -137,7 +142,6 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
.destroy = secmark_tg_destroy,
.target = secmark_tg,
.targetsize = sizeof(struct xt_secmark_target_info),
.table = "mangle",
.me = THIS_MODULE,
},
};
Expand Down

0 comments on commit b284cc7

Please sign in to comment.