1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Module for modifying the secmark field of the skb, for use by |
4 | * security subsystems. |
5 | * |
6 | * Based on the nfmark match by: |
7 | * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> |
8 | * |
9 | * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com> |
10 | */ |
11 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
12 | #include <linux/module.h> |
13 | #include <linux/security.h> |
14 | #include <linux/skbuff.h> |
15 | #include <linux/netfilter/x_tables.h> |
16 | #include <linux/netfilter/xt_SECMARK.h> |
17 | |
18 | MODULE_LICENSE("GPL" ); |
19 | MODULE_AUTHOR("James Morris <jmorris@redhat.com>" ); |
20 | MODULE_DESCRIPTION("Xtables: packet security mark modification" ); |
21 | MODULE_ALIAS("ipt_SECMARK" ); |
22 | MODULE_ALIAS("ip6t_SECMARK" ); |
23 | |
24 | static u8 mode; |
25 | |
26 | static unsigned int |
27 | secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info) |
28 | { |
29 | u32 secmark = 0; |
30 | |
31 | switch (mode) { |
32 | case SECMARK_MODE_SEL: |
33 | secmark = info->secid; |
34 | break; |
35 | default: |
36 | BUG(); |
37 | } |
38 | |
39 | skb->secmark = secmark; |
40 | return XT_CONTINUE; |
41 | } |
42 | |
43 | static int checkentry_lsm(struct xt_secmark_target_info_v1 *info) |
44 | { |
45 | int err; |
46 | |
47 | info->secctx[SECMARK_SECCTX_MAX - 1] = '\0'; |
48 | info->secid = 0; |
49 | |
50 | err = security_secctx_to_secid(secdata: info->secctx, strlen(info->secctx), |
51 | secid: &info->secid); |
52 | if (err) { |
53 | if (err == -EINVAL) |
54 | pr_info_ratelimited("invalid security context \'%s\'\n" , |
55 | info->secctx); |
56 | return err; |
57 | } |
58 | |
59 | if (!info->secid) { |
60 | pr_info_ratelimited("unable to map security context \'%s\'\n" , |
61 | info->secctx); |
62 | return -ENOENT; |
63 | } |
64 | |
65 | err = security_secmark_relabel_packet(secid: info->secid); |
66 | if (err) { |
67 | pr_info_ratelimited("unable to obtain relabeling permission\n" ); |
68 | return err; |
69 | } |
70 | |
71 | security_secmark_refcount_inc(); |
72 | return 0; |
73 | } |
74 | |
75 | static int |
76 | secmark_tg_check(const char *table, struct xt_secmark_target_info_v1 *info) |
77 | { |
78 | int err; |
79 | |
80 | if (strcmp(table, "mangle" ) != 0 && |
81 | strcmp(table, "security" ) != 0) { |
82 | pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n" , |
83 | table); |
84 | return -EINVAL; |
85 | } |
86 | |
87 | if (mode && mode != info->mode) { |
88 | pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n" , |
89 | mode, info->mode); |
90 | return -EINVAL; |
91 | } |
92 | |
93 | switch (info->mode) { |
94 | case SECMARK_MODE_SEL: |
95 | break; |
96 | default: |
97 | pr_info_ratelimited("invalid mode: %hu\n" , info->mode); |
98 | return -EINVAL; |
99 | } |
100 | |
101 | err = checkentry_lsm(info); |
102 | if (err) |
103 | return err; |
104 | |
105 | if (!mode) |
106 | mode = info->mode; |
107 | return 0; |
108 | } |
109 | |
110 | static void secmark_tg_destroy(const struct xt_tgdtor_param *par) |
111 | { |
112 | switch (mode) { |
113 | case SECMARK_MODE_SEL: |
114 | security_secmark_refcount_dec(); |
115 | } |
116 | } |
117 | |
118 | static int secmark_tg_check_v0(const struct xt_tgchk_param *par) |
119 | { |
120 | struct xt_secmark_target_info *info = par->targinfo; |
121 | struct xt_secmark_target_info_v1 newinfo = { |
122 | .mode = info->mode, |
123 | }; |
124 | int ret; |
125 | |
126 | memcpy(newinfo.secctx, info->secctx, SECMARK_SECCTX_MAX); |
127 | |
128 | ret = secmark_tg_check(table: par->table, info: &newinfo); |
129 | info->secid = newinfo.secid; |
130 | |
131 | return ret; |
132 | } |
133 | |
134 | static unsigned int |
135 | secmark_tg_v0(struct sk_buff *skb, const struct xt_action_param *par) |
136 | { |
137 | const struct xt_secmark_target_info *info = par->targinfo; |
138 | struct xt_secmark_target_info_v1 newinfo = { |
139 | .secid = info->secid, |
140 | }; |
141 | |
142 | return secmark_tg(skb, info: &newinfo); |
143 | } |
144 | |
145 | static int secmark_tg_check_v1(const struct xt_tgchk_param *par) |
146 | { |
147 | return secmark_tg_check(table: par->table, info: par->targinfo); |
148 | } |
149 | |
150 | static unsigned int |
151 | secmark_tg_v1(struct sk_buff *skb, const struct xt_action_param *par) |
152 | { |
153 | return secmark_tg(skb, info: par->targinfo); |
154 | } |
155 | |
156 | static struct xt_target secmark_tg_reg[] __read_mostly = { |
157 | { |
158 | .name = "SECMARK" , |
159 | .revision = 0, |
160 | .family = NFPROTO_UNSPEC, |
161 | .checkentry = secmark_tg_check_v0, |
162 | .destroy = secmark_tg_destroy, |
163 | .target = secmark_tg_v0, |
164 | .targetsize = sizeof(struct xt_secmark_target_info), |
165 | .me = THIS_MODULE, |
166 | }, |
167 | { |
168 | .name = "SECMARK" , |
169 | .revision = 1, |
170 | .family = NFPROTO_UNSPEC, |
171 | .checkentry = secmark_tg_check_v1, |
172 | .destroy = secmark_tg_destroy, |
173 | .target = secmark_tg_v1, |
174 | .targetsize = sizeof(struct xt_secmark_target_info_v1), |
175 | .usersize = offsetof(struct xt_secmark_target_info_v1, secid), |
176 | .me = THIS_MODULE, |
177 | }, |
178 | }; |
179 | |
180 | static int __init secmark_tg_init(void) |
181 | { |
182 | return xt_register_targets(target: secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg)); |
183 | } |
184 | |
185 | static void __exit secmark_tg_exit(void) |
186 | { |
187 | xt_unregister_targets(target: secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg)); |
188 | } |
189 | |
190 | module_init(secmark_tg_init); |
191 | module_exit(secmark_tg_exit); |
192 | |