net/netfilter/xt_SECMARK.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Module for modifying the secmark field of the skb, for use by
   4  * security subsystems.
   5  *
   6  * Based on the nfmark match by:
   7  * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
   8  *
   9  * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
  10  */
  11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  12 #include <linux/module.h>
  13 #include <linux/security.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/netfilter/x_tables.h>
  16 #include <linux/netfilter/xt_SECMARK.h>
  17
  18 MODULE_LICENSE("GPL");
  19 MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
  20 MODULE_DESCRIPTION("Xtables: packet security mark modification");
  21 MODULE_ALIAS("ipt_SECMARK");
  22 MODULE_ALIAS("ip6t_SECMARK");
  23
  24 static u8 mode;
  25
  26 static unsigned int
  27 secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
  28 {
  29         u32 secmark = 0;
  30         const struct xt_secmark_target_info *info = par->targinfo;
  31
  32         switch (mode) {
  33         case SECMARK_MODE_SEL:
  34                 secmark = info->secid;
  35                 break;
  36         default:
  37                 BUG();
  38         }
  39
  40         skb->secmark = secmark;
  41         return XT_CONTINUE;
  42 }
  43
  44 static int checkentry_lsm(struct xt_secmark_target_info *info)
  45 {
  46         int err;
  47
  48         info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
  49         info->secid = 0;
  50
  51         err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
  52                                        &info->secid);
  53         if (err) {
  54                 if (err == -EINVAL)
  55                         pr_info_ratelimited("invalid security context \'%s\'\n",
  56                                             info->secctx);
  57                 return err;
  58         }
  59
  60         if (!info->secid) {
  61                 pr_info_ratelimited("unable to map security context \'%s\'\n",
  62                                     info->secctx);
  63                 return -ENOENT;
  64         }
  65
  66         err = security_secmark_relabel_packet(info->secid);
  67         if (err) {
  68                 pr_info_ratelimited("unable to obtain relabeling permission\n");
  69                 return err;
  70         }
  71
  72         security_secmark_refcount_inc();
  73         return 0;
  74 }
  75
  76 static int secmark_tg_check(const struct xt_tgchk_param *par)
  77 {
  78         struct xt_secmark_target_info *info = par->targinfo;
  79         int err;
  80
  81         if (strcmp(par->table, "mangle") != 0 &&
  82             strcmp(par->table, "security") != 0) {
  83                 pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
  84                                     par->table);
  85                 return -EINVAL;
  86         }
  87
  88         if (mode && mode != info->mode) {
  89                 pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
  90                                     mode, info->mode);
  91                 return -EINVAL;
  92         }
  93
  94         switch (info->mode) {
  95         case SECMARK_MODE_SEL:
  96                 break;
  97         default:
  98                 pr_info_ratelimited("invalid mode: %hu\n", info->mode);
  99                 return -EINVAL;
 100         }
 101
 102         err = checkentry_lsm(info);
 103         if (err)
 104                 return err;
 105
 106         if (!mode)
 107                 mode = info->mode;
 108         return 0;
 109 }
 110
 111 static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
 112 {
 113         switch (mode) {
 114         case SECMARK_MODE_SEL:
 115                 security_secmark_refcount_dec();
 116         }
 117 }
 118
 119 static struct xt_target secmark_tg_reg __read_mostly = {
 120         .name       = "SECMARK",
 121         .revision   = 0,
 122         .family     = NFPROTO_UNSPEC,
 123         .checkentry = secmark_tg_check,
 124         .destroy    = secmark_tg_destroy,
 125         .target     = secmark_tg,
 126         .targetsize = sizeof(struct xt_secmark_target_info),
 127         .me         = THIS_MODULE,
 128 };
 129
 130 static int __init secmark_tg_init(void)
 131 {
 132         return xt_register_target(&secmark_tg_reg);
 133 }
 134
 135 static void __exit secmark_tg_exit(void)
 136 {
 137         xt_unregister_target(&secmark_tg_reg);
 138 }
 139
 140 module_init(secmark_tg_init);
 141 module_exit(secmark_tg_exit);