Merge tag 'io_uring-5.11-2021-01-16' of git://git.kernel.dk/linux-block
[linux/fpc-iii.git] / net / netfilter / xt_SECMARK.c
blob75625d13e976c70dd8fac8d4609700a50022dd18
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Module for modifying the secmark field of the skb, for use by
4 * security subsystems.
6 * Based on the nfmark match by:
7 * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
9 * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
11 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12 #include <linux/module.h>
13 #include <linux/security.h>
14 #include <linux/skbuff.h>
15 #include <linux/netfilter/x_tables.h>
16 #include <linux/netfilter/xt_SECMARK.h>
18 MODULE_LICENSE("GPL");
19 MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
20 MODULE_DESCRIPTION("Xtables: packet security mark modification");
21 MODULE_ALIAS("ipt_SECMARK");
22 MODULE_ALIAS("ip6t_SECMARK");
24 static u8 mode;
26 static unsigned int
27 secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
29 u32 secmark = 0;
30 const struct xt_secmark_target_info *info = par->targinfo;
32 switch (mode) {
33 case SECMARK_MODE_SEL:
34 secmark = info->secid;
35 break;
36 default:
37 BUG();
40 skb->secmark = secmark;
41 return XT_CONTINUE;
44 static int checkentry_lsm(struct xt_secmark_target_info *info)
46 int err;
48 info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
49 info->secid = 0;
51 err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
52 &info->secid);
53 if (err) {
54 if (err == -EINVAL)
55 pr_info_ratelimited("invalid security context \'%s\'\n",
56 info->secctx);
57 return err;
60 if (!info->secid) {
61 pr_info_ratelimited("unable to map security context \'%s\'\n",
62 info->secctx);
63 return -ENOENT;
66 err = security_secmark_relabel_packet(info->secid);
67 if (err) {
68 pr_info_ratelimited("unable to obtain relabeling permission\n");
69 return err;
72 security_secmark_refcount_inc();
73 return 0;
76 static int secmark_tg_check(const struct xt_tgchk_param *par)
78 struct xt_secmark_target_info *info = par->targinfo;
79 int err;
81 if (strcmp(par->table, "mangle") != 0 &&
82 strcmp(par->table, "security") != 0) {
83 pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
84 par->table);
85 return -EINVAL;
88 if (mode && mode != info->mode) {
89 pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
90 mode, info->mode);
91 return -EINVAL;
94 switch (info->mode) {
95 case SECMARK_MODE_SEL:
96 break;
97 default:
98 pr_info_ratelimited("invalid mode: %hu\n", info->mode);
99 return -EINVAL;
102 err = checkentry_lsm(info);
103 if (err)
104 return err;
106 if (!mode)
107 mode = info->mode;
108 return 0;
111 static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
113 switch (mode) {
114 case SECMARK_MODE_SEL:
115 security_secmark_refcount_dec();
119 static struct xt_target secmark_tg_reg __read_mostly = {
120 .name = "SECMARK",
121 .revision = 0,
122 .family = NFPROTO_UNSPEC,
123 .checkentry = secmark_tg_check,
124 .destroy = secmark_tg_destroy,
125 .target = secmark_tg,
126 .targetsize = sizeof(struct xt_secmark_target_info),
127 .me = THIS_MODULE,
130 static int __init secmark_tg_init(void)
132 return xt_register_target(&secmark_tg_reg);
135 static void __exit secmark_tg_exit(void)
137 xt_unregister_target(&secmark_tg_reg);
140 module_init(secmark_tg_init);
141 module_exit(secmark_tg_exit);