[PATCH 4/7] secid reconciliation-v02: Invoke LSM hook for outbound traffic

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Venkat Yekkirala <vyekkirala@TrustedCS.com>
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: jmorris@namei.org, sds@tycho.nsa.gov, chanson@TrustedCS.com
Subject: [PATCH 4/7] secid reconciliation-v02: Invoke LSM hook for outbound traffic
Date: Fri, 08 Sep 2006 11:50:46 -0500	[thread overview]
Message-ID: <45019F66.20603@trustedcs.com> (raw)

Invoke the skb_netfilter_check LSM hook for outbound (OUTPUT/FORWARD)
traffic for secid reconciliation and flow control.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
 net/netfilter/xt_CONNSECMARK.c |   44 ++++++++++++++++++++++---------
 net/netfilter/xt_SECMARK.c     |   20 ++++++++++++--
 2 files changed, 50 insertions(+), 14 deletions(-)

diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 4673862..a79bd20 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -17,6 +17,8 @@
  */
 #include <linux/module.h>
 #include <linux/skbuff.h>
+#include <linux/security.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CONNSECMARK.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -47,20 +49,32 @@ static void secmark_save(struct sk_buff 
 }
 
 /*
- * If packet has no security mark, and the connection does, restore the
- * security mark from the connection to the packet.
+ * On the inbound, restore the security mark from the connection to the packet.
+ * On the outbound, filter based on the current secmark.
  */
-static void secmark_restore(struct sk_buff *skb)
+static unsigned int secmark_restore(struct sk_buff *skb, unsigned int hooknum,
+			   const struct xt_target *target)
 {
-	if (!skb->secmark) {
-		u32 *connsecmark;
-		enum ip_conntrack_info ctinfo;
+	u32 *psecmark;
+	u32 secmark = 0;
+	enum ip_conntrack_info ctinfo;
 
-		connsecmark = nf_ct_get_secmark(skb, &ctinfo);
-		if (connsecmark && *connsecmark)
-			if (skb->secmark != *connsecmark)
-				skb->secmark = *connsecmark;
-	}
+	psecmark = nf_ct_get_secmark(skb, &ctinfo);
+	if (psecmark)
+		secmark = *psecmark;
+
+	if (!secmark)
+		return XT_CONTINUE;
+
+	/* Set secmark on inbound and filter it on outbound */
+	if (hooknum == NF_IP_POST_ROUTING || hooknum == NF_IP6_POST_ROUTING) {
+		if (!security_skb_netfilter_check(skb, secmark))
+			return NF_DROP;
+	} else
+		if (skb->secmark != secmark)
+			skb->secmark = secmark;
+
+	return XT_CONTINUE;
 }
 
 static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
@@ -77,7 +91,7 @@ static unsigned int target(struct sk_buf
 		break;
 
 	case CONNSECMARK_RESTORE:
-		secmark_restore(skb);
+		return secmark_restore(skb, hooknum, target);
 		break;
 
 	default:
@@ -114,6 +128,9 @@ static struct xt_target xt_connsecmark_t
 		.target		= target,
 		.targetsize	= sizeof(struct xt_connsecmark_target_info),
 		.table		= "mangle",
+		.hooks		= (1 << NF_IP_LOCAL_IN) |
+				  (1 << NF_IP_FORWARD) |
+				  (1 << NF_IP_POST_ROUTING),
 		.me		= THIS_MODULE,
 	},
 	{
@@ -123,6 +140,9 @@ static struct xt_target xt_connsecmark_t
 		.target		= target,
 		.targetsize	= sizeof(struct xt_connsecmark_target_info),
 		.table		= "mangle",
+		.hooks		= (1 << NF_IP6_LOCAL_IN) |
+				  (1 << NF_IP6_FORWARD) |
+				  (1 << NF_IP6_POST_ROUTING),
 		.me		= THIS_MODULE,
 	},
 };
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index add7521..de1de45 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -15,8 +15,10 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/selinux.h>
+#include <linux/security.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_SECMARK.h>
+#include <linux/netfilter_ipv6.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
@@ -47,8 +49,16 @@ static unsigned int target(struct sk_buf
 		BUG();
 	}
 
-	if ((*pskb)->secmark != secmark)
-		(*pskb)->secmark = secmark;
+	if (!secmark)
+		return XT_CONTINUE;
+
+	/* Set secmark on inbound and filter it on outbound */
+	if (hooknum == NF_IP_POST_ROUTING || hooknum == NF_IP6_POST_ROUTING) {
+		if (!security_skb_netfilter_check(*pskb, secmark))
+			return NF_DROP;
+	} else
+		if ((*pskb)->secmark != secmark)
+			(*pskb)->secmark = secmark;
 
 	return XT_CONTINUE;
 }
@@ -119,6 +129,9 @@ static struct xt_target xt_secmark_targe
 		.target		= target,
 		.targetsize	= sizeof(struct xt_secmark_target_info),
 		.table		= "mangle",
+		.hooks		= (1 << NF_IP_LOCAL_IN) |
+				  (1 << NF_IP_FORWARD) |
+				  (1 << NF_IP_POST_ROUTING),
 		.me		= THIS_MODULE,
 	},
 	{
@@ -128,6 +141,9 @@ static struct xt_target xt_secmark_targe
 		.target		= target,
 		.targetsize	= sizeof(struct xt_secmark_target_info),
 		.table		= "mangle",
+		.hooks		= (1 << NF_IP6_LOCAL_IN) |
+				  (1 << NF_IP6_FORWARD) |
+				  (1 << NF_IP6_POST_ROUTING),
 		.me		= THIS_MODULE,
 	},
 };

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

WARNING: multiple messages have this Message-ID (diff)

From: Venkat Yekkirala <vyekkirala@trustedcs.com>
To: netdev@vger.kernel.org, selinux@tycho.nsa.gov
Cc: jmorris@namei.org, sds@tycho.nsa.gov, chanson@trustedcs.com
Subject: [PATCH 4/7] secid reconciliation-v02: Invoke LSM hook for outbound traffic
Date: Fri, 08 Sep 2006 11:50:46 -0500	[thread overview]
Message-ID: <45019F66.20603@trustedcs.com> (raw)

Invoke the skb_netfilter_check LSM hook for outbound (OUTPUT/FORWARD)
traffic for secid reconciliation and flow control.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
---
 net/netfilter/xt_CONNSECMARK.c |   44 ++++++++++++++++++++++---------
 net/netfilter/xt_SECMARK.c     |   20 ++++++++++++--
 2 files changed, 50 insertions(+), 14 deletions(-)

diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 4673862..a79bd20 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -17,6 +17,8 @@
  */
 #include <linux/module.h>
 #include <linux/skbuff.h>
+#include <linux/security.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CONNSECMARK.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -47,20 +49,32 @@ static void secmark_save(struct sk_buff 
 }
 
 /*
- * If packet has no security mark, and the connection does, restore the
- * security mark from the connection to the packet.
+ * On the inbound, restore the security mark from the connection to the packet.
+ * On the outbound, filter based on the current secmark.
  */
-static void secmark_restore(struct sk_buff *skb)
+static unsigned int secmark_restore(struct sk_buff *skb, unsigned int hooknum,
+			   const struct xt_target *target)
 {
-	if (!skb->secmark) {
-		u32 *connsecmark;
-		enum ip_conntrack_info ctinfo;
+	u32 *psecmark;
+	u32 secmark = 0;
+	enum ip_conntrack_info ctinfo;
 
-		connsecmark = nf_ct_get_secmark(skb, &ctinfo);
-		if (connsecmark && *connsecmark)
-			if (skb->secmark != *connsecmark)
-				skb->secmark = *connsecmark;
-	}
+	psecmark = nf_ct_get_secmark(skb, &ctinfo);
+	if (psecmark)
+		secmark = *psecmark;
+
+	if (!secmark)
+		return XT_CONTINUE;
+
+	/* Set secmark on inbound and filter it on outbound */
+	if (hooknum == NF_IP_POST_ROUTING || hooknum == NF_IP6_POST_ROUTING) {
+		if (!security_skb_netfilter_check(skb, secmark))
+			return NF_DROP;
+	} else
+		if (skb->secmark != secmark)
+			skb->secmark = secmark;
+
+	return XT_CONTINUE;
 }
 
 static unsigned int target(struct sk_buff **pskb, const struct net_device *in,
@@ -77,7 +91,7 @@ static unsigned int target(struct sk_buf
 		break;
 
 	case CONNSECMARK_RESTORE:
-		secmark_restore(skb);
+		return secmark_restore(skb, hooknum, target);
 		break;
 
 	default:
@@ -114,6 +128,9 @@ static struct xt_target xt_connsecmark_t
 		.target		= target,
 		.targetsize	= sizeof(struct xt_connsecmark_target_info),
 		.table		= "mangle",
+		.hooks		= (1 << NF_IP_LOCAL_IN) |
+				  (1 << NF_IP_FORWARD) |
+				  (1 << NF_IP_POST_ROUTING),
 		.me		= THIS_MODULE,
 	},
 	{
@@ -123,6 +140,9 @@ static struct xt_target xt_connsecmark_t
 		.target		= target,
 		.targetsize	= sizeof(struct xt_connsecmark_target_info),
 		.table		= "mangle",
+		.hooks		= (1 << NF_IP6_LOCAL_IN) |
+				  (1 << NF_IP6_FORWARD) |
+				  (1 << NF_IP6_POST_ROUTING),
 		.me		= THIS_MODULE,
 	},
 };
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index add7521..de1de45 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -15,8 +15,10 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/selinux.h>
+#include <linux/security.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_SECMARK.h>
+#include <linux/netfilter_ipv6.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
@@ -47,8 +49,16 @@ static unsigned int target(struct sk_buf
 		BUG();
 	}
 
-	if ((*pskb)->secmark != secmark)
-		(*pskb)->secmark = secmark;
+	if (!secmark)
+		return XT_CONTINUE;
+
+	/* Set secmark on inbound and filter it on outbound */
+	if (hooknum == NF_IP_POST_ROUTING || hooknum == NF_IP6_POST_ROUTING) {
+		if (!security_skb_netfilter_check(*pskb, secmark))
+			return NF_DROP;
+	} else
+		if ((*pskb)->secmark != secmark)
+			(*pskb)->secmark = secmark;
 
 	return XT_CONTINUE;
 }
@@ -119,6 +129,9 @@ static struct xt_target xt_secmark_targe
 		.target		= target,
 		.targetsize	= sizeof(struct xt_secmark_target_info),
 		.table		= "mangle",
+		.hooks		= (1 << NF_IP_LOCAL_IN) |
+				  (1 << NF_IP_FORWARD) |
+				  (1 << NF_IP_POST_ROUTING),
 		.me		= THIS_MODULE,
 	},
 	{
@@ -128,6 +141,9 @@ static struct xt_target xt_secmark_targe
 		.target		= target,
 		.targetsize	= sizeof(struct xt_secmark_target_info),
 		.table		= "mangle",
+		.hooks		= (1 << NF_IP6_LOCAL_IN) |
+				  (1 << NF_IP6_FORWARD) |
+				  (1 << NF_IP6_POST_ROUTING),
 		.me		= THIS_MODULE,
 	},
 };

next             reply	other threads:[~2006-09-08 16:50 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-09-08 16:50 Venkat Yekkirala [this message]
2006-09-08 16:50 ` [PATCH 4/7] secid reconciliation-v02: Invoke LSM hook for outbound traffic Venkat Yekkirala
2006-09-18 18:19 ` James Morris
2006-09-18 18:19   ` James Morris
2006-09-18 19:12 ` James Morris
2006-09-18 19:12   ` James Morris

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:4673862 dfblob:a79bd20 dfblob:add7521 dfblob:de1de45
dfblob:4673862 dfblob:a79bd20 dfblob:add7521 dfblob:de1de45 )
 OR (
bs:"[PATCH 4/7] secid reconciliation-v02: Invoke LSM hook for outbound traffic" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=45019F66.20603@trustedcs.com \
    --to=vyekkirala@trustedcs.com \
    --cc=chanson@TrustedCS.com \
    --cc=jmorris@namei.org \
    --cc=netdev@vger.kernel.org \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.