* [PATCH 0/2] Security: Add security tables for mandatory access control
From: James Morris @ 2008-05-21 14:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: linux-security-module, Paul Moore, Stephen Smalley
The following patches add a new ip[6]tables "security" table, for use with
mandatory access control (MAC) security schemes.
This follows on from an RFC post earlier in the year:
http://thread.gmane.org/gmane.linux.redhat.fedora.selinux/8490
In a nutshell, the need for this arises from the fact that MAC labeling
rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
discretionary security policy (i.e. not even "root" or a user with
CAP_NET_ADMIN may be able to modify these rules).
So, a separate table is proposed here to allow these administrative
security domains to be separated, and specifically to assist with distro
integration.
Patches for IPv4 and IPv6 follow.
Please review and consider for 2.6.27.
- James
--
James Morris
<jmorris@namei.org>
* [PATCH 1/2] Security: Add iptables security table for mandatory access control rules
From: James Morris @ 2008-05-21 14:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: linux-security-module, Paul Moore, Stephen Smalley
The following patch implements a new "security" table for iptables, so
that MAC (SELinux etc.) networking rules can be managed separately to
standard DAC rules.
This is to help with distro integration of the new secmark-based
network controls, per various previous discussions.
The need for a separate table arises from the fact that existing tools
and usage of iptables will likely clash with centralized MAC policy
management.
The SECMARK and CONNSECMARK targets will still be valid in the mangle
table to prevent breakage of existing users.
Signed-off-by: James Morris <jmorris@namei.org>
---
include/linux/netfilter_ipv4.h | 1 +
include/net/netns/ipv4.h | 1 +
net/ipv4/netfilter/Kconfig | 11 ++
net/ipv4/netfilter/Makefile | 1 +
net/ipv4/netfilter/iptable_security.c | 180 +++++++++++++++++++++++++++++++++
net/netfilter/xt_CONNSECMARK.c | 10 ++-
net/netfilter/xt_SECMARK.c | 10 ++-
7 files changed, 208 insertions(+), 6 deletions(-)
create mode 100644 net/ipv4/netfilter/iptable_security.c
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 650318b..29c7727 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -60,6 +60,7 @@ enum nf_ip_hook_priorities {
NF_IP_PRI_MANGLE = -150,
NF_IP_PRI_NAT_DST = -100,
NF_IP_PRI_FILTER = 0,
+ NF_IP_PRI_SECURITY = 50,
NF_IP_PRI_NAT_SRC = 100,
NF_IP_PRI_SELINUX_LAST = 225,
NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
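Review bot: The commit message should record why NF_IP_PRI_SECURITY sits at 50, i.e. after NF_IP_PRI_FILTER (0) and before NF_IP_PRI_NAT_SRC (100). As placed, the security table only sees packets the filter table has already accepted, and the SELinux post-hook at NF_IP_PRI_SELINUX_LAST (225) still runs after it; that is what a MAC labeling table wants, but it is not obvious from the enum alone.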
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 34ee348..6ef90b5 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -36,6 +36,7 @@ struct netns_ipv4 {
struct xt_table *iptable_mangle;
struct xt_table *iptable_raw;
struct xt_table *arptable_filter;
+ struct xt_table *iptable_security;
#endif
int sysctl_icmp_echo_ignore_all;
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 2767841..9c1d6aa 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -365,6 +365,17 @@ config IP_NF_RAW
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+# security table for MAC policy
+config IP_NF_SECURITY
+ tristate "Security table"
+ depends on IP_NF_IPTABLES
+ default m if NETFILTER_ADVANCED=n
+ help
+ This option adds a `security' table to iptables, for use
+ with Mandatory Access Control (MAC) policy.
+
+ If unsure, say N.
+
# ARP tables
config IP_NF_ARPTABLES
tristate "ARP tables support"
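Review bot: IP_NF_SECURITY depends only on IP_NF_IPTABLES, yet the help text says the table exists for Mandatory Access Control policy; if it has no use on a kernel built without CONFIG_SECURITY, add `depends on SECURITY` next to `depends on IP_NF_IPTABLES` so the option is not offered on kernels that cannot make use of it.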
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index d9b92fb..3f31291 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -42,6 +42,7 @@ obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
obj-$(CONFIG_NF_NAT) += iptable_nat.o
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
+obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
new file mode 100644
index 0000000..5eeeff9
--- /dev/null
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -0,0 +1,180 @@
+/*
+ * "security" table
+ *
+ * This is for use by Mandatory Access Control (MAC) security models,
+ * which need to be able to manage security policy in separate context
+ * to DAC.
+ *
+ * Based on iptable_mangle.c
+ *
+ * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+ * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
+ * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/ip.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
+MODULE_DESCRIPTION("iptables security table, for MAC rules");
+
+#define SECURITY_VALID_HOOKS (1 << NF_INET_LOCAL_IN) | \
+ (1 << NF_INET_FORWARD) | \
+ (1 << NF_INET_LOCAL_OUT)
+
+static struct
+{
+ struct ipt_replace repl;
+ struct ipt_standard entries[3];
+ struct ipt_error term;
+} initial_table __initdata = {
+ .repl = {
+ .name = "security",
+ .valid_hooks = SECURITY_VALID_HOOKS,
+ .num_entries = 4,
+ .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
+ .hook_entry = {
+ [NF_INET_LOCAL_IN] = 0,
+ [NF_INET_FORWARD] = sizeof(struct ipt_standard),
+ [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
+ },
+ .underflow = {
+ [NF_INET_LOCAL_IN] = 0,
+ [NF_INET_FORWARD] = sizeof(struct ipt_standard),
+ [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard) * 2,
+ },
+ },
+ .entries = {
+ IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
+ IPT_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
+ IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
+ },
+ .term = IPT_ERROR_INIT, /* ERROR */
+};
+
+static struct xt_table security_table = {
+ .name = "security",
+ .valid_hooks = SECURITY_VALID_HOOKS,
+ .lock = __RW_LOCK_UNLOCKED(security_table.lock),
+ .me = THIS_MODULE,
+ .af = AF_INET,
+};
+
+static unsigned int
+ipt_local_in_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return ipt_do_table(skb, hook, in, out,
+ nf_local_in_net(in, out)->ipv4.iptable_security);
+}
+
+static unsigned int
+ipt_forward_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return ipt_do_table(skb, hook, in, out,
+ nf_forward_net(in, out)->ipv4.iptable_security);
+}
+
+static unsigned int
+ipt_local_out_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ /* Somebody is playing with raw sockets. */
+ if (skb->len < sizeof(struct iphdr)
+ || ip_hdrlen(skb) < sizeof(struct iphdr)) {
+ if (net_ratelimit())
+ printk(KERN_INFO "iptable_security: ignoring short "
+ "SOCK_RAW packet.\n");
+ return NF_ACCEPT;
+ }
+ return ipt_do_table(skb, hook, in, out,
+ nf_local_out_net(in, out)->ipv4.iptable_security);
+}
+
+static struct nf_hook_ops ipt_ops[] __read_mostly = {
+ {
+ .hook = ipt_local_in_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_INET_LOCAL_IN,
+ .priority = NF_IP_PRI_SECURITY,
+ },
+ {
+ .hook = ipt_forward_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP_PRI_SECURITY,
+ },
+ {
+ .hook = ipt_local_out_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET,
+ .hooknum = NF_INET_LOCAL_OUT,
+ .priority = NF_IP_PRI_SECURITY,
+ },
+};
+
+static int __net_init iptable_security_net_init(struct net *net)
+{
+ net->ipv4.iptable_security =
+ ipt_register_table(net, &security_table, &initial_table.repl);
+
+ if (IS_ERR(net->ipv4.iptable_security))
+ return PTR_ERR(net->ipv4.iptable_security);
+
+ return 0;
+}
+
+static void __net_exit iptable_security_net_exit(struct net *net)
+{
+ ipt_unregister_table(net->ipv4.iptable_security);
+}
+
+static struct pernet_operations iptable_security_net_ops = {
+ .init = iptable_security_net_init,
+ .exit = iptable_security_net_exit,
+};
+
+static int __init iptable_security_init(void)
+{
+ int ret;
+
+ ret = register_pernet_subsys(&iptable_security_net_ops);
+ if (ret < 0)
+ return ret;
+
+ ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ if (ret < 0)
+ goto cleanup_table;
+
+ return ret;
+
+cleanup_table:
+ unregister_pernet_subsys(&iptable_security_net_ops);
+ return ret;
+}
+
+static void __exit iptable_security_fini(void)
+{
+ nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
+ unregister_pernet_subsys(&iptable_security_net_ops);
+}
+
+module_init(iptable_security_init);
+module_exit(iptable_security_fini);
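Review bot: SECURITY_VALID_HOOKS at the top of the file expands to `(1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD) | (1 << NF_INET_LOCAL_OUT)` with no enclosing parentheses; both uses here are plain initializers so it is harmless today, but any later use inside a larger expression (a `~` or an `&` against a hook mask) would bind incorrectly, so wrap the whole definition in parentheses. The header also says the file is based on iptable_mangle.c but it registers only the LOCAL_IN, FORWARD and LOCAL_OUT hooks; a sentence in the header or commit message explaining why PRE_ROUTING and POST_ROUTING are deliberately left out would help the next reader.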
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 211189e..76ca1f2 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -8,7 +8,7 @@
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
- * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -94,6 +94,12 @@ connsecmark_tg_check(const char *tablename, const void *entry,
{
const struct xt_connsecmark_target_info *info = targinfo;
+ if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) {
+ printk(KERN_INFO PFX "target only valid in the \'mangle\' "
+ "or \'security\' tables, not \'%s\'.\n", tablename);
+ return false;
+ }
+
switch (info->mode) {
case CONNSECMARK_SAVE:
case CONNSECMARK_RESTORE:
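Review bot: The `\'` escapes in the format string at `printk(KERN_INFO PFX "target only valid in the \'mangle\' "` are unnecessary in C (a single quote needs no escaping inside a double-quoted literal); writing plain quotes keeps the message readable and easy to grep for. The check itself is fine: it enforces what the removed `.table = "mangle"` registration fields used to, extended to the new table.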
@@ -126,7 +132,6 @@ static struct xt_target connsecmark_tg_reg[] __read_mostly = {
.destroy = connsecmark_tg_destroy,
.target = connsecmark_tg,
.targetsize = sizeof(struct xt_connsecmark_target_info),
- .table = "mangle",
.me = THIS_MODULE,
},
{
@@ -136,7 +141,6 @@ static struct xt_target connsecmark_tg_reg[] __read_mostly = {
.destroy = connsecmark_tg_destroy,
.target = connsecmark_tg,
.targetsize = sizeof(struct xt_connsecmark_target_info),
- .table = "mangle",
.me = THIS_MODULE,
},
};
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index c028485..94f87ee 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -5,7 +5,7 @@
* Based on the nfmark match by:
* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
*
- * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -89,6 +89,12 @@ secmark_tg_check(const char *tablename, const void *entry,
{
struct xt_secmark_target_info *info = targinfo;
+ if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) {
+ printk(KERN_INFO PFX "target only valid in the \'mangle\' "
+ "or \'security\' tables, not \'%s\'.\n", tablename);
+ return false;
+ }
+
if (mode && mode != info->mode) {
printk(KERN_INFO PFX "mode already set to %hu cannot mix with "
"rules for mode %hu\n", mode, info->mode);
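Review bot: Same string-literal point as in xt_CONNSECMARK.c: `\'mangle\'` and `\'security\'` can be written with plain quotes. Since both targets now carry an identical table check, a shared helper (or at least one shared message string) would keep the two from drifting apart if a further table is ever allowed.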
@@ -127,7 +133,6 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
.destroy = secmark_tg_destroy,
.target = secmark_tg,
.targetsize = sizeof(struct xt_secmark_target_info),
- .table = "mangle",
.me = THIS_MODULE,
},
{
@@ -137,7 +142,6 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
.destroy = secmark_tg_destroy,
.target = secmark_tg,
.targetsize = sizeof(struct xt_secmark_target_info),
- .table = "mangle",
.me = THIS_MODULE,
},
};
--
1.5.5.1
* [PATCH 2/2] Security: Add ip6tables security table
From: James Morris @ 2008-05-21 14:19 UTC (permalink / raw)
To: netfilter-devel; +Cc: linux-security-module, Paul Moore, Stephen Smalley
This is a port of the IPv4 security table for IPv6.
Signed-off-by: James Morris <jmorris@namei.org>
---
include/linux/netfilter_ipv6.h | 1 +
include/net/netns/ipv6.h | 1 +
net/ipv6/netfilter/Kconfig | 11 ++
net/ipv6/netfilter/Makefile | 1 +
net/ipv6/netfilter/ip6table_security.c | 172 ++++++++++++++++++++++++++++++++
5 files changed, 186 insertions(+), 0 deletions(-)
create mode 100644 net/ipv6/netfilter/ip6table_security.c
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 3475a65..fd50988 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -64,6 +64,7 @@ enum nf_ip6_hook_priorities {
NF_IP6_PRI_MANGLE = -150,
NF_IP6_PRI_NAT_DST = -100,
NF_IP6_PRI_FILTER = 0,
+ NF_IP6_PRI_SECURITY = 50,
NF_IP6_PRI_NAT_SRC = 100,
NF_IP6_PRI_SELINUX_LAST = 225,
NF_IP6_PRI_LAST = INT_MAX,
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index ac053be..5bacd83 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -35,6 +35,7 @@ struct netns_ipv6 {
struct xt_table *ip6table_filter;
struct xt_table *ip6table_mangle;
struct xt_table *ip6table_raw;
+ struct xt_table *ip6table_security;
#endif
struct rt6_info *ip6_null_entry;
struct rt6_statistics *rt6_stats;
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 6cae547..353ee15 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -208,5 +208,16 @@ config IP6_NF_RAW
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+# security table for MAC policy
+config IP6_NF_SECURITY
+ tristate "Security table"
+ depends on IP6_NF_IPTABLES
+ default m if NETFILTER_ADVANCED=n
+ help
+ This option adds a `security' table to iptables, for use
+ with Mandatory Access Control (MAC) policy.
+
+ If unsure, say N.
+
endmenu
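Review bot: The help text for IP6_NF_SECURITY says the option adds a `security' table to iptables; this is the IPv6 option, so it should read ip6tables (the wording is identical to the IPv4 entry and was evidently copied from it).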
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index fbf2c14..3f17c94 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -8,6 +8,7 @@ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
+obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
# objects for l3 independent conntrack
nf_conntrack_ipv6-objs := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o nf_conntrack_reasm.o
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
new file mode 100644
index 0000000..2f509b3
--- /dev/null
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -0,0 +1,172 @@
+/*
+ * "security" table for IPv6
+ *
+ * This is for use by Mandatory Access Control (MAC) security models,
+ * which need to be able to manage security policy in separate context
+ * to DAC.
+ *
+ * Based on iptable_mangle.c
+ *
+ * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+ * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
+ * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
+MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
+
+#define SECURITY_VALID_HOOKS (1 << NF_INET_LOCAL_IN) | \
+ (1 << NF_INET_FORWARD) | \
+ (1 << NF_INET_LOCAL_OUT)
+
+static struct
+{
+ struct ip6t_replace repl;
+ struct ip6t_standard entries[3];
+ struct ip6t_error term;
+} initial_table __initdata = {
+ .repl = {
+ .name = "security",
+ .valid_hooks = SECURITY_VALID_HOOKS,
+ .num_entries = 4,
+ .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
+ .hook_entry = {
+ [NF_INET_LOCAL_IN] = 0,
+ [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
+ [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2,
+ },
+ .underflow = {
+ [NF_INET_LOCAL_IN] = 0,
+ [NF_INET_FORWARD] = sizeof(struct ip6t_standard),
+ [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard) * 2,
+ },
+ },
+ .entries = {
+ IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_IN */
+ IP6T_STANDARD_INIT(NF_ACCEPT), /* FORWARD */
+ IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
+ },
+ .term = IP6T_ERROR_INIT, /* ERROR */
+};
+
+static struct xt_table security_table = {
+ .name = "security",
+ .valid_hooks = SECURITY_VALID_HOOKS,
+ .lock = __RW_LOCK_UNLOCKED(security_table.lock),
+ .me = THIS_MODULE,
+ .af = AF_INET6,
+};
+
+static unsigned int
+ip6t_local_in_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return ip6t_do_table(skb, hook, in, out,
+ init_net.ipv6.ip6table_security);
+}
+
+static unsigned int
+ip6t_forward_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ return ip6t_do_table(skb, hook, in, out,
+ init_net.ipv6.ip6table_security);
+}
+
+static unsigned int
+ip6t_local_out_hook(unsigned int hook,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ /* TBD: handle short packets via raw socket */
+ return ip6t_do_table(skb, hook, in, out,
+ init_net.ipv6.ip6table_security);
+}
+
+static struct nf_hook_ops ip6t_ops[] __read_mostly = {
+ {
+ .hook = ip6t_local_in_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET6,
+ .hooknum = NF_INET_LOCAL_IN,
+ .priority = NF_IP6_PRI_SECURITY,
+ },
+ {
+ .hook = ip6t_forward_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET6,
+ .hooknum = NF_INET_FORWARD,
+ .priority = NF_IP6_PRI_SECURITY,
+ },
+ {
+ .hook = ip6t_local_out_hook,
+ .owner = THIS_MODULE,
+ .pf = PF_INET6,
+ .hooknum = NF_INET_LOCAL_OUT,
+ .priority = NF_IP6_PRI_SECURITY,
+ },
+};
+
+static int __net_init ip6table_security_net_init(struct net *net)
+{
+ net->ipv6.ip6table_security =
+ ip6t_register_table(net, &security_table, &initial_table.repl);
+
+ if (IS_ERR(net->ipv6.ip6table_security))
+ return PTR_ERR(net->ipv6.ip6table_security);
+
+ return 0;
+}
+
+static void __net_exit ip6table_security_net_exit(struct net *net)
+{
+ ip6t_unregister_table(net->ipv6.ip6table_security);
+}
+
+static struct pernet_operations ip6table_security_net_ops = {
+ .init = ip6table_security_net_init,
+ .exit = ip6table_security_net_exit,
+};
+
+static int __init ip6table_security_init(void)
+{
+ int ret;
+
+ ret = register_pernet_subsys(&ip6table_security_net_ops);
+ if (ret < 0)
+ return ret;
+
+ ret = nf_register_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ if (ret < 0)
+ goto cleanup_table;
+
+ return ret;
+
+cleanup_table:
+ unregister_pernet_subsys(&ip6table_security_net_ops);
+ return ret;
+}
+
+static void __exit ip6table_security_fini(void)
+{
+ nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
+ unregister_pernet_subsys(&ip6table_security_net_ops);
+}
+
+module_init(ip6table_security_init);
+module_exit(ip6table_security_fini);
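Review bot: The three hook functions read `init_net.ipv6.ip6table_security` directly, while ip6table_security_net_init registers a table per network namespace; packets in any namespace other than init_net would therefore be matched against init_net's table. The IPv4 version in patch 1/2 resolves the table through nf_local_in_net()/nf_forward_net()/nf_local_out_net(); either do the same here or state in the commit message that per-namespace lookup is intentionally not done yet. The `/* TBD: handle short packets via raw socket */` comment in ip6t_local_out_hook also leaves the short-packet guard from the IPv4 ipt_local_out_hook unported; if that is deliberate, say so rather than leaving a TBD.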
--
1.5.5.1
* Re: [PATCH 1/2] Security: Add iptables security table for mandatory access control rules
From: Patrick McHardy @ 2008-05-21 17:18 UTC (permalink / raw)
To: James Morris
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
James Morris wrote:
> The following patch implements a new "security" table for iptables, so
> that MAC (SELinux etc.) networking rules can be managed separately to
> standard DAC rules.
>
> This is to help with distro integration of the new secmark-based
> network controls, per various previous discussions.
>
> The need for a separate table arises from the fact that existing tools
> and usage of iptables will likely clash with centralized MAC policy
> management.
>
> The SECMARK and CONNSECMARK targets will still be valid in the mangle
> table to prevent breakage of existing users.
Thanks James, just one question:
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -365,6 +365,17 @@ config IP_NF_RAW
> If you want to compile it as a module, say M here and read
> <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
>
> +# security table for MAC policy
> +config IP_NF_SECURITY
> + tristate "Security table"
> + depends on IP_NF_IPTABLES
> + default m if NETFILTER_ADVANCED=n
Is the table also useful without CONFIG_SECURITY? Otherwise
I'd suggest adding a dependency.
* Re: [PATCH 1/2] Security: Add iptables security table for mandatory access control rules
From: Patrick McHardy @ 2008-05-21 17:22 UTC (permalink / raw)
To: James Morris
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
James Morris wrote:
> The following patch implements a new "security" table for iptables, so
> that MAC (SELinux etc.) networking rules can be managed separately to
> standard DAC rules.
>
> This is to help with distro integration of the new secmark-based
> network controls, per various previous discussions.
>
> The need for a separate table arises from the fact that existing tools
> and usage of iptables will likely clash with centralized MAC policy
> management.
>
> The SECMARK and CONNSECMARK targets will still be valid in the mangle
> table to prevent breakage of existing users.
>
> Signed-off-by: James Morris <jmorris@namei.org>
Applied, thanks. I'll add the dependency myself in case you agree.
* Re: [PATCH 2/2] Security: Add ip6tables security table
From: Patrick McHardy @ 2008-05-21 17:23 UTC (permalink / raw)
To: James Morris
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
James Morris wrote:
> This is a port of the IPv4 security table for IPv6.
>
> Signed-off-by: James Morris <jmorris@namei.org>
Also applied, thanks.
* Re: [PATCH 0/2] Security: Add security tables for mandatory access control
From: Jan Engelhardt @ 2008-05-21 22:01 UTC (permalink / raw)
To: James Morris
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
On Wednesday 2008-05-21 16:17, James Morris wrote:
>
>In a nutshell, the need for this arises from the fact that MAC labeling
>rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
>discretionary security policy (i.e. not even "root" or a user with
>CAP_NET_ADMIN may be able to modify these rules).
Yet I do not see any code to possibly prohibit changing the table.
* Re: [PATCH 0/2] Security: Add security tables for mandatory access control
From: James Morris @ 2008-05-21 22:43 UTC (permalink / raw)
To: Jan Engelhardt
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
On Thu, 22 May 2008, Jan Engelhardt wrote:
>
> On Wednesday 2008-05-21 16:17, James Morris wrote:
> >
> >In a nutshell, the need for this arises from the fact that MAC labeling
> >rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
> >discretionary security policy (i.e. not even "root" or a user with
> >CAP_NET_ADMIN may be able to modify these rules).
>
> Yet I do not see any code to possibly prohibit changing the table.
There are calls from SECMARK and CONNSECMARK into the SELinux API, which
are the labeling targets.
- James
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 1/2] Security: Add iptables security table for mandatory access control rules
From: James Morris @ 2008-05-21 22:44 UTC (permalink / raw)
To: Patrick McHardy
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
On Wed, 21 May 2008, Patrick McHardy wrote:
> Applied, thanks. I'll add the dependency myself in case you agree.
Ok, I can't really see a use for the table without CONFIG_SECURITY, so
please go ahead.
- James
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 1/2] Security: Add iptables security table for mandatory access control rules
From: Patrick McHardy @ 2008-05-22 12:15 UTC (permalink / raw)
To: James Morris
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
James Morris wrote:
> On Wed, 21 May 2008, Patrick McHardy wrote:
>
>
>> Applied, thanks. I'll add the dependency myself in case you agree.
>>
>
> Ok, I can't really see a use for the table without CONFIG_SECURITY, so
> please go ahead.
>
Done, thanks.
* Re: [PATCH 0/2] Security: Add security tables for mandatory access control
From: Jan Engelhardt @ 2008-05-22 15:57 UTC (permalink / raw)
To: James Morris
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
On Thursday 2008-05-22 00:43, James Morris wrote:
>On Thu, 22 May 2008, Jan Engelhardt wrote:
>> On Wednesday 2008-05-21 16:17, James Morris wrote:
>> >
>> >In a nutshell, the need for this arises from the fact that MAC labeling
>> >rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
>> >discretionary security policy (i.e. not even "root" or a user with
>> >CAP_NET_ADMIN may be able to modify these rules).
>>
>> Yet I do not see any code to possibly prohibit changing the table.
>
>There are calls from SECMARK and CONNSECMARK into the SELinux API, which
>are the labeling targets.
But you cannot deny the deletion of a rule from within SECMARK—
there is not even a ->destroy function in that module.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH 0/2] Security: Add security tables for mandatory access control
From: James Morris @ 2008-05-26 8:06 UTC (permalink / raw)
To: Jan Engelhardt
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
On Thu, 22 May 2008, Jan Engelhardt wrote:
>
> On Thursday 2008-05-22 00:43, James Morris wrote:
> >On Thu, 22 May 2008, Jan Engelhardt wrote:
> >> On Wednesday 2008-05-21 16:17, James Morris wrote:
> >> >
> >> >In a nutshell, the need for this arises from the fact that MAC labeling
> >> >rules utilizing iptables via SECMARK and CONNSECMARK are not subject to
> >> >discretionary security policy (i.e. not even "root" or a user with
> >> >CAP_NET_ADMIN may be able to modify these rules).
> >>
> >> Yet I do not see any code to possibly prohibit changing the table.
> >
> >There are calls from SECMARK and CONNSECMARK into the SELinux API, which
> >are the labeling targets.
>
> But you cannot deny the deletion of a rule from within SECMARK—
> there is not even a ->destroy function in that module.
There is a destroy function, although it is only used internally by
SELinux for reference counting.
The xtables destroy method does not return a value and probably needs to
unconditionally succeed in any case.
Possible solutions are:
- Add a new method which is designed specifically for applying access
control to rule deletion.
- Add a flag to the table struct which indicates that an LSM hook should
be called, which can then be used for all table manipulation on a coarse
level (e.g. invoke "cap_mac_admin" or "load_policy" permission, or
similar).
Note that coarse-grained control over deletion may be preferable, as we
don't really know what effect the deletion will have (e.g. the packets may
fall through to another rule which the user should not have been able to
specify).
- James
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 0/2] Security: Add security tables for mandatory access control
From: Jan Engelhardt @ 2008-05-26 8:23 UTC (permalink / raw)
To: James Morris
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
On Monday 2008-05-26 10:06, James Morris wrote:
>> >
>> >There are calls from SECMARK and CONNSECMARK into the SELinux API, which
>> >are the labeling targets.
>>
>> But you cannot deny the deletion of a rule from within SECMARK—
>> there is not even a ->destroy function in that module.
>
>There is a destroy function, although it is only used internally by
>SELinux for reference counting.
>
>The xtables destroy method does not return a value and probably needs to
>unconditionally succeed in any case.
>
>Possible solutions are:
>
>- Add a new method which is designed specifically for applying access
>control to rule deletion.
[...]
By the time the destroy function is called, it is already decided
the rule is going away--it is much more like a "cleanup" hook
for any private data the match/target had.
In fact, there is not even really a per-rule [rule={match,target}]
destroy function. A new table image is loaded and atomically
swapped with the previous one. You would rather want to call
security_*() in the ioctl phase.
But then again, the capability flag for net access could just be
split up, which is what people suggested to me about
CAP_SYS_ADMIN when twiddling with file access security hooks
last year.
* Re: [PATCH 0/2] Security: Add security tables for mandatory access control
2008-05-26 8:23 ` Jan Engelhardt
@ 2008-05-26 9:12 ` James Morris
0 siblings, 0 replies; 16+ messages in thread
From: James Morris @ 2008-05-26 9:12 UTC (permalink / raw)
To: Jan Engelhardt
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
On Mon, 26 May 2008, Jan Engelhardt wrote:
> In fact, there is not even really a per-rule [rule={match,target}]
> destroy function. A new table image is loaded and atomically
> swapped with the previous one. You would rather want to call
> security_*() in the ioctl phase.
It's possible the existing coarse-grained capability check that SELinux
hooks into (cap_net_admin) is enough for rule deletion, given that we
don't know the ultimate effect of deleting rules. i.e. there may be no
point in trying to further decompose that privilege.
- James
--
James Morris
<jmorris@namei.org>
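The hook-placement question argued in the two messages above (Jan Engelhardt: the per-rule destroy callback is a cleanup hook that runs after the table image has already been swapped, so an access decision has to be taken at the ioctl phase; James Morris: a coarse table-level check may then be all that is needed) can be modelled in a few lines of plain C. The following is an added illustration, not code from the patch series or from the kernel's xtables or LSM code. The names rule_t, table_t, caller_t, replace_table(), check_table_access() and the CAP_*_BIT values are hypothetical stand-ins for the real structures and capability checks.

```c
/* Added example, not code from the patch series or the kernel. It models
 * the two hook placements discussed in the thread: a per-rule destroy
 * callback that returns void (cleanup only, it cannot veto anything), and
 * an access check at the table-replace entry point, before the atomic
 * swap, where a denial can actually prevent the change. rule_t, table_t,
 * caller_t, replace_table() and the CAP_*_BIT values are hypothetical
 * stand-ins, not the xtables/LSM API. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical privilege bits carried by the caller. */
enum { CAP_NET_ADMIN_BIT = 1u << 0, CAP_MAC_ADMIN_BIT = 1u << 1 };

typedef struct caller { unsigned caps; } caller_t;

typedef struct rule {
    const char *name;               /* e.g. "SECMARK" */
    int is_labeling;                /* 1 for a MAC labeling target */
    void (*destroy)(struct rule *); /* void: cleanup only, cannot fail */
} rule_t;

typedef struct table {
    const char *name;               /* "filter" or "security" */
    int requires_mac_admin;         /* per-table flag, as proposed in the thread */
    rule_t rules[8];
    size_t nrules;
} table_t;

static int destroy_calls;           /* counts cleanup callbacks for the test */

/* Cleanup-only hook: by the time this runs the old image is already gone. */
static void rule_destroy(rule_t *r) { (void)r; destroy_calls++; }

/* Coarse-grained check at the "ioctl/setsockopt" phase, before any swap.
 * Returns 0 on success or -EPERM. */
static int check_table_access(const caller_t *c, const table_t *t)
{
    if (!(c->caps & CAP_NET_ADMIN_BIT))
        return -EPERM;              /* ordinary DAC privilege check */
    if (t->requires_mac_admin && !(c->caps & CAP_MAC_ADMIN_BIT))
        return -EPERM;              /* table flagged as MAC-controlled */
    return 0;
}

/* Replace *cur with the whole new image *next, then run the cleanup hooks
 * of the old rules. The decision is made before the swap; the destroy
 * callbacks cannot influence it. */
static int replace_table(const caller_t *c, table_t *cur, const table_t *next)
{
    table_t old;
    int err = check_table_access(c, cur);
    if (err)
        return err;                 /* denied: old image untouched */
    old = *cur;
    *cur = *next;                   /* the "atomic swap" */
    for (size_t i = 0; i < old.nrules; i++)
        if (old.rules[i].destroy)
            old.rules[i].destroy(&old.rules[i]);
    return 0;
}

/* Constructed sample: a "security" table holding two labeling rules. */
static table_t make_security_table(void)
{
    table_t t = { .name = "security", .requires_mac_admin = 1, .nrules = 2 };
    t.rules[0] = (rule_t){ "SECMARK", 1, rule_destroy };
    t.rules[1] = (rule_t){ "CONNSECMARK", 1, rule_destroy };
    return t;
}

/* Attempt to flush the security table with the given capability bits and
 * return the result of the replace; last_destroy_count() reports how many
 * old rules were cleaned up by that attempt. */
static int try_replace(unsigned caps)
{
    caller_t c = { caps };
    table_t cur = make_security_table();
    table_t next = { .name = "security", .requires_mac_admin = 1, .nrules = 0 };
    destroy_calls = 0;
    return replace_table(&c, &cur, &next);
}

static int last_destroy_count(void) { return destroy_calls; }

int main(void)
{
    int e1 = try_replace(CAP_NET_ADMIN_BIT);
    printf("CAP_NET_ADMIN only:        err=%d destroyed=%d\n", e1, last_destroy_count());
    int e2 = try_replace(CAP_NET_ADMIN_BIT | CAP_MAC_ADMIN_BIT);
    printf("with MAC admin as well:    err=%d destroyed=%d\n", e2, last_destroy_count());
    return 0;
}
```

The point the model makes visible: a caller holding only the ordinary network-administration bit is refused at the entry point and no destroy callback ever runs, while a caller holding the table's required bit swaps the image and only then sees the old rules' cleanup hooks fire. Whether the second bit is a separate capability or an LSM permission such as the "cap_mac_admin" or "load_policy" checks mentioned in the thread is a policy choice; the placement of the check is what this example is about.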
* Re: [PATCH 1/2] Security: Add iptables security table for mandatory access control rules
2008-05-21 22:44 ` James Morris
2008-05-22 12:15 ` Patrick McHardy
@ 2008-07-17 3:41 ` James Morris
2008-07-17 8:25 ` Patrick McHardy
1 sibling, 1 reply; 16+ messages in thread
From: James Morris @ 2008-07-17 3:41 UTC (permalink / raw)
To: Patrick McHardy
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
On Thu, 22 May 2008, James Morris wrote:
> On Wed, 21 May 2008, Patrick McHardy wrote:
>
> > Applied, thanks. I'll add the dependency myself in case you agree.
>
> Ok, I can't really see a use for the table without CONFIG_SECURITY, so
> please go ahead.
Patrick,
Do you intend to push this into 2.6.27?
(It would be appreciated).
- James
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 1/2] Security: Add iptables security table for mandatory access control rules
2008-07-17 3:41 ` James Morris
@ 2008-07-17 8:25 ` Patrick McHardy
0 siblings, 0 replies; 16+ messages in thread
From: Patrick McHardy @ 2008-07-17 8:25 UTC (permalink / raw)
To: James Morris
Cc: netfilter-devel, linux-security-module, Paul Moore,
Stephen Smalley
James Morris wrote:
> On Thu, 22 May 2008, James Morris wrote:
>
>> On Wed, 21 May 2008, Patrick McHardy wrote:
>>
>>> Applied, thanks. I'll add the dependency myself in case you agree.
>> Ok, I can't really see a use for the table without CONFIG_SECURITY, so
>> please go ahead.
>
> Patrick,
>
> Do you intend to push this into 2.6.27?
>
> (It would be appreciated).
It's currently in net-next-2.6.git, afaik Dave intends to send a
pull request this Sunday.