From: Roman Kubiak <r.kubiak@samsung.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: "Florian Westphal" <fw@strlen.de>,
	netfilter-devel@vger.kernel.org,
	"Rafał Krypa" <r.krypa@samsung.com>
Subject: [PATCH] libmnl: security context retrieval in nf-queue example
Date: Tue, 16 Jun 2015 14:25:13 +0200
Message-ID: <558015A9.8060703@samsung.com>
In-Reply-To: <20150612130240.GA29551@salvia>

This patch is an addition to "[PATCH v3] nfnetlink_queue: add security context information".
It adds an example to libmnl that illustrates how to fetch the security context.
A corresponding patch was sent for libnetfilter_queue already.

-- cut here

This patch modifies the example program for nf-queue
to demonstrate how to retrieve security context information
for queued packages. This can also be easily extended to
retrieve other information supported by this subsystem.

Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
---
 examples/netfilter/nf-queue.c | 43 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/examples/netfilter/nf-queue.c b/examples/netfilter/nf-queue.c
index 957e365..adafbed 100644
--- a/examples/netfilter/nf-queue.c
+++ b/examples/netfilter/nf-queue.c
@@ -21,7 +21,7 @@ static int parse_attr_cb(const struct nlattr *attr, void *data)
 		return MNL_CB_OK;
 
 	switch(type) {
-	case NFQA_MARK:
+	case NFQA_SECCTX:
 	case NFQA_IFINDEX_INDEV:
 	case NFQA_IFINDEX_OUTDEV:
 	case NFQA_IFINDEX_PHYSINDEV:
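Review bot: `case NFQA_MARK:` is replaced rather than supplemented by `case NFQA_SECCTX:`, so the mark attribute silently loses its validation, and NFQA_SECCTX (a variable-length string, read with mnl_attr_get_str() later in this patch) is dropped into the case group shared with the u32 ifindex attributes, whose validation does not fit a string. Keep `case NFQA_MARK:` and give the new attribute its own case, validated with `mnl_attr_validate(attr, MNL_TYPE_STRING)` (or MNL_TYPE_NUL_STRING if a terminated string is expected), returning MNL_CB_ERROR on failure as the other cases do.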
@@ -56,17 +56,25 @@ static int queue_cb(const struct nlmsghdr *nlh, void *data)
 {
 	struct nlattr *tb[NFQA_MAX+1] = {};
 	struct nfqnl_msg_packet_hdr *ph = NULL;
-	uint32_t id = 0;
+	uint32_t id = 0, seclen = 0;
+	const char *secctx = NULL;
 
 	mnl_attr_parse(nlh, sizeof(struct nfgenmsg), parse_attr_cb, tb);
 	if (tb[NFQA_PACKET_HDR]) {
 		ph = mnl_attr_get_payload(tb[NFQA_PACKET_HDR]);
 		id = ntohl(ph->packet_id);
 
-		printf("packet received (id=%u hw=0x%04x hook=%u)\n",
+		printf("packet received (id=%u hw=0x%04x hook=%u",
 		       id, ntohs(ph->hw_protocol), ph->hook);
 	}
 
+	if (tb[NFQA_SECCTX]) {
+		seclen = mnl_attr_get_payload_len(tb[NFQA_SECCTX]);
+		secctx = mnl_attr_get_str(tb[NFQA_SECCTX]);
+		printf(" secctx=%.*s", seclen, secctx);
+	}
+
+	printf(")\n");
 	return MNL_CB_OK + id;
 }
 
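Review bot: the precision argument of `%.*s` in `printf(" secctx=%.*s", seclen, secctx);` must be an `int`, but `seclen` is declared `uint32_t`; pass `(int)seclen` to avoid the format mismatch. Keeping the bounded `%.*s` rather than `%s` is the right choice here, because nothing in this patch validates the attribute as NUL-terminated. Separately, the closing `printf(")\n");` now runs unconditionally, so when NFQA_PACKET_HDR is absent the opening half of the line was never printed and the output is a bare `)`; either print the closing part inside the same condition or open the line unconditionally.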
@@ -112,6 +120,27 @@ nfq_build_cfg_request(char *buf, uint8_t command, int queue_num)
 }
 
 static struct nlmsghdr *
+nfq_build_cfg_flags(char *buf, uint32_t mask, uint32_t flags, int queue_num)
+{
+	struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
+	nlh->nlmsg_type	= (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG;
+	nlh->nlmsg_flags = NLM_F_REQUEST;
+
+	struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
+	nfg->nfgen_family = AF_UNSPEC;
+	nfg->version = NFNETLINK_V0;
+	nfg->res_id = htons(queue_num);
+
+	mask = htonl(mask);
+	flags = htonl(flags);
+
+	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, flags);
+	mnl_attr_put_u32(nlh, NFQA_CFG_MASK, mask);
+
+	return nlh;
+}
+
+static struct nlmsghdr *
 nfq_build_cfg_params(char *buf, uint8_t mode, int range, int queue_num)
 {
 	struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
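Review bot: nfq_build_cfg_flags() duplicates the nlmsghdr and nfgenmsg setup already done in nfq_build_cfg_request() and nfq_build_cfg_params() in this file; a small shared helper that builds the NFNL_SUBSYS_QUEUE / NFQNL_MSG_CONFIG header for a given queue number would keep the three functions in step. There is also a stray tab before `=` in `nlh->nlmsg_type	= (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG;`. The byte-order handling is correct: the kernel reads NFQA_CFG_FLAGS and NFQA_CFG_MASK as big-endian 32-bit values, so the htonl() on both before mnl_attr_put_u32() is required.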
@@ -209,6 +238,14 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
+	nlh = nfq_build_cfg_flags(buf, NFQA_CFG_F_SECCTX,
+					NFQA_CFG_F_SECCTX, queue_num);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		perror("mnl_socket_sendto");
+		exit(EXIT_FAILURE);
+	}
+
 	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
 	if (ret == -1) {
 		perror("mnl_socket_recvfrom");
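Review bot: the NFQA_CFG_F_SECCTX request is sent without NLM_F_ACK and its reply is never read, so on a kernel that does not know this flag (the queue subsystem rejects unknown NFQA_CFG_FLAGS bits with EOPNOTSUPP) the failure is silent and the example keeps running with no security context, which a reader will take for a bug elsewhere. Set NLM_F_ACK on the config-flags message, read the reply with mnl_socket_recvfrom() and pass it through mnl_cb_run() before entering the receive loop, and exit with a message if the kernel returned an error; that also makes the dependency on the kernel-side nfnetlink_queue patch mentioned in the cover letter explicit.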
-- 
2.0.1


On 06/12/2015 03:02 PM, Pablo Neira Ayuso wrote:
> On Fri, Jun 12, 2015 at 12:32:57PM +0200, Roman Kubiak wrote:
>> This way works and seems sensible (i tested it)
>>
>> a fixed patch below
>>
>> -- cut here
>>
>> This patch adds an additional attribute when sending
>> packet information via netlink in netfilter_queue module.
>> It will send additional security context data, so that
>> userspace applications can verify this context against
>> their own security databases.
> 
> Please, send the corresponding userspace updates for this. Thanks.

-- 
--------------
 Roman Kubiak
--------------
