From: Florian Westphal
Subject: Re: [PATCH v3] nfnetlink_queue: add security context information
Date: Wed, 10 Jun 2015 18:05:41 +0200
Message-ID: <20150610160541.GD7125@breakpoint.cc>
References: <5562F661.5000503@samsung.com> <20150525131319.GA3529@salvia> <55634935.4020100@samsung.com> <20150525205210.GG3629@breakpoint.cc> <55646731.9040803@samsung.com> <20150526130623.GD7817@breakpoint.cc> <5565A4D2.70701@samsung.com> <5565A6AA.90908@samsung.com> <20150527124957.GA19819@salvia> <557855B2.8030803@samsung.com>
In-Reply-To: <557855B2.8030803@samsung.com>
To: Roman Kubiak
Cc: Pablo Neira Ayuso, Florian Westphal, netfilter-devel@vger.kernel.org, Rafał Krypa

Roman Kubiak wrote:
> diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
> index 8dd819e..b67a853 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_queue.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
> @@ -49,6 +49,7 @@ enum nfqnl_attr_type {
> NFQA_EXP, /* nf_conntrack_netlink.h */
> NFQA_UID, /* __u32 sk uid */
> NFQA_GID, /* __u32 sk gid */
> + NFQA_SECCTX, /* security context string */
>
> __NFQA_MAX
> };
> @@ -102,7 +103,8 @@ enum nfqnl_attr_config {
> #define NFQA_CFG_F_CONNTRACK (1 << 1)
> #define NFQA_CFG_F_GSO (1 << 2)
> #define NFQA_CFG_F_UID_GID (1 << 3)
> -#define NFQA_CFG_F_MAX (1 << 4)
> +#define NFQA_CFG_F_SECCTX (1 << 4)
> +#define NFQA_CFG_F_MAX (1 << 5)
>
> /* flags for NFQA_SKB_INFO */
> /* packet appears to have wrong checksums, but they are ok */
> diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
> index 0b98c74..2c35112 100644
> --- a/net/netfilter/nfnetlink_queue_core.c
> +++ b/net/netfilter/nfnetlink_queue_core.c
> @@ -278,6 +278,24 @@ nla_put_failure:
> return -1;
> }
>
> +static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
> +{
> + u32 seclen = 0;

place #if IS_ENABLED(CONFIG_NETWORK_SECMARK) here?

I also think it makes sense to reject the NFQA_CFG_F_SECCTX config flag in nfqnl_recv_config() when IS_ENABLED(CONFIG_NETWORK_SECMARK) is not set; I'd suggest returning EOPNOTSUPP in that case.
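Review bot: in the nfqnl_attr_type hunk, the new `NFQA_SECCTX, /* security context string */` entry documents less than its neighbours (`NFQA_UID, /* __u32 sk uid */` names the wire type); the uapi comment should state whether the string is NUL-terminated or whether userspace must take its length from the attribute length, since that decides how a consumer may safely copy it.

Review bot: in the nfqnl_attr_config hunk, raising `NFQA_CFG_F_MAX` from `(1 << 4)` to `(1 << 5)` makes `NFQA_CFG_F_SECCTX` an accepted bit on every build; the config handler needs an explicit rejection (EOPNOTSUPP, as the reply above suggests) on builds that cannot produce the attribute, otherwise a queue opened with the flag silently receives packets that carry no NFQA_SECCTX.

Review bot: the nfnetlink_queue_core.c hunk is cut off after `u32 seclen = 0;`, so neither the body of `nfqnl_get_sk_secctx()` nor its caller is reviewable here; the full patch should show who releases the buffer handed back through `char **secdata` on the nla_put_failure path, and the compile guard the reply asks about should wrap the definition and the call site together so a build without secmark support still links.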
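The flag check the reply asks for, as an added userspace model that is not part of the patch or of the kernel: the flag values are copied from the quoted nfnetlink_queue.h hunk, while the function name `nfqnl_check_cfg_flags()` and its runtime `secmark_enabled` argument are assumptions that stand in for the compile-time `IS_ENABLED(CONFIG_NETWORK_SECMARK)` test the kernel would use. The point it shows is that both unknown bits and a known-but-unbuildable bit must be refused, not silently ignored.

```c
/* Added example, not from the patch or the kernel: a userspace model of
 * the config-flag validation suggested in the reply.  Flag values are
 * those of the quoted uapi hunk; nfqnl_check_cfg_flags() and the
 * secmark_enabled parameter are assumptions made for this example. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the quoted nfnetlink_queue.h hunk. */
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO       (1 << 2)
#define NFQA_CFG_F_UID_GID   (1 << 3)
#define NFQA_CFG_F_SECCTX    (1 << 4)
#define NFQA_CFG_F_MAX       (1 << 5)

/* Returns 0 when `flags` can be honoured, -EOPNOTSUPP otherwise.
 *  - any bit at or above NFQA_CFG_F_MAX is unknown to this build;
 *  - NFQA_CFG_F_SECCTX is only honoured when secmark support is built in
 *    (in-kernel this would be IS_ENABLED(CONFIG_NETWORK_SECMARK)), so a
 *    build without it must refuse the flag rather than deliver packets
 *    that lack the NFQA_SECCTX attribute the requester expects. */
int nfqnl_check_cfg_flags(uint32_t flags, bool secmark_enabled)
{
    if (flags >= NFQA_CFG_F_MAX)
        return -EOPNOTSUPP;
    if ((flags & NFQA_CFG_F_SECCTX) && !secmark_enabled)
        return -EOPNOTSUPP;
    return 0;
}

int main(void)
{
    /* Constructed requests a userspace queue binder might send. */
    struct { uint32_t flags; bool secmark; const char *what; } reqs[] = {
        { NFQA_CFG_F_UID_GID,                  false, "uid/gid only" },
        { NFQA_CFG_F_SECCTX,                   false, "secctx, secmark off" },
        { NFQA_CFG_F_SECCTX | NFQA_CFG_F_GSO,  true,  "secctx+gso, secmark on" },
        { NFQA_CFG_F_MAX,                      true,  "unknown bit" },
    };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        int rc = nfqnl_check_cfg_flags(reqs[i].flags, reqs[i].secmark);
        printf("%-24s flags=0x%02x -> %s\n", reqs[i].what, reqs[i].flags,
               rc == 0 ? "accepted" : "EOPNOTSUPP");
    }
    return 0;
}
```

The `flags >= NFQA_CFG_F_MAX` comparison rejects every bit the build does not know about in one step, which is why the uapi constant is defined as the next free bit rather than a mask; the separate secctx test is needed because that bit is known to the header but may still be unsupported by the running kernel.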