* [PATCH 1/2] iptables (userspace): add secmark match
@ 2013-03-05 12:48 Mr Dash Four
2013-03-19 23:32 ` Pablo Neira Ayuso
From: Mr Dash Four @ 2013-03-05 12:48 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Eric Paris, Netfilter Core Team, Fedora SELinux Users
This patch is part of the userspace changes needed for the "secmark" match
in iptables.
Signed-off-by: Mr Dash Four <mr.dash.four@googlemail.com>
---
extensions/libxt_secmark.c | 100 ++++++++++++++++++++++++++++++++++
extensions/libxt_secmark.man | 22 ++++++++
include/linux/netfilter/xt_secmark.h | 24 ++++++++
3 files changed, 146 insertions(+)
create mode 100644 extensions/libxt_secmark.c
create mode 100644 extensions/libxt_secmark.man
create mode 100644 include/linux/netfilter/xt_secmark.h
diff --git a/extensions/libxt_secmark.c b/extensions/libxt_secmark.c
new file mode 100644
index 0000000..92ecc6b
--- /dev/null
+++ b/extensions/libxt_secmark.c
@@ -0,0 +1,100 @@
+/*
+ * Shared library add-on to iptables to add secmark match support.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 (or
+ * any later at your option) as published by the Free Software Foundation.
+ */
+#include <stdbool.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <getopt.h>
+#include <xtables.h>
+
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_secmark.h>
+
+#define PFX "secmark match: "
+
+enum {
+ O_SELCTX = 0,
+};
+
+#define s struct xt_secmark_match_info
+static const struct xt_option_entry secmark_opts[] = {
+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND|XTOPT_PUT, XTOPT_POINTER(s, secctx)},
+ XTOPT_TABLEEND,
+};
+#undef s
+
+static void secmark_help(void)
+{
+ printf("secmark match options:\n"
+ " --selctx STRING SELinux security context\n");
+}
+
+static void secmark_parse(struct xt_option_call *cb)
+{
+ struct xt_secmark_match_info *info = cb->data;
+
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_SELCTX:
+ if (strchr(cb->arg, '\n') != NULL)
+ xtables_error(PARAMETER_PROBLEM, PFX
+ "new lines not allowed in --selctx");
+ info->mode = SECMARK_MODE_SEL;
+ break;
+ }
+}
+
+static void
+secmark_print_selctx(const struct xt_secmark_match_info *info, char *str)
+{
+ switch (info->mode) {
+ case SECMARK_MODE_SEL:
+ printf(" %sselctx %s", str, info->secctx);
+ break;
+
+ default:
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ }
+}
+
+static void secmark_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ const struct xt_secmark_match_info *info =
+ (struct xt_secmark_match_info *)match->data;
+
+ secmark_print_selctx(info, "");
+}
+
+static void secmark_save(const void *ip, const struct xt_entry_match *match)
+{
+ const struct xt_secmark_match_info *info =
+ (struct xt_secmark_match_info *)match->data;
+
+ secmark_print_selctx(info, "--");
+}
+
+static struct xtables_match secmark_match = {
+ .family = NFPROTO_UNSPEC,
+ .name = "secmark",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_secmark_match_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_match_info)),
+ .help = secmark_help,
+ .print = secmark_print,
+ .save = secmark_save,
+ .x6_parse = secmark_parse,
+ .x6_options = secmark_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&secmark_match);
+}
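Review bot: secmark_parse only rejects a newline in `--selctx`; it never bounds the argument against the 256-byte `secctx` field, and as far as I recall xtopt_parse_string with XTOPT_PUT silently truncates to `entry->size - 1` instead of failing, so an overlong context would be installed as a different, truncated string with no error. In the `O_SELCTX` case add `if (strlen(cb->arg) >= SECMARK_SECCTX_MAX) xtables_error(PARAMETER_PROBLEM, PFX "--selctx too long (max %u chars)", SECMARK_SECCTX_MAX - 1);` (or set `.max = SECMARK_SECCTX_MAX - 1` on the option entry if the libxtables in use honours it for XTTYPE_STRING). Separately, `.userspacesize` equals `.size`, so if the kernel match resolves `secctx` to a secid and writes it into the info struct at checkentry time, the way the SECMARK target does, a rule fetched back from the kernel will not compare equal to one built from the same specification and `-D`/`-C` by rule spec will fail; since the header is new in this same series, placing `secid` last and using `offsetof(struct xt_secmark_match_info, secid)` as `userspacesize` would avoid that. Finally, the `(struct xt_secmark_match_info *)` casts in secmark_print and secmark_save discard the const of `match` needlessly; `const struct xt_secmark_match_info *info = (const void *)match->data;` keeps it.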
diff --git a/extensions/libxt_secmark.man b/extensions/libxt_secmark.man
new file mode 100644
index 0000000..b38e32c
--- /dev/null
+++ b/extensions/libxt_secmark.man
@@ -0,0 +1,22 @@
+The secmark match is used to match the security mark value
+associated with a packet.
+.PP
+Only one option is available with this match which needs
+to be specified:
+.TP
+\fB\-\-selctx\fP \fIselctx\fP
+This option selects the SELinux security context (\fBselctx\fP) to
+be used for packet matching. This security context needs to have already
+been assigned to a packet by using the \fBSECMARK\fP target.
+.PP
+For this extension to be used, the appropriate SELinux support needs
+to be installed and present in the Linux kernel.
+.PP
+Examples:
+.IP
+iptables \-I INPUT \-p icmp \-\-icmp-type 3 \-m secmark \-\-selctx
+system_u:object_r:dns_packet_t:s0 \-j ACCEPT
+.IP
+iptables \-I OUTPUT \-m secmark \-\-selctx
+system_u:object_r:ssh_packet_t:s0 \-j DROP
+
diff --git a/include/linux/netfilter/xt_secmark.h b/include/linux/netfilter/xt_secmark.h
new file mode 100644
index 0000000..c74a35d
--- /dev/null
+++ b/include/linux/netfilter/xt_secmark.h
@@ -0,0 +1,24 @@
+#ifndef _XT_SECMARK_MATCH_H
+#define _XT_SECMARK_MATCH_H
+
+#include <linux/types.h>
+
+/*
+ * Header file for iptables xt_secmark match
+ *
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL 0x01 /* SELinux */
+#define SECMARK_SECCTX_MAX 256
+
+struct xt_secmark_match_info {
+ __u8 mode;
+ __u32 secid;
+ char secctx[SECMARK_SECCTX_MAX];
+};
+
+#endif /* _XT_SECMARK_MATCH_H */
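Review bot: `SECMARK_MODE_SEL` and `SECMARK_SECCTX_MAX` are, as far as I recall, already defined with the same values by the kernel's SECMARK target header (`linux/netfilter/xt_SECMARK.h`); identical redefinitions compile, but any later divergence between the two copies breaks every translation unit that includes both, so either include that header instead of redefining or mark the two `#define`s with `/* must stay in sync with xt_SECMARK.h */`. The comment block documents `mode` but says nothing about `secid`, which the userspace code in this series never sets; if it is meant to be filled by the kernel from `secctx`, say so, e.g. `__u32 secid; /* set by the kernel at checkentry time; userspace leaves it 0 */`, since that also determines what `userspacesize` in the .c side may safely cover.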
* Re: [PATCH 1/2] iptables (userspace): add secmark match
2013-03-05 12:48 [PATCH 1/2] iptables (userspace): add secmark match Mr Dash Four
@ 2013-03-19 23:32 ` Pablo Neira Ayuso
2013-03-22 18:43 ` Mr Dash Four
From: Pablo Neira Ayuso @ 2013-03-19 23:32 UTC (permalink / raw)
To: Mr Dash Four; +Cc: Eric Paris, Netfilter Core Team, Fedora SELinux Users
On Tue, Mar 05, 2013 at 12:48:47PM +0000, Mr Dash Four wrote:
> This patch is part of the userspace changes needed for the "secmark" match
> in iptables.
SELinux already provides the framework to define your network policy
based on the secmark. I don't see why we need this in iptables.
* Re: [PATCH 1/2] iptables (userspace): add secmark match
2013-03-19 23:32 ` Pablo Neira Ayuso
@ 2013-03-22 18:43 ` Mr Dash Four
2013-04-08 2:32 ` Mr Dash Four
From: Mr Dash Four @ 2013-03-22 18:43 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Eric Paris, Netfilter Core Team, Fedora SELinux Users
Pablo Neira Ayuso wrote:
> On Tue, Mar 05, 2013 at 12:48:47PM +0000, Mr Dash Four wrote:
>
>> This patch is part of the userspace changes needed for the "secmark" match
>> in iptables.
>>
>
> SELinux already provides the framework to define your network policy
> based on the secmark. I don't see why we need this in iptables.
>
I am not sure what to make of your response above Pablo. The purpose of
the patch isn't to replace what SELinux already provides, but to make
full use of that security framework. Are you questioning the purpose or
usefulness of the patch in general? Elaborate please.
* Re: [PATCH 1/2] iptables (userspace): add secmark match
2013-03-22 18:43 ` Mr Dash Four
@ 2013-04-08 2:32 ` Mr Dash Four
2013-04-12 13:54 ` Mr Dash Four
From: Mr Dash Four @ 2013-04-08 2:32 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Eric Paris, Netfilter Core Team, Fedora SELinux Users
Mr Dash Four wrote:
>
>
> Pablo Neira Ayuso wrote:
>> On Tue, Mar 05, 2013 at 12:48:47PM +0000, Mr Dash Four wrote:
>>
>>> This patch is part of the userspace changes needed for the "secmark"
>>> match
>>> in iptables.
>>>
>>
>> SELinux already provides the framework to define your network policy
>> based on the secmark. I don't see why we need this in iptables.
>>
> I am not sure what to make of your response above Pablo. The purpose
> of the patch isn't to replace what SELinux already provides, but to
> make full use of that security framework. Are you questioning the
> purpose or usefulness of the patch in general? Elaborate please.
So?
* Re: [PATCH 1/2] iptables (userspace): add secmark match
2013-04-08 2:32 ` Mr Dash Four
@ 2013-04-12 13:54 ` Mr Dash Four
From: Mr Dash Four @ 2013-04-12 13:54 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Eric Paris, Netfilter Core Team, Fedora SELinux Users
Mr Dash Four wrote:
>
>
> Mr Dash Four wrote:
>>
>>
>> Pablo Neira Ayuso wrote:
>>> On Tue, Mar 05, 2013 at 12:48:47PM +0000, Mr Dash Four wrote:
>>>
>>>> This patch is part of the userspace changes needed for the
>>>> "secmark" match
>>>> in iptables.
>>>>
>>>
>>> SELinux already provides the framework to define your network policy
>>> based on the secmark. I don't see why we need this in iptables.
>>>
>> I am not sure what to make of your response above Pablo. The purpose
>> of the patch isn't to replace what SELinux already provides, but to
>> make full use of that security framework. Are you questioning the
>> purpose or usefulness of the patch in general? Elaborate please.
> So?
Pablo, do you intend to address this or not?