  1 /*
  2  * "security" table
  3  *
 * This is for use by Mandatory Access Control (MAC) security models,
 * which need to be able to manage security policy in a context that is
 * separate from DAC (discretionary access control).
  7  *
  8  * Based on iptable_mangle.c
  9  *
 10  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 11  * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
 12  * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
 13  *
 14  * This program is free software; you can redistribute it and/or modify
 15  * it under the terms of the GNU General Public License version 2 as
 16  * published by the Free Software Foundation.
 17  */
 18 #include <linux/module.h>
 19 #include <linux/netfilter_ipv4/ip_tables.h>
 20 #include <net/ip.h>
 21 
/* Module metadata; the GPL tag is what permits use of GPL-only kernel symbols. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
MODULE_DESCRIPTION("iptables security table, for MAC rules");
 25 
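/*
 * Bitmask of the netfilter hooks at which the "security" table is
 * consulted: LOCAL_IN, FORWARD and LOCAL_OUT -- the same three hooks
 * that ipt_ops registers further down.
 *
 * The whole expansion is parenthesised: the original definition was a
 * bare `a | b | c', which silently mis-evaluates when the macro is used
 * inside a larger expression (`SECURITY_VALID_HOOKS & mask' would bind
 * `&' to the last term only).  It is currently only used as an
 * initializer, but a validity-mask macro must be safe to test against.
 */
#define SECURITY_VALID_HOOKS	((1 << NF_INET_LOCAL_IN) | \
				 (1 << NF_INET_FORWARD) | \
				 (1 << NF_INET_LOCAL_OUT))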
 29 
/*
 * Boot-time contents of the "security" table: one standard rule per
 * valid hook plus the mandatory ERROR terminator.  Only &initial_table.repl
 * is handed to ipt_register_table() (see iptable_security_net_init), which
 * presumably reads the rule blob that follows it in memory -- so the member
 * order repl / entries / term must not be changed.
 *
 * NOTE(review): __net_initdata -- presumably init-only data when
 * CONFIG_NET_NS is disabled; confirm nothing references it after init
 * in that configuration.
 */
static struct
{
	struct ipt_replace repl;
	struct ipt_standard entries[3];
	struct ipt_error term;
} initial_table __net_initdata = {
	.repl = {
		/* NOTE(review): same string as security_table.name below;
		 * confirm whether ipt_register_table() requires them to agree. */
		.name = "security",
		.valid_hooks = SECURITY_VALID_HOOKS,
		/* three standard rules + the ERROR terminator */
		.num_entries = 4,
		/* byte size of entries[] plus term */
		.size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
		/* byte offset of the first rule of each hook's chain:
		 * entries[0], entries[1], entries[2] respectively */
		.hook_entry = {
			[NF_INET_LOCAL_IN]	= 0,
			[NF_INET_FORWARD]	= sizeof(struct ipt_standard),
			[NF_INET_LOCAL_OUT]	= sizeof(struct ipt_standard) * 2,
		},
		/* byte offset of each chain's last (policy) rule; identical to
		 * hook_entry because every chain holds exactly one rule here */
		.underflow = {
			[NF_INET_LOCAL_IN]	= 0,
			[NF_INET_FORWARD]	= sizeof(struct ipt_standard),
			[NF_INET_LOCAL_OUT]	= sizeof(struct ipt_standard) * 2,
		},
	},
	/*
	 * Default policy is ACCEPT at every hook: with no rules loaded the
	 * security table permits all traffic.  Any MAC restriction has to
	 * be installed by userspace (iptables -t security ...).
	 */
	.entries = {
		IPT_STANDARD_INIT(NF_ACCEPT),	/* LOCAL_IN */
		IPT_STANDARD_INIT(NF_ACCEPT),	/* FORWARD */
		IPT_STANDARD_INIT(NF_ACCEPT),	/* LOCAL_OUT */
	},
	.term = IPT_ERROR_INIT,			/* ERROR */
};
 59 
/*
 * Table descriptor registered with xtables for AF_INET.  The per-netns
 * instance created from it is stored in net->ipv4.iptable_security by
 * iptable_security_net_init() and is what the hooks below walk.
 * valid_hooks must cover every hook in ipt_ops, otherwise rules could be
 * attached to a hook the table is never consulted from.
 */
static struct xt_table security_table = {
	.name		= "security",
	.valid_hooks	= SECURITY_VALID_HOOKS,
	.me		= THIS_MODULE,
	.af		= AF_INET,
};
 66 
static unsigned int
ipt_local_in_hook(unsigned int hook,
		  struct sk_buff *skb,
		  const struct net_device *in,
		  const struct net_device *out,
		  int (*okfn)(struct sk_buff *))
{
	/*
	 * LOCAL_IN: run the packet through the "security" table of the
	 * network namespace looked up from the input device via dev_net().
	 * okfn is unused; the ipt_do_table() verdict is returned as-is.
	 */
	struct xt_table *table = dev_net(in)->ipv4.iptable_security;

	return ipt_do_table(skb, hook, in, out, table);
}
 77 
static unsigned int
ipt_forward_hook(unsigned int hook,
		 struct sk_buff *skb,
		 const struct net_device *in,
		 const struct net_device *out,
		 int (*okfn)(struct sk_buff *))
{
	/*
	 * FORWARD: like LOCAL_IN, the table is selected from the namespace
	 * of the input device (dev_net(in)).  okfn is unused; the verdict
	 * from ipt_do_table() is handed straight back to the netfilter core.
	 */
	struct xt_table *table = dev_net(in)->ipv4.iptable_security;

	return ipt_do_table(skb, hook, in, out, table);
}
 88 
static unsigned int
ipt_local_out_hook(unsigned int hook,
		   struct sk_buff *skb,
		   const struct net_device *in,
		   const struct net_device *out,
		   int (*okfn)(struct sk_buff *))
{
	/*
	 * LOCAL_OUT: the namespace is taken from the output device here
	 * (dev_net(out)) rather than the input device used by the other
	 * two hooks.
	 *
	 * Packets whose IP header is truncated or whose header length field
	 * is smaller than a minimal IP header are *accepted without
	 * consulting the table*.  The original comment attributes these to
	 * raw sockets (presumably IP_HDRINCL senders).  Security caveat: such
	 * a packet therefore bypasses MAC policy on this hook instead of
	 * being dropped; whether later layers discard it is not decided here.
	 */
	struct xt_table *table;

	if (skb->len < sizeof(struct iphdr))
		return NF_ACCEPT;
	if (ip_hdrlen(skb) < sizeof(struct iphdr))
		return NF_ACCEPT;

	table = dev_net(out)->ipv4.iptable_security;
	return ipt_do_table(skb, hook, in, out, table);
}
103 
/*
 * Netfilter hook registrations: one entry per hook in SECURITY_VALID_HOOKS,
 * every one at priority NF_IP_PRI_SECURITY.  The hooks are registered
 * once, globally, by iptable_security_init() (not per-net); each hook
 * function resolves the namespace's table through dev_net() at run time.
 *
 * NOTE(review): where NF_IP_PRI_SECURITY places this table relative to
 * the filter/mangle/nat tables is defined by the NF_IP_PRI_* enum in
 * the netfilter headers, not here -- confirm the intended ordering,
 * since it determines whether DAC (filter) rules run before MAC rules.
 */
static struct nf_hook_ops ipt_ops[] __read_mostly = {
	{
		.hook		= ipt_local_in_hook,
		.owner		= THIS_MODULE,
		.pf		= PF_INET,
		.hooknum	= NF_INET_LOCAL_IN,
		.priority	= NF_IP_PRI_SECURITY,
	},
	{
		.hook		= ipt_forward_hook,
		.owner		= THIS_MODULE,
		.pf		= PF_INET,
		.hooknum	= NF_INET_FORWARD,
		.priority	= NF_IP_PRI_SECURITY,
	},
	{
		/* uses dev_net(out); the other two use dev_net(in) */
		.hook		= ipt_local_out_hook,
		.owner		= THIS_MODULE,
		.pf		= PF_INET,
		.hooknum	= NF_INET_LOCAL_OUT,
		.priority	= NF_IP_PRI_SECURITY,
	},
};
127 
static int __net_init iptable_security_net_init(struct net *net)
{
	/*
	 * Create this network namespace's instance of the "security" table
	 * from the boot-time initial_table.  The pointer returned by
	 * ipt_register_table() is stored unconditionally -- on failure that
	 * is an ERR_PTR-encoded value, and the decoded error is returned to
	 * the pernet core.  Returns 0 on success.
	 */
	struct xt_table *table;

	table = ipt_register_table(net, &security_table, &initial_table.repl);
	net->ipv4.iptable_security = table;

	return IS_ERR(table) ? PTR_ERR(table) : 0;
}
138 
static void __net_exit iptable_security_net_exit(struct net *net)
{
	/* Tear down this namespace's instance of the "security" table. */
	struct xt_table *table = net->ipv4.iptable_security;

	ipt_unregister_table(table);
}
143 
/* Per-network-namespace lifecycle: one "security" table instance per netns. */
static struct pernet_operations iptable_security_net_ops = {
	.init = iptable_security_net_init,
	.exit = iptable_security_net_exit,
};
148 
static int __init iptable_security_init(void)
{
	/*
	 * Module entry point.  The per-net tables are registered first so
	 * that every existing namespace has a table before the global hooks
	 * can deliver a packet to ipt_do_table(); if hook registration fails
	 * the pernet registration is rolled back.  Returns 0 on success or
	 * the negative error from whichever registration failed.
	 */
	int ret = register_pernet_subsys(&iptable_security_net_ops);

	if (ret < 0)
		return ret;

	ret = nf_register_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));
	if (ret < 0)
		unregister_pernet_subsys(&iptable_security_net_ops);

	return ret;
}
167 
static void __exit iptable_security_fini(void)
{
	/*
	 * Module exit: undo iptable_security_init() in reverse order --
	 * hooks go first so no packet can reach a table that is being
	 * unregistered.
	 */
	nf_unregister_hooks(ipt_ops, ARRAY_SIZE(ipt_ops));

	unregister_pernet_subsys(&iptable_security_net_ops);
}
173 
/* Module entry/exit: init registers per-net tables then hooks; fini reverses that. */
module_init(iptable_security_init);
module_exit(iptable_security_fini);
176 