178 lines
5.3 KiB
Diff
178 lines
5.3 KiB
Diff
|
From 6415593af4223ea082e0086ec1088f0eacfbce78 Mon Sep 17 00:00:00 2001
|
||
|
From: Phil Sutter <phil@nwl.cc>
|
||
|
Date: Thu, 29 Apr 2021 15:28:59 +0200
|
||
|
Subject: [PATCH] extensions: SECMARK: Implement revision 1
|
||
|
|
||
|
The changed data structure for communication with kernel allows to
|
||
|
exclude the field 'secid' which is populated on kernel side. Thus
|
||
|
this fixes the formerly always failing extension comparison breaking
|
||
|
rule check and rule delete by content.
|
||
|
|
||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||
|
(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
|
||
|
---
|
||
|
extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
|
||
|
extensions/libxt_SECMARK.t | 4 ++
|
||
|
include/linux/netfilter/xt_SECMARK.h | 6 ++
|
||
|
3 files changed, 80 insertions(+), 20 deletions(-)
|
||
|
create mode 100644 extensions/libxt_SECMARK.t
|
||
|
|
||
|
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
|
||
|
index 6ba8606355daa..24249bd618ffe 100644
|
||
|
--- a/extensions/libxt_SECMARK.c
|
||
|
+++ b/extensions/libxt_SECMARK.c
|
||
|
@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
|
||
|
XTOPT_TABLEEND,
|
||
|
};
|
||
|
|
||
|
+static const struct xt_option_entry SECMARK_opts_v1[] = {
|
||
|
+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
|
||
|
+ .flags = XTOPT_MAND | XTOPT_PUT,
|
||
|
+ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
|
||
|
+ XTOPT_TABLEEND,
|
||
|
+};
|
||
|
+
|
||
|
static void SECMARK_parse(struct xt_option_call *cb)
|
||
|
{
|
||
|
struct xt_secmark_target_info *info = cb->data;
|
||
|
@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
|
||
|
info->mode = SECMARK_MODE_SEL;
|
||
|
}
|
||
|
|
||
|
-static void print_secmark(const struct xt_secmark_target_info *info)
|
||
|
+static void SECMARK_parse_v1(struct xt_option_call *cb)
|
||
|
+{
|
||
|
+ struct xt_secmark_target_info_v1 *info = cb->data;
|
||
|
+
|
||
|
+ xtables_option_parse(cb);
|
||
|
+ info->mode = SECMARK_MODE_SEL;
|
||
|
+}
|
||
|
+
|
||
|
+static void print_secmark(__u8 mode, const char *secctx)
|
||
|
{
|
||
|
- switch (info->mode) {
|
||
|
+ switch (mode) {
|
||
|
case SECMARK_MODE_SEL:
|
||
|
- printf("selctx %s", info->secctx);
|
||
|
+ printf("selctx %s", secctx);
|
||
|
break;
|
||
|
-
|
||
|
+
|
||
|
default:
|
||
|
- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
|
||
|
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
|
||
|
(struct xt_secmark_target_info*)(target)->data;
|
||
|
|
||
|
printf(" SECMARK ");
|
||
|
- print_secmark(info);
|
||
|
+ print_secmark(info->mode, info->secctx);
|
||
|
+}
|
||
|
+
|
||
|
+static void SECMARK_print_v1(const void *ip,
|
||
|
+ const struct xt_entry_target *target, int numeric)
|
||
|
+{
|
||
|
+ const struct xt_secmark_target_info_v1 *info =
|
||
|
+ (struct xt_secmark_target_info_v1 *)(target)->data;
|
||
|
+
|
||
|
+ printf(" SECMARK ");
|
||
|
+ print_secmark(info->mode, info->secctx);
|
||
|
}
|
||
|
|
||
|
static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
|
||
|
@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
|
||
|
(struct xt_secmark_target_info*)target->data;
|
||
|
|
||
|
printf(" --");
|
||
|
- print_secmark(info);
|
||
|
+ print_secmark(info->mode, info->secctx);
|
||
|
}
|
||
|
|
||
|
-static struct xtables_target secmark_target = {
|
||
|
- .family = NFPROTO_UNSPEC,
|
||
|
- .name = "SECMARK",
|
||
|
- .version = XTABLES_VERSION,
|
||
|
- .revision = 0,
|
||
|
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||
|
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||
|
- .help = SECMARK_help,
|
||
|
- .print = SECMARK_print,
|
||
|
- .save = SECMARK_save,
|
||
|
- .x6_parse = SECMARK_parse,
|
||
|
- .x6_options = SECMARK_opts,
|
||
|
+static void SECMARK_save_v1(const void *ip,
|
||
|
+ const struct xt_entry_target *target)
|
||
|
+{
|
||
|
+ const struct xt_secmark_target_info_v1 *info =
|
||
|
+ (struct xt_secmark_target_info_v1 *)target->data;
|
||
|
+
|
||
|
+ printf(" --");
|
||
|
+ print_secmark(info->mode, info->secctx);
|
||
|
+}
|
||
|
+
|
||
|
+static struct xtables_target secmark_tg_reg[] = {
|
||
|
+ {
|
||
|
+ .family = NFPROTO_UNSPEC,
|
||
|
+ .name = "SECMARK",
|
||
|
+ .version = XTABLES_VERSION,
|
||
|
+ .revision = 0,
|
||
|
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||
|
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||
|
+ .help = SECMARK_help,
|
||
|
+ .print = SECMARK_print,
|
||
|
+ .save = SECMARK_save,
|
||
|
+ .x6_parse = SECMARK_parse,
|
||
|
+ .x6_options = SECMARK_opts,
|
||
|
+ },
|
||
|
+ {
|
||
|
+ .family = NFPROTO_UNSPEC,
|
||
|
+ .name = "SECMARK",
|
||
|
+ .version = XTABLES_VERSION,
|
||
|
+ .revision = 1,
|
||
|
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
|
||
|
+ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
|
||
|
+ .help = SECMARK_help,
|
||
|
+ .print = SECMARK_print_v1,
|
||
|
+ .save = SECMARK_save_v1,
|
||
|
+ .x6_parse = SECMARK_parse_v1,
|
||
|
+ .x6_options = SECMARK_opts_v1,
|
||
|
+ }
|
||
|
};
|
||
|
|
||
|
void _init(void)
|
||
|
{
|
||
|
- xtables_register_target(&secmark_target);
|
||
|
+ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
|
||
|
}
|
||
|
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
|
||
|
new file mode 100644
|
||
|
index 0000000000000..39d4c09348bf4
|
||
|
--- /dev/null
|
||
|
+++ b/extensions/libxt_SECMARK.t
|
||
|
@@ -0,0 +1,4 @@
|
||
|
+:INPUT,FORWARD,OUTPUT
|
||
|
+*security
|
||
|
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
|
||
|
+-j SECMARK;;FAIL
|
||
|
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
|
||
|
index 989092bd6274b..31760a286a854 100644
|
||
|
--- a/include/linux/netfilter/xt_SECMARK.h
|
||
|
+++ b/include/linux/netfilter/xt_SECMARK.h
|
||
|
@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
|
||
|
char secctx[SECMARK_SECCTX_MAX];
|
||
|
};
|
||
|
|
||
|
+struct xt_secmark_target_info_v1 {
|
||
|
+ __u8 mode;
|
||
|
+ char secctx[SECMARK_SECCTX_MAX];
|
||
|
+ __u32 secid;
|
||
|
+};
|
||
|
+
|
||
|
#endif /*_XT_SECMARK_H_target */
|
||
|
--
|
||
|
2.34.1
|
||
|
|