From 3bd3af273ccfa550ed50ad19d4bcd04a29b88f5b Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 29 Apr 2021 15:28:59 +0200
Subject: [PATCH] extensions: SECMARK: Implement revision 1
The changed data structure for communication with the kernel allows one to
exclude the field 'secid' which is populated on kernel side. Thus
this fixes the formerly always failing extension comparison breaking
rule check and rule delete by content.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
---
extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
extensions/libxt_SECMARK.t | 4 ++
include/linux/netfilter/xt_SECMARK.h | 6 ++
3 files changed, 80 insertions(+), 20 deletions(-)
create mode 100644 extensions/libxt_SECMARK.t
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
|
|
|
926f74 |
index 6ba8606355daa..24249bd618ffe 100644
|
|
|
926f74 |
--- a/extensions/libxt_SECMARK.c
|
|
|
926f74 |
+++ b/extensions/libxt_SECMARK.c
|
|
|
926f74 |
@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
|
|
|
926f74 |
XTOPT_TABLEEND,
|
|
|
926f74 |
};
|
|
|
926f74 |
|
|
|
926f74 |
+static const struct xt_option_entry SECMARK_opts_v1[] = {
|
|
|
926f74 |
+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
|
|
|
926f74 |
+ .flags = XTOPT_MAND | XTOPT_PUT,
|
|
|
926f74 |
+ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
|
|
|
926f74 |
+ XTOPT_TABLEEND,
|
|
|
926f74 |
+};
|
|
|
926f74 |
+
|
|
|
926f74 |
static void SECMARK_parse(struct xt_option_call *cb)
|
|
|
926f74 |
{
|
|
|
926f74 |
struct xt_secmark_target_info *info = cb->data;
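Review bot: The new `SECMARK_opts_v1` entry bounds `--selctx` only through the size `XTOPT_POINTER` derives from the `secctx` array, and if I recall libxtables' XTTYPE_STRING handling correctly an argument longer than that array is then silently truncated rather than rejected. A silently shortened security context is at best a confusing error from the kernel and at worst a rule installed with a label other than the one the administrator typed, so adding `.max = SECMARK_SECCTX_MAX - 1,` to the entry would make the parser refuse it up front; the revision 0 table above the hunk has the same shape and would benefit in the same way. The options table is complete within the hunk; `SECMARK_parse` starts at the hunk's last lines and continues outside it.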
|
|
|
926f74 |
@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
|
|
|
926f74 |
info->mode = SECMARK_MODE_SEL;
|
|
|
926f74 |
}
|
|
|
926f74 |
|
|
|
926f74 |
-static void print_secmark(const struct xt_secmark_target_info *info)
|
|
|
926f74 |
+static void SECMARK_parse_v1(struct xt_option_call *cb)
|
|
|
926f74 |
+{
|
|
|
926f74 |
+ struct xt_secmark_target_info_v1 *info = cb->data;
|
|
|
926f74 |
+
|
|
|
926f74 |
+ xtables_option_parse(cb);
|
|
|
926f74 |
+ info->mode = SECMARK_MODE_SEL;
|
|
|
926f74 |
+}
|
|
|
926f74 |
+
|
|
|
926f74 |
+static void print_secmark(__u8 mode, const char *secctx)
|
|
|
926f74 |
{
|
|
|
926f74 |
- switch (info->mode) {
|
|
|
926f74 |
+ switch (mode) {
|
|
|
926f74 |
case SECMARK_MODE_SEL:
|
|
|
926f74 |
- printf("selctx %s", info->secctx);
|
|
|
926f74 |
+ printf("selctx %s", secctx);
|
|
|
926f74 |
break;
|
|
|
926f74 |
-
|
|
|
926f74 |
+
|
|
|
926f74 |
default:
|
|
|
926f74 |
- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
|
|
|
926f74 |
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
|
|
|
926f74 |
}
|
|
|
926f74 |
}
|
|
|
926f74 |
|
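Review bot: `print_secmark` now takes a bare `const char *secctx` and hands it straight to `printf("selctx %s", …)`, so the bound that the struct member `secctx[SECMARK_SECCTX_MAX]` used to make visible at the call site no longer appears in the signature. Both callers pass the `secctx` member of target data returned by the kernel; writing `printf("selctx %.*s", SECMARK_SECCTX_MAX, secctx);` keeps the output identical for a terminated string and stops an unterminated array from being read past its end. A one-line comment above the function stating that `secctx` must point at a `SECMARK_SECCTX_MAX`-byte array would document the same contract. `SECMARK_parse_v1` and `print_secmark` are both complete within the hunk.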
|
|
926f74 |
@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
|
|
|
926f74 |
(struct xt_secmark_target_info*)(target)->data;
|
|
|
926f74 |
|
|
|
926f74 |
printf(" SECMARK ");
|
|
|
926f74 |
- print_secmark(info);
|
|
|
926f74 |
+ print_secmark(info->mode, info->secctx);
|
|
|
926f74 |
+}
|
|
|
926f74 |
+
|
|
|
926f74 |
+static void SECMARK_print_v1(const void *ip,
|
|
|
926f74 |
+ const struct xt_entry_target *target, int numeric)
|
|
|
926f74 |
+{
|
|
|
926f74 |
+ const struct xt_secmark_target_info_v1 *info =
|
|
|
926f74 |
+ (struct xt_secmark_target_info_v1 *)(target)->data;
|
|
|
926f74 |
+
|
|
|
926f74 |
+ printf(" SECMARK ");
|
|
|
926f74 |
+ print_secmark(info->mode, info->secctx);
|
|
|
926f74 |
}
|
|
|
926f74 |
|
|
|
926f74 |
static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
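Review bot: The cast `(struct xt_secmark_target_info_v1 *)(target)->data` in `SECMARK_print_v1` strips the `const` from `target` only to assign the result to a `const` pointer; `(const struct xt_secmark_target_info_v1 *)target->data` expresses the same conversion without casting away qualifiers, and the parentheses around `target` are redundant. The same pattern is copied from revision 0 into `SECMARK_save_v1` in the next hunk and could be fixed there at the same time. `SECMARK_print_v1` is complete within the hunk; `SECMARK_save` begins on the hunk's last line and continues outside it.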
|
|
|
926f74 |
@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
|
|
|
926f74 |
(struct xt_secmark_target_info*)target->data;
|
|
|
926f74 |
|
|
|
926f74 |
printf(" --");
|
|
|
926f74 |
- print_secmark(info);
|
|
|
926f74 |
+ print_secmark(info->mode, info->secctx);
|
|
|
926f74 |
}
|
|
|
926f74 |
|
|
|
926f74 |
-static struct xtables_target secmark_target = {
|
|
|
926f74 |
- .family = NFPROTO_UNSPEC,
|
|
|
926f74 |
- .name = "SECMARK",
|
|
|
926f74 |
- .version = XTABLES_VERSION,
|
|
|
926f74 |
- .revision = 0,
|
|
|
926f74 |
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
|
|
926f74 |
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
|
|
926f74 |
- .help = SECMARK_help,
|
|
|
926f74 |
- .print = SECMARK_print,
|
|
|
926f74 |
- .save = SECMARK_save,
|
|
|
926f74 |
- .x6_parse = SECMARK_parse,
|
|
|
926f74 |
- .x6_options = SECMARK_opts,
|
|
|
926f74 |
+static void SECMARK_save_v1(const void *ip,
|
|
|
926f74 |
+ const struct xt_entry_target *target)
|
|
|
926f74 |
+{
|
|
|
926f74 |
+ const struct xt_secmark_target_info_v1 *info =
|
|
|
926f74 |
+ (struct xt_secmark_target_info_v1 *)target->data;
|
|
|
926f74 |
+
|
|
|
926f74 |
+ printf(" --");
|
|
|
926f74 |
+ print_secmark(info->mode, info->secctx);
|
|
|
926f74 |
+}
|
|
|
926f74 |
+
|
|
|
926f74 |
+static struct xtables_target secmark_tg_reg[] = {
|
|
|
926f74 |
+ {
|
|
|
926f74 |
+ .family = NFPROTO_UNSPEC,
|
|
|
926f74 |
+ .name = "SECMARK",
|
|
|
926f74 |
+ .version = XTABLES_VERSION,
|
|
|
926f74 |
+ .revision = 0,
|
|
|
926f74 |
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
|
|
926f74 |
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
|
|
926f74 |
+ .help = SECMARK_help,
|
|
|
926f74 |
+ .print = SECMARK_print,
|
|
|
926f74 |
+ .save = SECMARK_save,
|
|
|
926f74 |
+ .x6_parse = SECMARK_parse,
|
|
|
926f74 |
+ .x6_options = SECMARK_opts,
|
|
|
926f74 |
+ },
|
|
|
926f74 |
+ {
|
|
|
926f74 |
+ .family = NFPROTO_UNSPEC,
|
|
|
926f74 |
+ .name = "SECMARK",
|
|
|
926f74 |
+ .version = XTABLES_VERSION,
|
|
|
926f74 |
+ .revision = 1,
|
|
|
926f74 |
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
|
|
|
926f74 |
+ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
|
|
|
926f74 |
+ .help = SECMARK_help,
|
|
|
926f74 |
+ .print = SECMARK_print_v1,
|
|
|
926f74 |
+ .save = SECMARK_save_v1,
|
|
|
926f74 |
+ .x6_parse = SECMARK_parse_v1,
|
|
|
926f74 |
+ .x6_options = SECMARK_opts_v1,
|
|
|
926f74 |
+ }
|
|
|
926f74 |
};
|
|
|
926f74 |
|
|
|
926f74 |
void _init(void)
|
|
|
926f74 |
{
|
|
|
926f74 |
- xtables_register_target(&secmark_target);
|
|
|
926f74 |
+ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
|
|
|
926f74 |
}
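Review bot: `.userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid))` in the revision 1 entry can round back up to the full struct size and so put `secid` inside the comparison mask after all, which is exactly what this commit sets out to exclude. With a one-byte `mode` followed by a `SECMARK_SECCTX_MAX`-byte array (256 in the kernel header, as far as I know) `secid` lands at offset 260, and on platforms where `XT_ALIGN` rounds to 8 bytes that becomes 264 — the struct's aligned size — so the `secid` bytes would still be compared there and rule check/delete by content would keep failing. The mask length does not need alignment; the revision 0 entry aligns it only because it happens to equal the struct size, so `.userspacesize = offsetof(struct xt_secmark_target_info_v1, secid),` is what is wanted, and a delete-by-content check on a 64-bit host would confirm it. `SECMARK_save_v1`, the registration array and `_init` are all complete within the hunk.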
|
|
|
926f74 |
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
|
|
|
926f74 |
new file mode 100644
|
|
|
926f74 |
index 0000000000000..39d4c09348bf4
|
|
|
926f74 |
--- /dev/null
|
|
|
926f74 |
+++ b/extensions/libxt_SECMARK.t
|
|
|
926f74 |
@@ -0,0 +1,4 @@
|
|
|
926f74 |
+:INPUT,FORWARD,OUTPUT
|
|
|
926f74 |
+*security
|
|
|
926f74 |
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
|
|
|
926f74 |
+-j SECMARK;;FAIL
|
|
|
926f74 |
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
|
|
|
926f74 |
index 989092bd6274b..31760a286a854 100644
|
|
|
926f74 |
--- a/include/linux/netfilter/xt_SECMARK.h
|
|
|
926f74 |
+++ b/include/linux/netfilter/xt_SECMARK.h
|
|
|
926f74 |
@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
|
|
|
926f74 |
char secctx[SECMARK_SECCTX_MAX];
|
|
|
926f74 |
};
|
|
|
926f74 |
|
|
|
926f74 |
+struct xt_secmark_target_info_v1 {
|
|
|
926f74 |
+ __u8 mode;
|
|
|
926f74 |
+ char secctx[SECMARK_SECCTX_MAX];
|
|
|
926f74 |
+ __u32 secid;
|
|
|
926f74 |
+};
|
|
|
926f74 |
+
|
|
|
926f74 |
#endif /*_XT_SECMARK_H_target */
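Review bot: `secid` in the new `struct xt_secmark_target_info_v1` carries no hint that it is populated by the kernel rather than by userspace, and that distinction is the whole reason revision 1 exists. If this header is kept byte-for-byte in sync with the kernel uapi copy, the comment belongs next to the `.userspacesize` line of the revision 1 entry in libxt_SECMARK.c instead; otherwise a one-liner such as `__u32 secid; /* populated by the kernel; not compared from userspace */` on the field would save the next reader a trip to the commit log. Keeping `secid` last also leaves the leading `mode`/`secctx` layout identical to revision 0, which is what lets userspace treat the prefix as the comparable part, and that is worth stating explicitly wherever the comment ends up.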
--
2.31.1