Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
iptable_security.c
Go to the documentation of this file.
1 /*
2  * "security" table
3  *
4  * This is for use by Mandatory Access Control (MAC) security models,
5  * which need to be able to manage security policy in separate context
6  * to DAC.
7  *
8  * Based on iptable_mangle.c
9  *
10  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
11  * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
12  * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
13  *
14  * This program is free software; you can redistribute it and/or modify
15  * it under the terms of the GNU General Public License version 2 as
16  * published by the Free Software Foundation.
17  */
18 #include <linux/module.h>
19 #include <linux/netfilter_ipv4/ip_tables.h>
20 #include <linux/slab.h>
21 #include <net/ip.h>
22 
23 MODULE_LICENSE("GPL");
24 MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
25 MODULE_DESCRIPTION("iptables security table, for MAC rules");
26 
27 #define SECURITY_VALID_HOOKS (1 << NF_INET_LOCAL_IN) | \
28  (1 << NF_INET_FORWARD) | \
29  (1 << NF_INET_LOCAL_OUT)
30 
31 static const struct xt_table security_table = {
32  .name = "security",
33  .valid_hooks = SECURITY_VALID_HOOKS,
34  .me = THIS_MODULE,
35  .af = NFPROTO_IPV4,
36  .priority = NF_IP_PRI_SECURITY,
37 };
38 
39 static unsigned int
40 iptable_security_hook(unsigned int hook, struct sk_buff *skb,
41  const struct net_device *in,
42  const struct net_device *out,
43  int (*okfn)(struct sk_buff *))
44 {
45  const struct net *net;
46 
47  if (hook == NF_INET_LOCAL_OUT &&
48  (skb->len < sizeof(struct iphdr) ||
49  ip_hdrlen(skb) < sizeof(struct iphdr)))
50  /* Somebody is playing with raw sockets. */
51  return NF_ACCEPT;
52 
53  net = dev_net((in != NULL) ? in : out);
54  return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
55 }
56 
57 static struct nf_hook_ops *sectbl_ops __read_mostly;
58 
59 static int __net_init iptable_security_net_init(struct net *net)
60 {
61  struct ipt_replace *repl;
62 
63  repl = ipt_alloc_initial_table(&security_table);
64  if (repl == NULL)
65  return -ENOMEM;
66  net->ipv4.iptable_security =
67  ipt_register_table(net, &security_table, repl);
68  kfree(repl);
69  return PTR_RET(net->ipv4.iptable_security);
70 }
71 
72 static void __net_exit iptable_security_net_exit(struct net *net)
73 {
74  ipt_unregister_table(net, net->ipv4.iptable_security);
75 }
76 
77 static struct pernet_operations iptable_security_net_ops = {
78  .init = iptable_security_net_init,
79  .exit = iptable_security_net_exit,
80 };
81 
82 static int __init iptable_security_init(void)
83 {
84  int ret;
85 
86  ret = register_pernet_subsys(&iptable_security_net_ops);
87  if (ret < 0)
88  return ret;
89 
90  sectbl_ops = xt_hook_link(&security_table, iptable_security_hook);
91  if (IS_ERR(sectbl_ops)) {
92  ret = PTR_ERR(sectbl_ops);
93  goto cleanup_table;
94  }
95 
96  return ret;
97 
98 cleanup_table:
99  unregister_pernet_subsys(&iptable_security_net_ops);
100  return ret;
101 }
102 
103 static void __exit iptable_security_fini(void)
104 {
105  xt_hook_unlink(&security_table, sectbl_ops);
106  unregister_pernet_subsys(&iptable_security_net_ops);
107 }
108 
109 module_init(iptable_security_init);
110 module_exit(iptable_security_fini);