Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / kernel / msm / 984bc16cc92ea3c247bf34ad667cfb95331b9d3c^! / . / net
commit984bc16cc92ea3c247bf34ad667cfb95331b9d3c[log] [tgz]
authorJames Morris <jmorris@namei.org>Fri Jun 09 00:29:17 2006 -0700
committerDavid S. Miller <davem@sunset.davemloft.net>Sat Jun 17 21:29:57 2006 -0700
tree2342638457f43980501179056f4ba1e4e3c2c1aa
parentc749b29fae74ed59c507d84025b3298202b42609 [diff]
[SECMARK]: Add secmark support to core networking.

Add a secmark field to the skbuff structure, to allow security subsystems to
place security markings on network packets.  This is similar to the nfmark
field, except is intended for implementing security policy, rather than than
networking policy.

This patch was already acked in principle by Dave Miller.

Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/Kconfig b/net/Kconfig
index ccadc8e..c6cec5a 100644
--- a/net/Kconfig
+++ b/net/Kconfig

@@ -66,6 +66,13 @@
 
 endif # if INET
 
+config NETWORK_SECMARK
+	bool "Security Marking"
+	help
+	  This enables security marking of network packets, similar
+	  to nfmark, but designated for security purposes.
+	  If you are unsure how to answer this question, answer N.
+
 menuconfig NETFILTER
 	bool "Network packet filtering (replaces ipchains)"
 	---help---

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index fb3770f..96cdcbe 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c

@@ -464,7 +464,7 @@
 	n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
 	C(input_dev);
 #endif
-
+	skb_copy_secmark(n, skb);
 #endif
 	C(truesize);
 	atomic_set(&n->users, 1);
@@ -526,6 +526,7 @@
 #endif
 	new->tc_index	= old->tc_index;
 #endif
+	skb_copy_secmark(new, old);
 	atomic_set(&new->users, 1);
 	skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
 	skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index cff9c3a..d4bb3fa 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c

@@ -410,6 +410,7 @@
 	nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+	skb_copy_secmark(to, from);
 }
 
 /*

diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 0bba3c2..431a3ce 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c

@@ -147,6 +147,7 @@
 	/* This packet will not be the same as the other: clear nf fields */
 	nf_reset(nskb);
 	nskb->nfmark = 0;
+	skb_init_secmark(nskb);
 
 	tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
 

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 416f6e4..d29620f 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c

@@ -459,6 +459,7 @@
 	nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+	skb_copy_secmark(to, from);
 }
 
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)