James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 1 | /* |
| 2 | * "security" table for IPv6 |
| 3 | * |
| 4 | * This is for use by Mandatory Access Control (MAC) security models, |
| 5 | * which need to be able to manage security policy in separate context |
| 6 | * to DAC. |
| 7 | * |
| 8 | * Based on iptable_mangle.c |
| 9 | * |
| 10 | * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling |
| 11 | * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org> |
| 12 | * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com> |
| 13 | * |
| 14 | * This program is free software; you can redistribute it and/or modify |
| 15 | * it under the terms of the GNU General Public License version 2 as |
| 16 | * published by the Free Software Foundation. |
| 17 | */ |
| 18 | #include <linux/module.h> |
| 19 | #include <linux/netfilter_ipv6/ip6_tables.h> |
Tejun Heo | 5a0e3ad | 2010-03-24 17:04:11 +0900 | [diff] [blame] | 20 | #include <linux/slab.h> |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 21 | |
| 22 | MODULE_LICENSE("GPL"); |
| 23 | MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>"); |
| 24 | MODULE_DESCRIPTION("ip6tables security table, for MAC rules"); |
| 25 | |
| 26 | #define SECURITY_VALID_HOOKS (1 << NF_INET_LOCAL_IN) | \ |
| 27 | (1 << NF_INET_FORWARD) | \ |
| 28 | (1 << NF_INET_LOCAL_OUT) |
| 29 | |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 30 | static int __net_init ip6table_security_table_init(struct net *net); |
| 31 | |
Jan Engelhardt | 35aad0f | 2009-08-24 14:56:30 +0200 | [diff] [blame] | 32 | static const struct xt_table security_table = { |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 33 | .name = "security", |
| 34 | .valid_hooks = SECURITY_VALID_HOOKS, |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 35 | .me = THIS_MODULE, |
Jan Engelhardt | f88e6a8 | 2009-06-13 06:25:44 +0200 | [diff] [blame] | 36 | .af = NFPROTO_IPV6, |
Jan Engelhardt | 2b95efe | 2009-06-17 13:57:48 +0200 | [diff] [blame] | 37 | .priority = NF_IP6_PRI_SECURITY, |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 38 | .table_init = ip6table_security_table_init, |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 39 | }; |
| 40 | |
| 41 | static unsigned int |
Eric W. Biederman | 06198b3 | 2015-09-18 14:33:06 -0500 | [diff] [blame] | 42 | ip6table_security_hook(void *priv, struct sk_buff *skb, |
David S. Miller | 238e54c | 2015-04-03 20:32:56 -0400 | [diff] [blame] | 43 | const struct nf_hook_state *state) |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 44 | { |
Eric W. Biederman | 6cb8ff3f1 | 2015-09-18 14:32:55 -0500 | [diff] [blame] | 45 | return ip6t_do_table(skb, state, state->net->ipv6.ip6table_security); |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 46 | } |
| 47 | |
Jan Engelhardt | 2b95efe | 2009-06-17 13:57:48 +0200 | [diff] [blame] | 48 | static struct nf_hook_ops *sectbl_ops __read_mostly; |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 49 | |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 50 | static int __net_init ip6table_security_table_init(struct net *net) |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 51 | { |
Jan Engelhardt | e3eaa99 | 2009-06-17 22:14:54 +0200 | [diff] [blame] | 52 | struct ip6t_replace *repl; |
Florian Westphal | a67dd26 | 2016-02-25 10:08:35 +0100 | [diff] [blame] | 53 | int ret; |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 54 | |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 55 | if (net->ipv6.ip6table_security) |
| 56 | return 0; |
| 57 | |
Jan Engelhardt | e3eaa99 | 2009-06-17 22:14:54 +0200 | [diff] [blame] | 58 | repl = ip6t_alloc_initial_table(&security_table); |
| 59 | if (repl == NULL) |
| 60 | return -ENOMEM; |
Florian Westphal | a67dd26 | 2016-02-25 10:08:35 +0100 | [diff] [blame] | 61 | ret = ip6t_register_table(net, &security_table, repl, sectbl_ops, |
| 62 | &net->ipv6.ip6table_security); |
Jan Engelhardt | e3eaa99 | 2009-06-17 22:14:54 +0200 | [diff] [blame] | 63 | kfree(repl); |
Florian Westphal | a67dd26 | 2016-02-25 10:08:35 +0100 | [diff] [blame] | 64 | return ret; |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 65 | } |
| 66 | |
| 67 | static void __net_exit ip6table_security_net_exit(struct net *net) |
| 68 | { |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 69 | if (!net->ipv6.ip6table_security) |
| 70 | return; |
Florian Westphal | a67dd26 | 2016-02-25 10:08:35 +0100 | [diff] [blame] | 71 | ip6t_unregister_table(net, net->ipv6.ip6table_security, sectbl_ops); |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 72 | net->ipv6.ip6table_security = NULL; |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 73 | } |
| 74 | |
| 75 | static struct pernet_operations ip6table_security_net_ops = { |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 76 | .exit = ip6table_security_net_exit, |
| 77 | }; |
| 78 | |
| 79 | static int __init ip6table_security_init(void) |
| 80 | { |
| 81 | int ret; |
| 82 | |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 83 | sectbl_ops = xt_hook_ops_alloc(&security_table, ip6table_security_hook); |
| 84 | if (IS_ERR(sectbl_ops)) |
| 85 | return PTR_ERR(sectbl_ops); |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 86 | |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 87 | ret = register_pernet_subsys(&ip6table_security_net_ops); |
| 88 | if (ret < 0) { |
| 89 | kfree(sectbl_ops); |
| 90 | return ret; |
Jan Engelhardt | 2b95efe | 2009-06-17 13:57:48 +0200 | [diff] [blame] | 91 | } |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 92 | |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 93 | ret = ip6table_security_table_init(&init_net); |
| 94 | if (ret) { |
| 95 | unregister_pernet_subsys(&ip6table_security_net_ops); |
| 96 | kfree(sectbl_ops); |
| 97 | } |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 98 | return ret; |
| 99 | } |
| 100 | |
| 101 | static void __exit ip6table_security_fini(void) |
| 102 | { |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 103 | unregister_pernet_subsys(&ip6table_security_net_ops); |
Florian Westphal | b9e69e1 | 2016-02-25 10:08:36 +0100 | [diff] [blame] | 104 | kfree(sectbl_ops); |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 105 | } |
| 106 | |
| 107 | module_init(ip6table_security_init); |
| 108 | module_exit(ip6table_security_fini); |