Linux/net/ipv4/netfilter/iptable_security.c

Version: ~ [ linux-5.4-rc7 ] ~ [ linux-5.3.11 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.84 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.154 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.201 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.201 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.77 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * "security" table
  3  *
  4  * This is for use by Mandatory Access Control (MAC) security models,
  5  * which need to be able to manage security policy in separate context
  6  * to DAC.
  7  *
  8  * Based on iptable_mangle.c
  9  *
 10  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 11  * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
 12  * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
 13  *
 14  * This program is free software; you can redistribute it and/or modify
 15  * it under the terms of the GNU General Public License version 2 as
 16  * published by the Free Software Foundation.
 17  */
 18 #include <linux/module.h>
 19 #include <linux/netfilter_ipv4/ip_tables.h>
 20 #include <linux/slab.h>
 21 #include <net/ip.h>
 22 
/* Module metadata: GPL-only symbols are usable because of the licence tag. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
MODULE_DESCRIPTION("iptables security table, for MAC rules");
 26 
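/*
 * Netfilter hooks this table attaches to: local-in, forward and local-out
 * (no pre- or post-routing).  The whole expansion is parenthesised so the
 * macro behaves as a single operand wherever it is used (e.g. under `~` or
 * next to another bitwise operator), not just in the initialiser below.
 */
#define SECURITY_VALID_HOOKS	((1 << NF_INET_LOCAL_IN) | \
				 (1 << NF_INET_FORWARD) | \
				 (1 << NF_INET_LOCAL_OUT))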
 30 
/* Defined below; referenced from the table template's .table_init slot. */
static int __net_init iptable_security_table_init(struct net *net);

/*
 * Template for the "security" table.  Registered per network namespace by
 * iptable_security_table_init(); the hook mask is SECURITY_VALID_HOOKS and
 * the table runs at NF_IP_PRI_SECURITY in the IPv4 netfilter chains.
 */
static const struct xt_table security_table = {
	.name		= "security",
	.af		= NFPROTO_IPV4,
	.valid_hooks	= SECURITY_VALID_HOOKS,
	.priority	= NF_IP_PRI_SECURITY,
	.table_init	= iptable_security_table_init,
	.me		= THIS_MODULE,
};
 41 
/*
 * Netfilter entry point for the "security" table.
 *
 * @priv is unused.  On NF_INET_LOCAL_OUT a locally generated packet may
 * carry an IP header shorter than the minimum (the original author
 * attributes this to raw sockets); such a packet is accepted without
 * being run through the table, so the rules here never see it.  The
 * length checks apply only to LOCAL_OUT; LOCAL_IN and FORWARD traffic is
 * always passed to ipt_do_table().
 */
static unsigned int
iptable_security_hook(void *priv, struct sk_buff *skb,
		      const struct nf_hook_state *state)
{
	if (state->hook == NF_INET_LOCAL_OUT) {
		if (skb->len < sizeof(struct iphdr))
			return NF_ACCEPT;
		if (ip_hdrlen(skb) < sizeof(struct iphdr))
			return NF_ACCEPT;
	}

	return ipt_do_table(skb, state, state->net->ipv4.iptable_security);
}
 54 
/*
 * Hook ops shared by every network namespace: allocated once in
 * iptable_security_init() from security_table, handed to
 * ipt_register_table()/ipt_unregister_table() per namespace, and freed
 * in iptable_security_fini() (or on the init error paths).
 */
static struct nf_hook_ops *sectbl_ops __read_mostly;
 56 
/*
 * Register the "security" table in namespace @net.
 *
 * Idempotent: returns 0 immediately if the namespace already has the
 * table.  Otherwise an empty initial ruleset is built from the
 * security_table template and registered; the resulting table pointer is
 * handed back through &net->ipv4.iptable_security.  The template copy is
 * only needed for the registration call and is freed afterwards.
 *
 * Returns 0 on success, -ENOMEM if the initial ruleset cannot be
 * allocated, or whatever ipt_register_table() returns.
 */
static int __net_init iptable_security_table_init(struct net *net)
{
	struct ipt_replace *initial;
	int err;

	if (net->ipv4.iptable_security)
		return 0;

	initial = ipt_alloc_initial_table(&security_table);
	if (!initial)
		return -ENOMEM;

	err = ipt_register_table(net, &security_table, initial, sectbl_ops,
				 &net->ipv4.iptable_security);
	kfree(initial);

	return err;
}
 73 
/*
 * Per-namespace teardown: unregister the table if this namespace ever
 * got one (iptable_security_table_init() is lazy, so it may not have)
 * and clear the pointer so a later exit/init sees a clean slate.
 */
static void __net_exit iptable_security_net_exit(struct net *net)
{
	if (net->ipv4.iptable_security) {
		ipt_unregister_table(net, net->ipv4.iptable_security,
				     sectbl_ops);
		net->ipv4.iptable_security = NULL;
	}
}
 82 
/*
 * Only .exit is provided.  Per-namespace setup is not done eagerly here:
 * iptable_security_table_init() is run for init_net at module load and is
 * wired up as the table's .table_init callback for other namespaces.
 */
static struct pernet_operations iptable_security_net_ops = {
	.exit = iptable_security_net_exit,
};
 86 
/*
 * Module entry point.
 *
 * Allocates the shared hook ops, registers the per-netns callbacks and
 * sets up the table for init_net.  Resources are released in reverse
 * order on failure (goto-based cleanup), so nothing is leaked and no
 * stale pernet registration is left behind.
 *
 * Returns 0 on success or a negative errno from the failing step.
 */
static int __init iptable_security_init(void)
{
	int ret;

	sectbl_ops = xt_hook_ops_alloc(&security_table, iptable_security_hook);
	if (IS_ERR(sectbl_ops))
		return PTR_ERR(sectbl_ops);

	ret = register_pernet_subsys(&iptable_security_net_ops);
	if (ret < 0)
		goto free_ops;

	ret = iptable_security_table_init(&init_net);
	if (ret)
		goto unreg_pernet;

	return 0;

unreg_pernet:
	unregister_pernet_subsys(&iptable_security_net_ops);
free_ops:
	kfree(sectbl_ops);
	return ret;
}
109 
/*
 * Module teardown.  Dropping the pernet subsystem is expected to run
 * iptable_security_net_exit() for each live namespace, unregistering the
 * table everywhere; only then is it safe to free the shared hook ops that
 * those tables were registered with.
 */
static void __exit iptable_security_fini(void)
{
	unregister_pernet_subsys(&iptable_security_net_ops);
	kfree(sectbl_ops);
}
115 
/* Module load/unload entry points. */
module_init(iptable_security_init);
module_exit(iptable_security_fini);
118 
