diff options
| author | Eric Paris <eparis@redhat.com> | 2010-10-13 16:24:54 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-10-20 19:12:51 -0400 |
| commit | 1cc63249adfa957b34ca51effdee90ff8261d63f (patch) | |
| tree | e5cf71ae9a2c43ca13b1820551df2aebbbd0d757 | |
| parent | d5630b9d276bd389299ffea620b7c340ab19bcf5 (diff) | |
conntrack: export lsm context rather than internal secid via netlink
The conntrack code can export the internal secid to userspace. These are
dynamic, can change on lsm changes, and have no meaning in userspace. We
should instead be sending lsm contexts to userspace instead. This patch sends
the secctx (rather than secid) to userspace over the netlink socket. We use a
new field CTA_SECCTX and stop using the the old CTA_SECMARK field since it did
not send particularly useful information.
Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: James Morris <jmorris@namei.org>
| -rw-r--r-- | include/linux/netfilter/nfnetlink_conntrack.h | 10 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 46 |
2 files changed, 45 insertions, 11 deletions
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index 9ed534c991b9..70cd0603911c 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h | |||
| @@ -39,8 +39,9 @@ enum ctattr_type { | |||
| 39 | CTA_TUPLE_MASTER, | 39 | CTA_TUPLE_MASTER, |
| 40 | CTA_NAT_SEQ_ADJ_ORIG, | 40 | CTA_NAT_SEQ_ADJ_ORIG, |
| 41 | CTA_NAT_SEQ_ADJ_REPLY, | 41 | CTA_NAT_SEQ_ADJ_REPLY, |
| 42 | CTA_SECMARK, | 42 | CTA_SECMARK, /* obsolete */ |
| 43 | CTA_ZONE, | 43 | CTA_ZONE, |
| 44 | CTA_SECCTX, | ||
| 44 | __CTA_MAX | 45 | __CTA_MAX |
| 45 | }; | 46 | }; |
| 46 | #define CTA_MAX (__CTA_MAX - 1) | 47 | #define CTA_MAX (__CTA_MAX - 1) |
| @@ -172,4 +173,11 @@ enum ctattr_help { | |||
| 172 | }; | 173 | }; |
| 173 | #define CTA_HELP_MAX (__CTA_HELP_MAX - 1) | 174 | #define CTA_HELP_MAX (__CTA_HELP_MAX - 1) |
| 174 | 175 | ||
| 176 | enum ctattr_secctx { | ||
| 177 | CTA_SECCTX_UNSPEC, | ||
| 178 | CTA_SECCTX_NAME, | ||
| 179 | __CTA_SECCTX_MAX | ||
| 180 | }; | ||
| 181 | #define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1) | ||
| 182 | |||
| 175 | #endif /* _IPCONNTRACK_NETLINK_H */ | 183 | #endif /* _IPCONNTRACK_NETLINK_H */ |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 5bae1cd15eea..b3c628555cf3 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -22,6 +22,7 @@ | |||
| 22 | #include <linux/rculist_nulls.h> | 22 | #include <linux/rculist_nulls.h> |
| 23 | #include <linux/types.h> | 23 | #include <linux/types.h> |
| 24 | #include <linux/timer.h> | 24 | #include <linux/timer.h> |
| 25 | #include <linux/security.h> | ||
| 25 | #include <linux/skbuff.h> | 26 | #include <linux/skbuff.h> |
| 26 | #include <linux/errno.h> | 27 | #include <linux/errno.h> |
| 27 | #include <linux/netlink.h> | 28 | #include <linux/netlink.h> |
| @@ -245,16 +246,31 @@ nla_put_failure: | |||
| 245 | 246 | ||
| 246 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | 247 | #ifdef CONFIG_NF_CONNTRACK_SECMARK |
| 247 | static inline int | 248 | static inline int |
| 248 | ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct) | 249 | ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) |
| 249 | { | 250 | { |
| 250 | NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark)); | 251 | struct nlattr *nest_secctx; |
| 251 | return 0; | 252 | int len, ret; |
| 253 | char *secctx; | ||
| 254 | |||
| 255 | ret = security_secid_to_secctx(ct->secmark, &secctx, &len); | ||
| 256 | if (ret) | ||
| 257 | return ret; | ||
| 258 | |||
| 259 | ret = -1; | ||
| 260 | nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED); | ||
| 261 | if (!nest_secctx) | ||
| 262 | goto nla_put_failure; | ||
| 252 | 263 | ||
| 264 | NLA_PUT_STRING(skb, CTA_SECCTX_NAME, secctx); | ||
| 265 | nla_nest_end(skb, nest_secctx); | ||
| 266 | |||
| 267 | ret = 0; | ||
| 253 | nla_put_failure: | 268 | nla_put_failure: |
| 254 | return -1; | 269 | security_release_secctx(secctx, len); |
| 270 | return ret; | ||
| 255 | } | 271 | } |
| 256 | #else | 272 | #else |
| 257 | #define ctnetlink_dump_secmark(a, b) (0) | 273 | #define ctnetlink_dump_secctx(a, b) (0) |
| 258 | #endif | 274 | #endif |
| 259 | 275 | ||
| 260 | #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) | 276 | #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) |
| @@ -391,7 +407,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, | |||
| 391 | ctnetlink_dump_protoinfo(skb, ct) < 0 || | 407 | ctnetlink_dump_protoinfo(skb, ct) < 0 || |
| 392 | ctnetlink_dump_helpinfo(skb, ct) < 0 || | 408 | ctnetlink_dump_helpinfo(skb, ct) < 0 || |
| 393 | ctnetlink_dump_mark(skb, ct) < 0 || | 409 | ctnetlink_dump_mark(skb, ct) < 0 || |
| 394 | ctnetlink_dump_secmark(skb, ct) < 0 || | 410 | ctnetlink_dump_secctx(skb, ct) < 0 || |
| 395 | ctnetlink_dump_id(skb, ct) < 0 || | 411 | ctnetlink_dump_id(skb, ct) < 0 || |
| 396 | ctnetlink_dump_use(skb, ct) < 0 || | 412 | ctnetlink_dump_use(skb, ct) < 0 || |
| 397 | ctnetlink_dump_master(skb, ct) < 0 || | 413 | ctnetlink_dump_master(skb, ct) < 0 || |
| @@ -437,6 +453,17 @@ ctnetlink_counters_size(const struct nf_conn *ct) | |||
| 437 | ; | 453 | ; |
| 438 | } | 454 | } |
| 439 | 455 | ||
| 456 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 457 | static int ctnetlink_nlmsg_secctx_size(const struct nf_conn *ct) | ||
| 458 | { | ||
| 459 | int len; | ||
| 460 | |||
| 461 | security_secid_to_secctx(ct->secmark, NULL, &len); | ||
| 462 | |||
| 463 | return sizeof(char) * len; | ||
| 464 | } | ||
| 465 | #endif | ||
| 466 | |||
| 440 | static inline size_t | 467 | static inline size_t |
| 441 | ctnetlink_nlmsg_size(const struct nf_conn *ct) | 468 | ctnetlink_nlmsg_size(const struct nf_conn *ct) |
| 442 | { | 469 | { |
| @@ -453,7 +480,8 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct) | |||
| 453 | + nla_total_size(0) /* CTA_HELP */ | 480 | + nla_total_size(0) /* CTA_HELP */ |
| 454 | + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ | 481 | + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ |
| 455 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | 482 | #ifdef CONFIG_NF_CONNTRACK_SECMARK |
| 456 | + nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */ | 483 | + nla_total_size(0) /* CTA_SECCTX */ |
| 484 | + nla_total_size(ctnetlink_nlmsg_secctx_size(ct)) /* CTA_SECCTX_NAME */ | ||
| 457 | #endif | 485 | #endif |
| 458 | #ifdef CONFIG_NF_NAT_NEEDED | 486 | #ifdef CONFIG_NF_NAT_NEEDED |
| 459 | + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ | 487 | + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ |
| @@ -554,11 +582,9 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) | |||
| 554 | && ctnetlink_dump_helpinfo(skb, ct) < 0) | 582 | && ctnetlink_dump_helpinfo(skb, ct) < 0) |
| 555 | goto nla_put_failure; | 583 | goto nla_put_failure; |
| 556 | 584 | ||
| 557 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 558 | if ((events & (1 << IPCT_SECMARK) || ct->secmark) | 585 | if ((events & (1 << IPCT_SECMARK) || ct->secmark) |
| 559 | && ctnetlink_dump_secmark(skb, ct) < 0) | 586 | && ctnetlink_dump_secctx(skb, ct) < 0) |
| 560 | goto nla_put_failure; | 587 | goto nla_put_failure; |
| 561 | #endif | ||
| 562 | 588 | ||
| 563 | if (events & (1 << IPCT_RELATED) && | 589 | if (events & (1 << IPCT_RELATED) && |
| 564 | ctnetlink_dump_master(skb, ct) < 0) | 590 | ctnetlink_dump_master(skb, ct) < 0) |