[SECMARK]: Add secmark support to core networking.

Add a secmark field to the skbuff structure, to allow security subsystems to place security markings on network packets. This is similar to the nfmark field, except is intended for implementing security policy, rather than than networking policy. This patch was already acked in principle by Dave Miller. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: James Morris <jmorris@namei.org> 2006-06-09 03:29:17 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-06-18 00:29:57 -0400
commit: 984bc16cc92ea3c247bf34ad667cfb95331b9d3c (patch)
tree: 2342638457f43980501179056f4ba1e4e3c2c1aa
parent: c749b29fae74ed59c507d84025b3298202b42609 (diff)
6 files changed, 34 insertions, 1 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 23bad3bf3c9d..fe2c58e5306f 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -210,6 +210,7 @@ enum {
 *      @nf_bridge: Saved data about a bridged frame - see br_netfilter.c
 *      @tc_index: Traffic control index
 *      @tc_verd: traffic control verdict
+ *      @secmark: security marking
 */
 struct sk_buff {
@@ -289,6 +290,9 @@ struct sk_buff {
 #ifdef CONFIG_NET_DMA
        dma_cookie_t            dma_cookie;
 #endif
+#ifdef CONFIG_NETWORK_SECMARK
+        __u32                   secmark;
+#endif
        /* These elements must be at the end, see alloc_skb() for details.  */
@@ -1400,5 +1404,23 @@ static inline void nf_reset(struct sk_buff *skb)
 static inline void nf_reset(struct sk_buff *skb) {}
 #endif /* CONFIG_NETFILTER */
+#ifdef CONFIG_NETWORK_SECMARK
+static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
+{
+        to->secmark = from->secmark;
+}
+static inline void skb_init_secmark(struct sk_buff *skb)
+{
+        skb->secmark = 0;
+}
+#else
+static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
+{ }
+static inline void skb_init_secmark(struct sk_buff *skb)
+{ }
+#endif
 #endif  /* __KERNEL__ */
 #endif  /* _LINUX_SKBUFF_H */
diff --git a/net/Kconfig b/net/Kconfig
index ccadc8e48152..c6cec5aa5486 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -66,6 +66,13 @@ source "net/ipv6/Kconfig"
 endif # if INET
+config NETWORK_SECMARK
+        bool "Security Marking"
+        help
+          This enables security marking of network packets, similar
+          to nfmark, but designated for security purposes.
+          If you are unsure how to answer this question, answer N.
 menuconfig NETFILTER
        bool "Network packet filtering (replaces ipchains)"
        ---help---
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index fb3770f9c094..96cdcbe24ba2 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -464,7 +464,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
        n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
        C(input_dev);
 #endif
+        skb_copy_secmark(n, skb);
 #endif
        C(truesize);
        atomic_set(&n->users, 1);
@@ -526,6 +526,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
 #endif
        new->tc_index   = old->tc_index;
 #endif
+        skb_copy_secmark(new, old);
        atomic_set(&new->users, 1);
        skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
        skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index cff9c3a72daf..d4bb3fae4e49 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+        skb_copy_secmark(to, from);
 }
 /*
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 0bba3c2bb786..431a3ce6f7b7 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        /* This packet will not be the same as the other: clear nf fields */
        nf_reset(nskb);
        nskb->nfmark = 0;
+        skb_init_secmark(nskb);
        tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 416f6e428a0a..d29620f4910e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -459,6 +459,7 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+        skb_copy_secmark(to, from);
 }
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
author	James Morris <jmorris@namei.org>	2006-06-09 03:29:17 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-06-18 00:29:57 -0400
commit	984bc16cc92ea3c247bf34ad667cfb95331b9d3c (patch)
tree	2342638457f43980501179056f4ba1e4e3c2c1aa
parent	c749b29fae74ed59c507d84025b3298202b42609 (diff)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 23bad3bf3c9d..fe2c58e5306f 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h
@@ -210,6 +210,7 @@ enum {
210	* @nf_bridge: Saved data about a bridged frame - see br_netfilter.c	210	* @nf_bridge: Saved data about a bridged frame - see br_netfilter.c
211	* @tc_index: Traffic control index	211	* @tc_index: Traffic control index
212	* @tc_verd: traffic control verdict	212	* @tc_verd: traffic control verdict
		213	* @secmark: security marking
213	*/	214	*/
214		215
215	struct sk_buff {	216	struct sk_buff {
@@ -289,6 +290,9 @@ struct sk_buff {
289	#ifdef CONFIG_NET_DMA	290	#ifdef CONFIG_NET_DMA
290	dma_cookie_t dma_cookie;	291	dma_cookie_t dma_cookie;
291	#endif	292	#endif
		293	#ifdef CONFIG_NETWORK_SECMARK
		294	__u32 secmark;
		295	#endif
292		296
293		297
294	/* These elements must be at the end, see alloc_skb() for details. */	298	/* These elements must be at the end, see alloc_skb() for details. */
@@ -1400,5 +1404,23 @@ static inline void nf_reset(struct sk_buff *skb)
1400	static inline void nf_reset(struct sk_buff *skb) {}	1404	static inline void nf_reset(struct sk_buff *skb) {}
1401	#endif /* CONFIG_NETFILTER */	1405	#endif /* CONFIG_NETFILTER */
1402		1406
		1407	#ifdef CONFIG_NETWORK_SECMARK
		1408	static inline void skb_copy_secmark(struct sk_buff to, const struct sk_buff from)
		1409	{
		1410	to->secmark = from->secmark;
		1411	}
		1412
		1413	static inline void skb_init_secmark(struct sk_buff *skb)
		1414	{
		1415	skb->secmark = 0;
		1416	}
		1417	#else
		1418	static inline void skb_copy_secmark(struct sk_buff to, const struct sk_buff from)
		1419	{ }
		1420
		1421	static inline void skb_init_secmark(struct sk_buff *skb)
		1422	{ }
		1423	#endif
		1424
1403	#endif /* __KERNEL__ */	1425	#endif /* __KERNEL__ */
1404	#endif /* _LINUX_SKBUFF_H */	1426	#endif /* _LINUX_SKBUFF_H */


diff --git a/net/Kconfig b/net/Kconfig index ccadc8e48152..c6cec5aa5486 100644 --- a/net/Kconfig +++ b/net/Kconfig
@@ -66,6 +66,13 @@ source "net/ipv6/Kconfig"
66		66
67	endif # if INET	67	endif # if INET
68		68
		69	config NETWORK_SECMARK
		70	bool "Security Marking"
		71	help
		72	This enables security marking of network packets, similar
		73	to nfmark, but designated for security purposes.
		74	If you are unsure how to answer this question, answer N.
		75
69	menuconfig NETFILTER	76	menuconfig NETFILTER
70	bool "Network packet filtering (replaces ipchains)"	77	bool "Network packet filtering (replaces ipchains)"
71	---help---	78	---help---


diff --git a/net/core/skbuff.c b/net/core/skbuff.c index fb3770f9c094..96cdcbe24ba2 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c
@@ -464,7 +464,7 @@ struct sk_buff skb_clone(struct sk_buff skb, gfp_t gfp_mask)
464	n->tc_verd = CLR_TC_MUNGED(n->tc_verd);	464	n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
465	C(input_dev);	465	C(input_dev);
466	#endif	466	#endif
467		467	skb_copy_secmark(n, skb);
468	#endif	468	#endif
469	C(truesize);	469	C(truesize);
470	atomic_set(&n->users, 1);	470	atomic_set(&n->users, 1);
@@ -526,6 +526,7 @@ static void copy_skb_header(struct sk_buff new, const struct sk_buff old)
526	#endif	526	#endif
527	new->tc_index = old->tc_index;	527	new->tc_index = old->tc_index;
528	#endif	528	#endif
		529	skb_copy_secmark(new, old);
529	atomic_set(&new->users, 1);	530	atomic_set(&new->users, 1);
530	skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;	531	skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
531	skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;	532	skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;


diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index cff9c3a72daf..d4bb3fae4e49 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_buff to, struct sk_buff from)
410	nf_bridge_get(to->nf_bridge);	410	nf_bridge_get(to->nf_bridge);
411	#endif	411	#endif
412	#endif	412	#endif
		413	skb_copy_secmark(to, from);
413	}	414	}
414		415
415	/*	416	/*


diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index 0bba3c2bb786..431a3ce6f7b7 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
147	/* This packet will not be the same as the other: clear nf fields */	147	/* This packet will not be the same as the other: clear nf fields */
148	nf_reset(nskb);	148	nf_reset(nskb);
149	nskb->nfmark = 0;	149	nskb->nfmark = 0;
		150	skb_init_secmark(nskb);
150		151
151	tcph = (struct tcphdr )((u_int32_t)nskb->nh.iph + nskb->nh.iph->ihl);	152	tcph = (struct tcphdr )((u_int32_t)nskb->nh.iph + nskb->nh.iph->ihl);
152		153


diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 416f6e428a0a..d29620f4910e 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c
@@ -459,6 +459,7 @@ static void ip6_copy_metadata(struct sk_buff to, struct sk_buff from)
459	nf_bridge_get(to->nf_bridge);	459	nf_bridge_get(to->nf_bridge);
460	#endif	460	#endif
461	#endif	461	#endif
		462	skb_copy_secmark(to, from);
462	}	463	}
463		464
464	int ip6_find_1stfragopt(struct sk_buff skb, u8 *nexthdr)	465	int ip6_find_1stfragopt(struct sk_buff skb, u8 *nexthdr)