[SECMARK]: Add secmark support to core networking.

Add a secmark field to the skbuff structure, to allow security subsystems to place security markings on network packets. This is similar to the nfmark field, except is intended for implementing security policy, rather than than networking policy. This patch was already acked in principle by Dave Miller. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: James Morris <jmorris@namei.org> 2006-06-09 03:29:17 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-06-18 00:29:57 -0400
commit: 984bc16cc92ea3c247bf34ad667cfb95331b9d3c (patch)
tree: 2342638457f43980501179056f4ba1e4e3c2c1aa /net
parent: c749b29fae74ed59c507d84025b3298202b42609 (diff)
5 files changed, 12 insertions, 1 deletions
diff --git a/net/Kconfig b/net/Kconfig
index ccadc8e48152..c6cec5aa5486 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -66,6 +66,13 @@ source "net/ipv6/Kconfig"
 endif # if INET
+config NETWORK_SECMARK
+        bool "Security Marking"
+        help
+          This enables security marking of network packets, similar
+          to nfmark, but designated for security purposes.
+          If you are unsure how to answer this question, answer N.
 menuconfig NETFILTER
        bool "Network packet filtering (replaces ipchains)"
        ---help---
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index fb3770f9c094..96cdcbe24ba2 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -464,7 +464,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
        n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
        C(input_dev);
 #endif
+        skb_copy_secmark(n, skb);
 #endif
        C(truesize);
        atomic_set(&n->users, 1);
@@ -526,6 +526,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
 #endif
        new->tc_index   = old->tc_index;
 #endif
+        skb_copy_secmark(new, old);
        atomic_set(&new->users, 1);
        skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
        skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index cff9c3a72daf..d4bb3fae4e49 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+        skb_copy_secmark(to, from);
 }
 /*
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 0bba3c2bb786..431a3ce6f7b7 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        /* This packet will not be the same as the other: clear nf fields */
        nf_reset(nskb);
        nskb->nfmark = 0;
+        skb_init_secmark(nskb);
        tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 416f6e428a0a..d29620f4910e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -459,6 +459,7 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        nf_bridge_get(to->nf_bridge);
 #endif
 #endif
+        skb_copy_secmark(to, from);
 }
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
author	James Morris <jmorris@namei.org>	2006-06-09 03:29:17 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-06-18 00:29:57 -0400
commit	984bc16cc92ea3c247bf34ad667cfb95331b9d3c (patch)
tree	2342638457f43980501179056f4ba1e4e3c2c1aa /net
parent	c749b29fae74ed59c507d84025b3298202b42609 (diff)

diff --git a/net/Kconfig b/net/Kconfig index ccadc8e48152..c6cec5aa5486 100644 --- a/net/Kconfig +++ b/net/Kconfig
@@ -66,6 +66,13 @@ source "net/ipv6/Kconfig"
66		66
67	endif # if INET	67	endif # if INET
68		68
		69	config NETWORK_SECMARK
		70	bool "Security Marking"
		71	help
		72	This enables security marking of network packets, similar
		73	to nfmark, but designated for security purposes.
		74	If you are unsure how to answer this question, answer N.
		75
69	menuconfig NETFILTER	76	menuconfig NETFILTER
70	bool "Network packet filtering (replaces ipchains)"	77	bool "Network packet filtering (replaces ipchains)"
71	---help---	78	---help---


diff --git a/net/core/skbuff.c b/net/core/skbuff.c index fb3770f9c094..96cdcbe24ba2 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c
@@ -464,7 +464,7 @@ struct sk_buff skb_clone(struct sk_buff skb, gfp_t gfp_mask)
464	n->tc_verd = CLR_TC_MUNGED(n->tc_verd);	464	n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
465	C(input_dev);	465	C(input_dev);
466	#endif	466	#endif
467		467	skb_copy_secmark(n, skb);
468	#endif	468	#endif
469	C(truesize);	469	C(truesize);
470	atomic_set(&n->users, 1);	470	atomic_set(&n->users, 1);
@@ -526,6 +526,7 @@ static void copy_skb_header(struct sk_buff new, const struct sk_buff old)
526	#endif	526	#endif
527	new->tc_index = old->tc_index;	527	new->tc_index = old->tc_index;
528	#endif	528	#endif
		529	skb_copy_secmark(new, old);
529	atomic_set(&new->users, 1);	530	atomic_set(&new->users, 1);
530	skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;	531	skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
531	skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;	532	skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;


diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index cff9c3a72daf..d4bb3fae4e49 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_buff to, struct sk_buff from)
410	nf_bridge_get(to->nf_bridge);	410	nf_bridge_get(to->nf_bridge);
411	#endif	411	#endif
412	#endif	412	#endif
		413	skb_copy_secmark(to, from);
413	}	414	}
414		415
415	/*	416	/*


diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index 0bba3c2bb786..431a3ce6f7b7 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
147	/* This packet will not be the same as the other: clear nf fields */	147	/* This packet will not be the same as the other: clear nf fields */
148	nf_reset(nskb);	148	nf_reset(nskb);
149	nskb->nfmark = 0;	149	nskb->nfmark = 0;
		150	skb_init_secmark(nskb);
150		151
151	tcph = (struct tcphdr )((u_int32_t)nskb->nh.iph + nskb->nh.iph->ihl);	152	tcph = (struct tcphdr )((u_int32_t)nskb->nh.iph + nskb->nh.iph->ihl);
152		153


diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 416f6e428a0a..d29620f4910e 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c
@@ -459,6 +459,7 @@ static void ip6_copy_metadata(struct sk_buff to, struct sk_buff from)
459	nf_bridge_get(to->nf_bridge);	459	nf_bridge_get(to->nf_bridge);
460	#endif	460	#endif
461	#endif	461	#endif
		462	skb_copy_secmark(to, from);
462	}	463	}
463		464
464	int ip6_find_1stfragopt(struct sk_buff skb, u8 *nexthdr)	465	int ip6_find_1stfragopt(struct sk_buff skb, u8 *nexthdr)