From 46912f1c18e01b63660a56ea7d9c572741e06117 Mon Sep 17 00:00:00 2001 From: Roman Kubiak Date: Tue, 16 Jun 2015 18:14:47 +0200 Subject: src: add security context information This commit adds security context information structures and functions. This will allow userspace to find the security context of each packet (if it exists) and make decisions based on that. It should work for SELinux and SMACK. Signed-off-by: Roman Kubiak Signed-off-by: Pablo Neira Ayuso --- utils/nfqnl_test.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'utils') diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c index b760cf0..5e76ffe 100644 --- a/utils/nfqnl_test.c +++ b/utils/nfqnl_test.c @@ -17,7 +17,7 @@ static uint32_t print_pkt (struct nfq_data *tb) struct nfqnl_msg_packet_hw *hwph; uint32_t mark, ifi, uid, gid; int ret; - unsigned char *data; + unsigned char *data, *secdata; ph = nfq_get_msg_packet_hdr(tb); if (ph) { @@ -61,6 +61,10 @@ static uint32_t print_pkt (struct nfq_data *tb) if (nfq_get_gid(tb, &gid)) printf("gid=%u ", gid); + ret = nfq_get_secctx(tb, &secdata); + if (ret > 0) + printf("secctx=\"%.*s\" ", ret, secdata); + ret = nfq_get_payload(tb, &data); if (ret >= 0) printf("payload_len=%d ", ret); @@ -134,6 +138,12 @@ int main(int argc, char **argv) "retrieve process UID/GID.\n"); } + printf("setting flags to request security context\n"); + if (nfq_set_queue_flags(qh, NFQA_CFG_F_SECCTX, NFQA_CFG_F_SECCTX)) { + fprintf(stderr, "This kernel version does not allow to " + "retrieve security context.\n"); + } + printf("Waiting for packets...\n"); fd = nfq_fd(h); -- cgit v1.2.3