diff options
| author | Roman Kubiak <r.kubiak@samsung.com> | 2015-06-16 18:14:47 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-30 17:30:09 +0200 |
| commit | 46912f1c18e01b63660a56ea7d9c572741e06117 (patch) | |
| tree | 5e86b54ba873569a4dd234665dcd445e6f9ade47 | |
| parent | 9783143905ddceb174dacd1ad94a13ae36bfc4ae (diff) | |
src: add security context information
This commit adds security context information structures
and functions.
This will allow userspace to find the security context of each
packet (if it exists) and make decisions based on that.
It should work for SELinux and SMACK.
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | include/libnetfilter_queue/libnetfilter_queue.h | 2 | ||||
| -rw-r--r-- | include/libnetfilter_queue/linux_nfnetlink_queue.h | 4 | ||||
| -rw-r--r-- | include/linux/netfilter/nfnetlink_queue.h | 4 | ||||
| -rw-r--r-- | src/libnetfilter_queue.c | 23 | ||||
| -rw-r--r-- | src/nlmsg.c | 1 | ||||
| -rw-r--r-- | utils/nfqnl_test.c | 12 |
6 files changed, 43 insertions, 3 deletions
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h index bde7209..2e38411 100644 --- a/include/libnetfilter_queue/libnetfilter_queue.h +++ b/include/libnetfilter_queue/libnetfilter_queue.h @@ -105,6 +105,7 @@ extern uint32_t nfq_get_outdev(struct nfq_data *nfad); extern uint32_t nfq_get_physoutdev(struct nfq_data *nfad); extern int nfq_get_uid(struct nfq_data *nfad, uint32_t *uid); extern int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid); +extern int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata); extern int nfq_get_indev_name(struct nlif_handle *nlif_handle, struct nfq_data *nfad, char *name); @@ -129,6 +130,7 @@ enum { NFQ_XML_TIME = (1 << 5), NFQ_XML_UID = (1 << 6), NFQ_XML_GID = (1 << 7), + NFQ_XML_SECCTX = (1 << 8), NFQ_XML_ALL = ~0U, }; diff --git a/include/libnetfilter_queue/linux_nfnetlink_queue.h b/include/libnetfilter_queue/linux_nfnetlink_queue.h index 5b6ae95..1975dfa 100644 --- a/include/libnetfilter_queue/linux_nfnetlink_queue.h +++ b/include/libnetfilter_queue/linux_nfnetlink_queue.h @@ -53,6 +53,7 @@ enum nfqnl_attr_type { NFQA_EXP, /* nf_conntrack_netlink.h */ NFQA_UID, /* __u32 sk uid */ NFQA_GID, /* __u32 sk gid */ + NFQA_SECCTX, /* security context string */ __NFQA_MAX }; @@ -106,7 +107,8 @@ enum nfqnl_attr_config { #define NFQA_CFG_F_CONNTRACK (1 << 1) #define NFQA_CFG_F_GSO (1 << 2) #define NFQA_CFG_F_UID_GID (1 << 3) -#define NFQA_CFG_F_MAX (1 << 4) +#define NFQA_CFG_F_SECCTX (1 << 4) +#define NFQA_CFG_F_MAX (1 << 5) /* flags for NFQA_SKB_INFO */ /* packet appears to have wrong checksums, but they are ok */ diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h index 22f5d45..030672d 100644 --- a/include/linux/netfilter/nfnetlink_queue.h +++ b/include/linux/netfilter/nfnetlink_queue.h @@ -49,6 +49,7 @@ enum nfqnl_attr_type { NFQA_EXP, /* nf_conntrack_netlink.h */ NFQA_UID, /* __u32 sk uid */ NFQA_GID, /* __u32 sk gid */ + NFQA_SECCTX, __NFQA_MAX }; @@ -102,7 +103,8 @@ enum nfqnl_attr_config { #define NFQA_CFG_F_CONNTRACK (1 << 1) #define NFQA_CFG_F_GSO (1 << 2) #define NFQA_CFG_F_UID_GID (1 << 3) -#define NFQA_CFG_F_MAX (1 << 4) +#define NFQA_CFG_F_SECCTX (1 << 4) +#define NFQA_CFG_F_MAX (1 << 5) /* flags for NFQA_SKB_INFO */ /* packet appears to have wrong checksums, but they are ok */ diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c index c9ed865..84184ee 100644 --- a/src/libnetfilter_queue.c +++ b/src/libnetfilter_queue.c @@ -1218,6 +1218,29 @@ int nfq_get_gid(struct nfq_data *nfad, uint32_t *gid) } EXPORT_SYMBOL(nfq_get_gid); + +/** + * nfq_get_secctx - get the security context for this packet + * \param nfad Netlink packet data handle passed to callback function + * \param secdata data to write the security context to + * + * \return -1 on error, otherwise > 0 + */ +int nfq_get_secctx(struct nfq_data *nfad, unsigned char **secdata) +{ + if (!nfnl_attr_present(nfad->data, NFQA_SECCTX)) + return -1; + + *secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data, + NFQA_SECCTX, char); + + if (*secdata) + return NFA_PAYLOAD(nfad->data[NFQA_SECCTX-1]); + + return 0; +} +EXPORT_SYMBOL(nfq_get_secctx); + /** * nfq_get_payload - get payload * \param nfad Netlink packet data handle passed to callback function diff --git a/src/nlmsg.c b/src/nlmsg.c index aebdd5e..cabd8be 100644 --- a/src/nlmsg.c +++ b/src/nlmsg.c @@ -137,6 +137,7 @@ static int nfq_pkt_parse_attr_cb(const struct nlattr *attr, void *data) case NFQA_IFINDEX_PHYSOUTDEV: case NFQA_CAP_LEN: case NFQA_SKB_INFO: + case NFQA_SECCTX: case NFQA_UID: case NFQA_GID: if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) diff --git a/utils/nfqnl_test.c b/utils/nfqnl_test.c index b760cf0..5e76ffe 100644 --- a/utils/nfqnl_test.c +++ b/utils/nfqnl_test.c @@ -17,7 +17,7 @@ static uint32_t print_pkt (struct nfq_data *tb) struct nfqnl_msg_packet_hw *hwph; uint32_t mark, ifi, uid, gid; int ret; - unsigned char *data; + unsigned char *data, *secdata; ph = nfq_get_msg_packet_hdr(tb); if (ph) { @@ -61,6 +61,10 @@ static uint32_t print_pkt (struct nfq_data *tb) if (nfq_get_gid(tb, &gid)) printf("gid=%u ", gid); + ret = nfq_get_secctx(tb, &secdata); + if (ret > 0) + printf("secctx=\"%.*s\" ", ret, secdata); + ret = nfq_get_payload(tb, &data); if (ret >= 0) printf("payload_len=%d ", ret); @@ -134,6 +138,12 @@ int main(int argc, char **argv) "retrieve process UID/GID.\n"); } + printf("setting flags to request security context\n"); + if (nfq_set_queue_flags(qh, NFQA_CFG_F_SECCTX, NFQA_CFG_F_SECCTX)) { + fprintf(stderr, "This kernel version does not allow to " + "retrieve security context.\n"); + } + printf("Waiting for packets...\n"); fd = nfq_fd(h); |