root/net/ipv4/netfilter/iptable_security.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * "security" table
   4  *
   5  * This is for use by Mandatory Access Control (MAC) security models,
   6  * which need to be able to manage security policy in separate context
   7  * to DAC.
   8  *
   9  * Based on iptable_mangle.c
  10  *
  11  * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
  12  * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
  13  * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
  14  */
  15 #include <linux/module.h>
  16 #include <linux/netfilter_ipv4/ip_tables.h>
  17 #include <linux/slab.h>
  18 #include <net/ip.h>
  19 
/* Module metadata exported to modinfo/modprobe. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
MODULE_DESCRIPTION("iptables security table, for MAC rules");
  23 
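/*
 * Mask of netfilter hooks the "security" table may attach rules to:
 * LOCAL_IN, FORWARD and LOCAL_OUT.  The whole expansion is parenthesised
 * so the mask is safe to combine with other operators at a use site
 * (without the outer parentheses a trailing `& x` would bind only to the
 * last term).
 */
#define SECURITY_VALID_HOOKS    ((1 << NF_INET_LOCAL_IN) | \
                                 (1 << NF_INET_FORWARD) | \
                                 (1 << NF_INET_LOCAL_OUT))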
  27 
/*
 * Forward declaration: security_table.table_init below refers to this
 * function before its definition, which follows the hook function.
 */
static int __net_init iptable_security_table_init(struct net *net);
  29 
/*
 * Registration record for the IPv4 "security" table: the hooks it may
 * own are limited to SECURITY_VALID_HOOKS and its rules run at
 * NF_IP_PRI_SECURITY.  .table_init points at the per-namespace creator
 * defined below; presumably xtables calls it when a namespace first needs
 * the table.
 */
static const struct xt_table security_table = {
        .name           = "security",
        .af             = NFPROTO_IPV4,
        .priority       = NF_IP_PRI_SECURITY,
        .valid_hooks    = SECURITY_VALID_HOOKS,
        .me             = THIS_MODULE,
        .table_init     = iptable_security_table_init,
};
  38 
/*
 * Netfilter hook entry point: evaluate @skb against the "security" table
 * of the namespace attached to @state and return the table's verdict.
 * @priv is not used; the table is looked up through state->net.
 */
static unsigned int
iptable_security_hook(void *priv, struct sk_buff *skb,
                      const struct nf_hook_state *state)
{
        struct xt_table *table = state->net->ipv4.iptable_security;

        return ipt_do_table(skb, state, table);
}
  45 
/*
 * Hook ops shared by every network namespace's "security" table.
 * Allocated once in iptable_security_init() and freed in
 * iptable_security_fini() (or on the init failure paths).
 */
static struct nf_hook_ops *sectbl_ops __read_mostly;
  47 
/*
 * Create the "security" table for @net if it does not exist yet.
 *
 * Builds the initial ruleset from security_table, registers it with the
 * shared sectbl_ops and stores the table in net->ipv4.iptable_security.
 *
 * Returns 0 on success (also when the table already exists), -ENOMEM if
 * the initial ruleset cannot be allocated, or the error from
 * ipt_register_table().  The temporary replace buffer is freed on every
 * path after allocation.
 */
static int __net_init iptable_security_table_init(struct net *net)
{
        struct ipt_replace *initial;
        int err = 0;

        if (!net->ipv4.iptable_security) {
                initial = ipt_alloc_initial_table(&security_table);
                if (!initial)
                        return -ENOMEM;

                err = ipt_register_table(net, &security_table, initial,
                                         sectbl_ops,
                                         &net->ipv4.iptable_security);
                kfree(initial);
        }

        return err;
}
  64 
/*
 * Per-namespace teardown: unregister @net's "security" table if one was
 * created and clear the pointer so a stale table is never reused.
 */
static void __net_exit iptable_security_net_exit(struct net *net)
{
        struct xt_table *table = net->ipv4.iptable_security;

        if (table) {
                ipt_unregister_table(net, table, sectbl_ops);
                net->ipv4.iptable_security = NULL;
        }
}
  73 
/*
 * Only an .exit callback is registered: the table is not created when a
 * namespace comes up but through security_table.table_init (see
 * iptable_security_table_init), and this callback tears down whatever
 * that created.
 */
static struct pernet_operations iptable_security_net_ops = {
        .exit = iptable_security_net_exit,
};
  77 
/*
 * Module entry: allocate the shared hook ops, register the pernet
 * subsystem and create the table for init_net.  Each step undoes the
 * previous ones on failure.  Returns 0 on success, otherwise the negative
 * error of the step that failed.
 */
static int __init iptable_security_init(void)
{
        int err;

        sectbl_ops = xt_hook_ops_alloc(&security_table, iptable_security_hook);
        if (IS_ERR(sectbl_ops))
                return PTR_ERR(sectbl_ops);

        err = register_pernet_subsys(&iptable_security_net_ops);
        if (err < 0)
                goto free_ops;

        err = iptable_security_table_init(&init_net);
        if (err)
                goto unregister_pernet;

        return 0;

unregister_pernet:
        unregister_pernet_subsys(&iptable_security_net_ops);
free_ops:
        kfree(sectbl_ops);
        return err;
}
 100 
/*
 * Module exit.  The pernet subsystem is unregistered first so every
 * namespace's table (which references sectbl_ops) is torn down before the
 * shared hook ops are freed.
 */
static void __exit iptable_security_fini(void)
{
        unregister_pernet_subsys(&iptable_security_net_ops);
        kfree(sectbl_ops);
}
 106 
/* Wire the init/exit routines to module load and unload. */
module_init(iptable_security_init);
module_exit(iptable_security_fini);
