Commit 984bc16c authored by James Morris's avatar James Morris Committed by David S. Miller

[SECMARK]: Add secmark support to core networking.



Add a secmark field to the skbuff structure, to allow security subsystems to
place security markings on network packets.  This is similar to the nfmark
field, except that it is intended for implementing security policy, rather than
networking policy.

This patch was already acked in principle by Dave Miller.

Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c749b29f
+22 −0
@@ -210,6 +210,7 @@ enum {
 *	@nf_bridge: Saved data about a bridged frame - see br_netfilter.c
 *	@tc_index: Traffic control index
 *	@tc_verd: traffic control verdict
 *	@secmark: security marking
 */

struct sk_buff {
@@ -289,6 +290,9 @@ struct sk_buff {
#ifdef CONFIG_NET_DMA
	dma_cookie_t		dma_cookie;
#endif
#ifdef CONFIG_NETWORK_SECMARK
	__u32			secmark;
#endif


	/* These elements must be at the end, see alloc_skb() for details.  */
@@ -1400,5 +1404,23 @@ static inline void nf_reset(struct sk_buff *skb)
static inline void nf_reset(struct sk_buff *skb) {}
#endif /* CONFIG_NETFILTER */

#ifdef CONFIG_NETWORK_SECMARK
static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
{
	to->secmark = from->secmark;
}

static inline void skb_init_secmark(struct sk_buff *skb)
{
	skb->secmark = 0;
}
#else
static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
{ }

static inline void skb_init_secmark(struct sk_buff *skb)
{ }
#endif

#endif	/* __KERNEL__ */
#endif	/* _LINUX_SKBUFF_H */
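Review bot: The kernel-doc entry added for the new field says only `@secmark: security marking`, which leaves the two things a reader of struct sk_buff needs unsaid: who writes the value and what the zero that skb_init_secmark() stores means. The commit message says the field is for security subsystems to label packets, and skb_init_secmark() zeroes it, so 0 is presumably "no label"; suggest `@secmark: security marking (written by a security subsystem; 0 presumably means unlabelled)` and a one-line comment above the helper pair in the third hunk stating that skb_copy_secmark() propagates the label to a derived skb and skb_init_secmark() clears it, with the `#else` stubs being no-ops when CONFIG_NETWORK_SECMARK is off.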
+7 −0
@@ -66,6 +66,13 @@ source "net/ipv6/Kconfig"

endif # if INET

config NETWORK_SECMARK
	bool "Security Marking"
	help
	  This enables security marking of network packets, similar
	  to nfmark, but designated for security purposes.
	  If you are unsure how to answer this question, answer N.

menuconfig NETFILTER
	bool "Network packet filtering (replaces ipchains)"
	---help---
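Review bot: The help text for NETWORK_SECMARK does not mention the cost of enabling it, which is the one fact a configurer weighing "unsure, answer N" would want: the first file of this commit adds a `__u32 secmark` to every struct sk_buff when the option is on. Suggest adding a sentence such as `This adds a 32-bit field to every network packet buffer.` before the "If you are unsure" line.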
+2 −1
@@ -464,7 +464,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t gfp_mask)
	n->tc_verd = CLR_TC_MUNGED(n->tc_verd);
	C(input_dev);
#endif

	skb_copy_secmark(n, skb);
#endif
	C(truesize);
	atomic_set(&n->users, 1);
@@ -526,6 +526,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
#endif
	new->tc_index	= old->tc_index;
#endif
	skb_copy_secmark(new, old);
	atomic_set(&new->users, 1);
	skb_shinfo(new)->tso_size = skb_shinfo(old)->tso_size;
	skb_shinfo(new)->tso_segs = skb_shinfo(old)->tso_segs;
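Review bot: In the skb_clone hunk the new `skb_copy_secmark(n, skb);` is placed between two `#endif` lines, i.e. inside a preprocessor block whose `#ifdef` is above the hunk; the block holds the tc_verd and input_dev handling, so it looks like a traffic-control conditional (CONFIG_NET_SCHED or similar), which would mean a clone silently loses its security mark in kernels built without that option. The copy_skb_header hunk in the same file puts `skb_copy_secmark(new, old);` after the last `#endif`, unconditionally, which is the placement the clone path should match: move the call below the second `#endif`, next to `C(truesize);`. skb_clone's body starts and ends outside the hunk, so the identity of the enclosing `#ifdef` should be confirmed in the full file.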
+1 −0
@@ -410,6 +410,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
	nf_bridge_get(to->nf_bridge);
#endif
#endif
	skb_copy_secmark(to, from);
}

/*
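Review bot: The new `skb_copy_secmark(to, from);` in ip_copy_metadata() covers IPv4 fragment copies; if there is an IPv6 counterpart of this function that is not among the files shown here, it presumably needs the same call, otherwise IPv6 fragments would be emitted without the label of the original packet. ip_copy_metadata's body starts outside the hunk.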
+1 −0
@@ -147,6 +147,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
	/* This packet will not be the same as the other: clear nf fields */
	nf_reset(nskb);
	nskb->nfmark = 0;
	skb_init_secmark(nskb);

	tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
