
iptable_security.c (2506B)


      1// SPDX-License-Identifier: GPL-2.0-only
      2/*
      3 * "security" table
      4 *
      5 * This is for use by Mandatory Access Control (MAC) security models,
      6 * which need to be able to manage security policy in separate context
      7 * to DAC.
      8 *
      9 * Based on iptable_mangle.c
     10 *
     11 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
     12 * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
     13 * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
     14 */
     15#include <linux/module.h>
     16#include <linux/netfilter_ipv4/ip_tables.h>
     17#include <linux/slab.h>
     18#include <net/ip.h>
     19
/* Module metadata as reported by modinfo(8). */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
MODULE_DESCRIPTION("iptables security table, for MAC rules");
     23
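/*
 * Hook points at which the "security" table is consulted: local input,
 * forwarding and local output. The whole expansion is parenthesized so the
 * macro remains a single expression wherever it is used (e.g. next to
 * another binary operator or in a comparison); the unparenthesized form
 * only worked because its sole use was a bare initializer.
 */
#define SECURITY_VALID_HOOKS	((1 << NF_INET_LOCAL_IN) | \
				 (1 << NF_INET_FORWARD) | \
				 (1 << NF_INET_LOCAL_OUT))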
     27
/*
 * Descriptor of the "security" table as handed to xtables: an IPv4 table
 * owned by this module, run at the NF_IP_PRI_SECURITY priority on the hook
 * points listed in SECURITY_VALID_HOOKS.
 */
static const struct xt_table security_table = {
	.name		= "security",
	.af		= NFPROTO_IPV4,
	.priority	= NF_IP_PRI_SECURITY,
	.valid_hooks	= SECURITY_VALID_HOOKS,
	.me		= THIS_MODULE,
};
     35
/*
 * Hook ops shared by every per-netns instance of the table: allocated in
 * iptable_security_init(), handed to ipt_register_table() from
 * iptable_security_table_init(), and freed in iptable_security_fini().
 */
static struct nf_hook_ops *sectbl_ops __read_mostly;
     37
/*
 * Instantiate the "security" table in @net. A blank initial ruleset is
 * built from security_table, passed to ipt_register_table() together with
 * the shared hook ops, and released once registration has returned
 * (ipt_register_table() presumably copies what it needs from it — confirm
 * against its implementation before changing this).
 *
 * Returns 0 on success, -ENOMEM if the initial ruleset could not be
 * allocated, or the error reported by ipt_register_table().
 */
static int iptable_security_table_init(struct net *net)
{
	struct ipt_replace *initial;
	int err;

	initial = ipt_alloc_initial_table(&security_table);
	if (!initial)
		return -ENOMEM;

	err = ipt_register_table(net, &security_table, initial, sectbl_ops);
	kfree(initial);

	return err;
}
     50
/*
 * Netns pre_exit callback: first stage of tearing down this module's table
 * in @net. The table is looked up by the name declared in security_table.
 */
static void __net_exit iptable_security_net_pre_exit(struct net *net)
{
	ipt_unregister_table_pre_exit(net, security_table.name);
}
     55
/*
 * Netns exit callback: final stage of tearing down this module's table in
 * @net, after iptable_security_net_pre_exit() has run. The table is looked
 * up by the name declared in security_table.
 */
static void __net_exit iptable_security_net_exit(struct net *net)
{
	ipt_unregister_table_exit(net, security_table.name);
}
     60
/*
 * Per-netns lifecycle hooks. Only teardown callbacks are provided: table
 * creation goes through the template registered with xt_register_template()
 * in iptable_security_init() (iptable_security_table_init) rather than an
 * .init callback here.
 */
static struct pernet_operations iptable_security_net_ops = {
	.pre_exit = iptable_security_net_pre_exit,
	.exit = iptable_security_net_exit,
};
     65
/*
 * Module entry point. Registers the table template (so a netns can create
 * its own instance through iptable_security_table_init()), allocates the
 * shared hook ops, then registers the per-netns operations. Each failure
 * path unwinds exactly what was set up before it.
 *
 * Returns 0 on success or a negative errno.
 */
static int __init iptable_security_init(void)
{
	int ret = xt_register_template(&security_table,
				       iptable_security_table_init);

	if (ret < 0)
		return ret;

	sectbl_ops = xt_hook_ops_alloc(&security_table, ipt_do_table);
	if (IS_ERR(sectbl_ops)) {
		/* sectbl_ops holds an ERR_PTR here, so there is nothing to free. */
		xt_unregister_template(&security_table);
		return PTR_ERR(sectbl_ops);
	}

	ret = register_pernet_subsys(&iptable_security_net_ops);
	if (ret < 0) {
		/*
		 * The template is withdrawn before the ops it hands to new
		 * table instances are freed — presumably so that no further
		 * instance can be created against memory that is about to go
		 * away. Keep this order (NOTE(review): confirm against the
		 * xt_register_template() lifetime rules).
		 */
		xt_unregister_template(&security_table);
		kfree(sectbl_ops);
		return ret;
	}

	/* ret is non-negative here: register_pernet_subsys() succeeded. */
	return ret;
}
     89
/*
 * Module exit. The per-netns subsystem is removed first (presumably running
 * the iptable_security_net_ops teardown callbacks for each existing netns),
 * then the shared hook ops are freed and the template withdrawn. Note that
 * this frees sectbl_ops before unregistering the template, the reverse of
 * the order used on the iptable_security_init() error path.
 */
static void __exit iptable_security_fini(void)
{
	unregister_pernet_subsys(&iptable_security_net_ops);
	kfree(sectbl_ops);
	xt_unregister_template(&security_table);
}
     96
/* Wire the entry and exit points into the module loader. */
module_init(iptable_security_init);
module_exit(iptable_security_fini);