
/net/ipv6/netfilter/ip6table_security.c

  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * "security" table for IPv6
  4 *
  5 * This is for use by Mandatory Access Control (MAC) security models,
  6 * which need to be able to manage security policy in separate context
  7 * to DAC.
  8 *
  9 * Based on iptable_mangle.c
 10 *
 11 * Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 12 * Copyright (C) 2000-2004 Netfilter Core Team <coreteam <at> netfilter.org>
 13 * Copyright (C) 2008 Red Hat, Inc., James Morris <jmorris <at> redhat.com>
 14 */
 15#include <linux/module.h>
 16#include <linux/netfilter_ipv6/ip6_tables.h>
 17#include <linux/slab.h>
 18
/* Module metadata exposed through modinfo; "GPL" matches the SPDX tag above. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <jmorris <at> redhat.com>");
MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
 22
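/*
 * Hook points at which the "security" table is consulted: local input,
 * forwarding and local output only.  The whole expansion is wrapped in
 * parentheses so the bitwise OR cannot bind unexpectedly if the macro
 * is ever used inside a larger expression (it is currently only used as
 * a struct initializer, where the original form happened to be safe).
 */
#define SECURITY_VALID_HOOKS	((1 << NF_INET_LOCAL_IN) | \
				 (1 << NF_INET_FORWARD) | \
				 (1 << NF_INET_LOCAL_OUT))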
 26
/*
 * Forward declaration: security_table below refers to this function via
 * .table_init before its definition further down in the file.
 */
static int __net_init ip6table_security_table_init(struct net *net);
 28
/*
 * Template describing the IPv6 "security" table.  It is registered once
 * per network namespace by ip6table_security_table_init(); the hook
 * callback itself is attached separately via sectbl_ops.
 */
static const struct xt_table security_table = {
	.name		= "security",
	/* LOCAL_IN, FORWARD and LOCAL_OUT only; see SECURITY_VALID_HOOKS. */
	.valid_hooks	= SECURITY_VALID_HOOKS,
	.me		= THIS_MODULE,
	.af		= NFPROTO_IPV6,
	/*
	 * NF_IP6_PRI_SECURITY orders this table after the "filter" table in
	 * the hook chain, so MAC rules only see traffic that DAC filtering
	 * has already accepted.
	 */
	.priority	= NF_IP6_PRI_SECURITY,
	/* Lazily instantiates the table in a namespace on first use. */
	.table_init     = ip6table_security_table_init,
};
 37
/*
 * Netfilter hook callback for the "security" table.
 *
 * Resolves the per-namespace table instance through @state->net and
 * hands the packet to the generic ip6_tables rule traversal; the
 * verdict returned is whatever ip6t_do_table() produces.  @priv is not
 * used by this table.
 */
static unsigned int
ip6table_security_hook(void *priv, struct sk_buff *skb,
		       const struct nf_hook_state *state)
{
	struct xt_table *table = state->net->ipv6.ip6table_security;

	return ip6t_do_table(skb, state, table);
}
 44
/*
 * Hook operations shared by every namespace's security table.  Allocated
 * once in ip6table_security_init(), freed in ip6table_security_fini();
 * written only at module load, hence __read_mostly.
 */
static struct nf_hook_ops *sectbl_ops __read_mostly;
 46
/*
 * Instantiate the "security" table in network namespace @net.
 *
 * Idempotent: returns 0 immediately if the namespace already has a
 * table.  Otherwise builds the empty initial ruleset from the template
 * and registers it together with sectbl_ops, publishing the result in
 * net->ipv6.ip6table_security.
 *
 * Returns 0 on success, -ENOMEM if the initial ruleset cannot be
 * allocated, or the error from ip6t_register_table().
 */
static int __net_init ip6table_security_table_init(struct net *net)
{
	struct ip6t_replace *initial;
	int err;

	/* Already present in this namespace: nothing to do. */
	if (net->ipv6.ip6table_security)
		return 0;

	initial = ip6t_alloc_initial_table(&security_table);
	if (!initial)
		return -ENOMEM;

	err = ip6t_register_table(net, &security_table, initial, sectbl_ops,
				  &net->ipv6.ip6table_security);
	/*
	 * The initial ruleset is released whether or not registration
	 * succeeded (presumably ip6t_register_table() takes its own copy).
	 */
	kfree(initial);

	return err;
}
 63
/*
 * Per-namespace teardown: unregister and release the security table of
 * @net if one was ever instantiated, then clear the namespace pointer so
 * nothing can reach the freed table afterwards.  Namespaces that never
 * got a table are left untouched.
 */
static void __net_exit ip6table_security_net_exit(struct net *net)
{
	struct xt_table *table = net->ipv6.ip6table_security;

	if (table) {
		ip6t_unregister_table(net, table, sectbl_ops);
		net->ipv6.ip6table_security = NULL;
	}
}
 71
/*
 * Namespace lifecycle hooks.  There is deliberately no .init: tables are
 * created on demand through security_table.table_init (and explicitly
 * for init_net in ip6table_security_init()), so only teardown is needed.
 */
static struct pernet_operations ip6table_security_net_ops = {
	.exit = ip6table_security_net_exit,
};
 75
/*
 * Module entry point.
 *
 * Allocates the shared hook ops, registers the per-namespace teardown,
 * and instantiates the table in the initial namespace.  Each failure
 * step unwinds exactly what was set up before it.
 *
 * Returns 0 on success or a negative errno.
 */
static int __init ip6table_security_init(void)
{
	int ret;

	sectbl_ops = xt_hook_ops_alloc(&security_table, ip6table_security_hook);
	if (IS_ERR(sectbl_ops))
		return PTR_ERR(sectbl_ops);

	ret = register_pernet_subsys(&ip6table_security_net_ops);
	if (ret < 0)
		goto err_free_ops;

	ret = ip6table_security_table_init(&init_net);
	if (ret)
		goto err_unregister_pernet;

	return 0;

err_unregister_pernet:
	unregister_pernet_subsys(&ip6table_security_net_ops);
err_free_ops:
	kfree(sectbl_ops);
	return ret;
}
 97
/*
 * Module exit: tearing down the pernet subsystem runs
 * ip6table_security_net_exit() for every namespace, which unregisters
 * the hooks that reference sectbl_ops.  The ops must therefore be freed
 * only after that call returns.
 */
static void __exit ip6table_security_fini(void)
{
	unregister_pernet_subsys(&ip6table_security_net_ops);
	kfree(sectbl_ops);
}
103
/* Register the module load/unload entry points defined above. */
module_init(ip6table_security_init);
module_exit(ip6table_security_fini);