On Wed, 21 May 2008, Patrick McHardy wrote:

> Pablo Neira Ayuso wrote:
> > As for now we only support dumping. This patch adds support to change
> > the secmark from ctnetlink.
> >
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> >
> > Index: net-2.6.git/net/netfilter/nf_conntrack_netlink.c
> > ===================================================================
> > --- net-2.6.git.orig/net/netfilter/nf_conntrack_netlink.c 2008-05-20 22:10:31.000000000 +0200
> > +++ net-2.6.git/net/netfilter/nf_conntrack_netlink.c 2008-05-20 22:10:56.000000000 +0200
> > @@ -1121,6 +1121,11 @@ ctnetlink_change_conntrack(struct nf_con
> > ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
> > #endif
> >
> > +#if defined(CONFIG_NF_CONNTRACK_SECMARK)
> > + if (cda[CTA_SECMARK])
> > + ct->secmark = ntohl(nla_get_be32(cda[CTA_SECMARK]));
> > +#endif
> > +
> > #ifdef CONFIG_NF_NAT_NEEDED
> > if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
> > err = ctnetlink_change_nat_seq_adj(ct, cda);
>
> I'm wondering whether this isn't subverting the intent of
> secmark since AFAIK SELinux doesn't have fine-grained
> controls for netlink messages. OTOH, it also doesn't have
> fine-grained control over iptables rulesets.
>
> James, does this patch look OK to you?

There is some fine-grained netlink coverage, but it is incomplete (the
various generic netlink layers likely need to be consolidated first).

Currently, the SECMARK and CONNSECMARK targets call out to
selinux_secmark_relabel_packet_permission() when SELinux is active to
obtain a permission check. So, detection of the current security model
would need to be similarly performed.

The bigger issue perhaps is whether there's really a need to set secmark
via ctnetlink.

- James

-- 
James Morris
<jmorris@xxxxxxxxx>
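Review bot: the new CTA_SECMARK branch in ctnetlink_change_conntrack() writes a userspace-supplied label straight into ct->secmark with no permission check, whereas the in-kernel SECMARK and CONNSECMARK targets that already relabel packets and connections go through selinux_secmark_relabel_packet_permission() when SELinux is active (as the reply above notes). Before `ct->secmark = ntohl(nla_get_be32(cda[CTA_SECMARK]));` the same relabel permission should be obtained from the active security module and the error returned to the caller when it is denied, rather than applying the label unconditionally; otherwise any entity allowed to send conntrack update messages can rewrite the security label on an existing connection outside the policy that governs the iptables targets. Minor style point: the neighbouring block in the same hunk uses `#ifdef CONFIG_NF_NAT_NEEDED`, so `#if defined(CONFIG_NF_CONNTRACK_SECMARK)` should be `#ifdef CONFIG_NF_CONNTRACK_SECMARK` for consistency.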