RISC-V: replace cbom instructions with an insn-def

[linux.git] / net / netfilter / xt_SECMARK.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Module for modifying the secmark field of the skb, for use by
 * security subsystems.
 *
 * Based on the nfmark match by:
 * (C) 1999-2001 Marc Boucher <[email protected]>
 *
 * (C) 2006,2008 Red Hat, Inc., James Morris <[email protected]>
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/security.h>
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_SECMARK.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("James Morris <[email protected]>");
MODULE_DESCRIPTION("Xtables: packet security mark modification");
MODULE_ALIAS("ipt_SECMARK");
MODULE_ALIAS("ip6t_SECMARK");

static u8 mode;

static unsigned int
secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
{
        u32 secmark = 0;

        switch (mode) {
        case SECMARK_MODE_SEL:
                secmark = info->secid;
                break;
        default:
                BUG();
        }

        skb->secmark = secmark;
        return XT_CONTINUE;
}

static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
{
        int err;

        info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
        info->secid = 0;

        err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
                                       &info->secid);
        if (err) {
                if (err == -EINVAL)
                        pr_info_ratelimited("invalid security context \'%s\'\n",
                                            info->secctx);
                return err;
        }

        if (!info->secid) {
                pr_info_ratelimited("unable to map security context \'%s\'\n",
                                    info->secctx);
                return -ENOENT;
        }

        err = security_secmark_relabel_packet(info->secid);
        if (err) {
                pr_info_ratelimited("unable to obtain relabeling permission\n");
                return err;
        }

        security_secmark_refcount_inc();
        return 0;
}

static int
secmark_tg_check(const char *table, struct xt_secmark_target_info_v1 *info)
{
        int err;

        if (strcmp(table, "mangle") != 0 &&
            strcmp(table, "security") != 0) {
                pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
                                    table);
                return -EINVAL;
        }

        if (mode && mode != info->mode) {
                pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
                                    mode, info->mode);
                return -EINVAL;
        }

        switch (info->mode) {
        case SECMARK_MODE_SEL:
                break;
        default:
                pr_info_ratelimited("invalid mode: %hu\n", info->mode);
                return -EINVAL;
        }

        err = checkentry_lsm(info);
        if (err)
                return err;

        if (!mode)
                mode = info->mode;
        return 0;
}

static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
{
        switch (mode) {
        case SECMARK_MODE_SEL:
                security_secmark_refcount_dec();
        }
}

static int secmark_tg_check_v0(const struct xt_tgchk_param *par)
{
        struct xt_secmark_target_info *info = par->targinfo;
        struct xt_secmark_target_info_v1 newinfo = {
                .mode   = info->mode,
        };
        int ret;

        memcpy(newinfo.secctx, info->secctx, SECMARK_SECCTX_MAX);

        ret = secmark_tg_check(par->table, &newinfo);
        info->secid = newinfo.secid;

        return ret;
}

static unsigned int
secmark_tg_v0(struct sk_buff *skb, const struct xt_action_param *par)
{
        const struct xt_secmark_target_info *info = par->targinfo;
        struct xt_secmark_target_info_v1 newinfo = {
                .secid  = info->secid,
        };

        return secmark_tg(skb, &newinfo);
}

static int secmark_tg_check_v1(const struct xt_tgchk_param *par)
{
        return secmark_tg_check(par->table, par->targinfo);
}

static unsigned int
secmark_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
{
        return secmark_tg(skb, par->targinfo);
}

static struct xt_target secmark_tg_reg[] __read_mostly = {
        {
                .name           = "SECMARK",
                .revision       = 0,
                .family         = NFPROTO_UNSPEC,
                .checkentry     = secmark_tg_check_v0,
                .destroy        = secmark_tg_destroy,
                .target         = secmark_tg_v0,
                .targetsize     = sizeof(struct xt_secmark_target_info),
                .me             = THIS_MODULE,
        },
        {
                .name           = "SECMARK",
                .revision       = 1,
                .family         = NFPROTO_UNSPEC,
                .checkentry     = secmark_tg_check_v1,
                .destroy        = secmark_tg_destroy,
                .target         = secmark_tg_v1,
                .targetsize     = sizeof(struct xt_secmark_target_info_v1),
                .usersize       = offsetof(struct xt_secmark_target_info_v1, secid),
                .me             = THIS_MODULE,
        },
};

static int __init secmark_tg_init(void)
{
        return xt_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
}

static void __exit secmark_tg_exit(void)
{
        xt_unregister_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
}

module_init(secmark_tg_init);
module_exit(secmark_tg_exit);