[RFC] IPv4 Netfilter hook priorities for SELinux

[RFC] IPv4 Netfilter hook priorities for SELinux

[James Morris]

SELinux needs to use some Netfilter hooks, and I'd like to propose the 
hook priorities below for the mainline kernel.

As SELinux is a mandatory access control system, it needs to be able to
look at packets before and after they may have been modified.  Two 
priorities are thus required.

The SELINUX_LAST priority is straightforward: this is after all mangling
and NAT has occurred.

The SELINUX_FIRST priority needs to be located before any packet
modification hooks, although it is also potentially useful if located
prior to conntrack so that SELinux has an opportunity to reject packets 
before they enter the conntrack code.

Does anyone have any objections to the patch below (which I'd propose for 
2.6.2), or other comments?


- James
-- 
James Morris
<jmorris@redhat.com>

diff -urN -X dontdiff linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h
--- linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h	2003-09-27 20:50:51.000000000 -0400
+++ linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h	2004-01-06 10:14:59.503138800 -0500
@@ -51,6 +51,7 @@
 
 enum nf_ip_hook_priorities {
 	NF_IP_PRI_FIRST = INT_MIN,
+	NF_IP_PRI_SELINUX_FIRST = -225,
 	NF_IP_PRI_CONNTRACK = -200,
 	NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
 	NF_IP_PRI_MANGLE = -150,
@@ -58,6 +59,7 @@
 	NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT = -50,
 	NF_IP_PRI_FILTER = 0,
 	NF_IP_PRI_NAT_SRC = 100,
+	NF_IP_PRI_SELINUX_LAST = 225,
 	NF_IP_PRI_LAST = INT_MAX,
 };
 

Re: [RFC] IPv4 Netfilter hook priorities for SELinux

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 686 bytes --]

On Tue, Jan 06, 2004 at 11:01:03AM -0500, James Morris wrote:
 
> Does anyone have any objections to the patch below (which I'd propose for 
> 2.6.2), or other comments?

Thanks James, I am perfectly fine with your patch.  Feel free to put
them into netfilter_arp.h and netfilter_ipv6.h, too.

> - James

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [RFC] IPv4 Netfilter hook priorities for SELinux

[James Morris]

On Tue, 6 Jan 2004, Harald Welte wrote:

> On Tue, Jan 06, 2004 at 11:01:03AM -0500, James Morris wrote:
>  
> > Does anyone have any objections to the patch below (which I'd propose for 
> > 2.6.2), or other comments?
> 
> Thanks James, I am perfectly fine with your patch.  Feel free to put
> them into netfilter_arp.h and netfilter_ipv6.h, too.

Ok, here is the patch with support for IPv4 and IPv6.  I've not added 
anything for ARP yet as SELinux does not have any ARP controls at this 
stage (and probably won't in the near future).

Please apply.


- James
-- 
James Morris
<jmorris@redhat.com>

diff -urN -X dontdiff linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h
--- linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h	2003-09-27 20:50:51.000000000 -0400
+++ linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h	2004-01-06 10:14:59.000000000 -0500
@@ -51,6 +51,7 @@
 
 enum nf_ip_hook_priorities {
 	NF_IP_PRI_FIRST = INT_MIN,
+	NF_IP_PRI_SELINUX_FIRST = -225,
 	NF_IP_PRI_CONNTRACK = -200,
 	NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
 	NF_IP_PRI_MANGLE = -150,
@@ -58,6 +59,7 @@
 	NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT = -50,
 	NF_IP_PRI_FILTER = 0,
 	NF_IP_PRI_NAT_SRC = 100,
+	NF_IP_PRI_SELINUX_LAST = 225,
 	NF_IP_PRI_LAST = INT_MAX,
 };
 
diff -urN -X dontdiff linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv6.h linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv6.h
--- linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv6.h	2003-09-27 20:50:51.000000000 -0400
+++ linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv6.h	2004-01-06 14:41:30.000000000 -0500
@@ -56,11 +56,13 @@
 
 enum nf_ip6_hook_priorities {
 	NF_IP6_PRI_FIRST = INT_MIN,
+	NF_IP6_PRI_SELINUX_FIRST = -225,
 	NF_IP6_PRI_CONNTRACK = -200,
 	NF_IP6_PRI_MANGLE = -150,
 	NF_IP6_PRI_NAT_DST = -100,
 	NF_IP6_PRI_FILTER = 0,
 	NF_IP6_PRI_NAT_SRC = 100,
+	NF_IP6_PRI_SELINUX_LAST = 225,
 	NF_IP6_PRI_LAST = INT_MAX,
 };
 

Re: [RFC] IPv4 Netfilter hook priorities for SELinux

[David S. Miller]

On Tue, 6 Jan 2004 15:05:10 -0500 (EST)
James Morris <jmorris@redhat.com> wrote:

> Ok, here is the patch with support for IPv4 and IPv6.  I've not added 
> anything for ARP yet as SELinux does not have any ARP controls at this 
> stage (and probably won't in the near future).
> 
> Please apply.

Applied, thanks guys.