libxt_gradm: match packets based on status of grsecurity RBAC
authorAnthony G. Basile <basile@opensource.dyc.edu>
Sun, 17 Oct 2010 13:52:02 +0000 (09:52 -0400)
committerJan Engelhardt <jengelh@medozas.de>
Fri, 29 Oct 2010 12:54:06 +0000 (14:54 +0200)
This patch adds a module which is useful to users of grsecurity's RBAC
system. It matches packets based on whether RBAC is enabled or
disabled.

See: http://grsecurity.net/

Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>
Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.

This [xt_gradm.c] is part of the grsecurity patch which not only adds
the Xtables code, but also the RBAC code. Without the entire RBAC
stuff, xt_gradm does not make sense and so it is included with the
grsecurity patch to the kernel, and not this patch to Xtables-addons.

>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.

The idea here is that when the RBAC rulesets are not being enforced, the
system is more vulnerable and the user wants stricter firewall rules.
When RBAC is being enforced, one can relax the firewall and allow access
to services which are now better protected. In practice this usually
means allowing access only from some trusted IP(s) at boot, before RBAC
is turned on.

doc/changelog.txt
extensions/Mbuild
extensions/libxt_gradm.c [new file with mode: 0644]
extensions/libxt_gradm.man [new file with mode: 0644]
extensions/xt_gradm.h [new file with mode: 0644]
mconfig

index d00e3dddb1be2809934f5902296e6ae666f76573..5f3ffaf2648c865d2d990fa4c738f13c6d5487fb 100644 (file)
@@ -1,6 +1,8 @@
 
 HEAD
 ====
+- libxt_gradm: match packets based on status of grsecurity RBAC
+  (userspace part only - xt_gradm is in the grsec patch)
 
 
 v1.30 (October 02 2010)
index f5aa137c12f9f504128b6dce7cca29053d1f5f6b..3e5557cfb72c3f252c96b55522169df7745d2d5c 100644 (file)
@@ -25,3 +25,4 @@ obj-${build_lscan}       += libxt_lscan.so
 obj-${build_pknock}      += pknock/
 obj-${build_psd}         += libxt_psd.so
 obj-${build_quota2}      += libxt_quota2.so
+obj-${build_gradm}       += libxt_gradm.so
diff --git a/extensions/libxt_gradm.c b/extensions/libxt_gradm.c
new file mode 100644 (file)
index 0000000..dc9737a
--- /dev/null
@@ -0,0 +1,98 @@
+/*
+ *     "gradm" match extension for iptables
+ *     Zbigniew Krzystolik <zbyniu@destrukcja.pl>, 2010
+ *
+ *     This program is free software; you can redistribute it and/or
+ *     modify it under the terms of the GNU General Public License;
+ *     either version 2 of the License, or any later version, as
+ *     published by the Free Software Foundation.
+ */
+#include <getopt.h>
+#include <netdb.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xtables.h>
+#include "xt_gradm.h"
+
+static void gradm_mt_help(void)
+{
+       printf(
+"gradm match options:\n"
+" [!] --enabled    is Grsecurity RBAC enabled\n"
+" [!] --disabled   is Grsecurity RBAC disabled\n");
+};
+
+static const struct option gradm_mt_opts[] = {
+       {.name = "enabled",  .has_arg = false, .val = '1'},
+       {.name = "disabled", .has_arg = false, .val = '2'},
+       {NULL},
+};
+
+static void gradm_mt_init(struct xt_entry_match *m)
+{
+}
+
+static int gradm_mt_parse(int c, char **argv, int invert, unsigned int *flags,
+                          const void *entry, struct xt_entry_match **match)
+{
+       struct xt_gradm_mtinfo *info = (void *)(*match)->data;
+
+       switch (c) {
+       case '1':
+               if (invert)
+                       info->invflags |= 1;
+               return true;
+       case '2':
+               if (!invert)
+                       info->invflags |= 1;
+               return true;
+       }
+       return false;
+}
+
+static void gradm_mt_check(unsigned int flags)
+{
+}
+
+static void gradm_mt_print(const void *ip, const struct xt_entry_match *match,
+                           int numeric)
+{
+       const struct xt_gradm_mtinfo *info = (const void *)match->data;
+
+       if (info->invflags)
+               printf("gradm: disabled");
+       else
+               printf("gradm: enabled");
+}
+
+static void gradm_mt_save(const void *ip, const struct xt_entry_match *match)
+{
+       const struct xt_gradm_mtinfo *info = (const void *)match->data;
+
+       if (info->invflags)
+               printf("--disabled ");
+       else
+               printf("--enabled ");
+}
+
+static struct xtables_match gradm_mt_reg = { 
+       .family        = NFPROTO_UNSPEC,
+       .name          = "gradm",
+       .version       = XTABLES_VERSION,
+       .size          = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
+       .userspacesize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
+       .help          = gradm_mt_help,
+       .init          = gradm_mt_init,
+       .parse         = gradm_mt_parse,
+       .final_check   = gradm_mt_check,
+       .print         = gradm_mt_print,
+       .save          = gradm_mt_save,
+       .extra_opts    = gradm_mt_opts,
+};
+
+static __attribute__((constructor)) void gradm_mt_ldr(void)
+{
+       xtables_register_match(&gradm_mt_reg);
+}
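Review bot: gradm_mt_check (the empty final_check at line 114) never verifies that an option was given, and gradm_mt_parse never records anything in *flags, so `-m gradm` with no option is accepted and, because invflags stays 0, is printed and saved as `--enabled`; `--enabled --disabled` on one rule is likewise accepted. Since the stated purpose is to keep the strict rules while RBAC is off, a forgotten option silently yields the permissive direction instead of an error. I would record the option in *flags, reject a second one, and have the final check require it, as below (this assumes xtables_error() is provided by the xtables.h this tree builds against). Separately, the `};` closing gradm_mt_help on line 84 is a stray empty declaration; drop the semicolon.
```c
static int gradm_mt_parse(int c, char **argv, int invert, unsigned int *flags,
                          const void *entry, struct xt_entry_match **match)
{
	struct xt_gradm_mtinfo *info = (void *)(*match)->data;

	switch (c) {
	case '1':
	case '2':
		if (*flags & 1)
			xtables_error(PARAMETER_PROBLEM,
			              "gradm: only one of --enabled/--disabled may be given");
		*flags |= 1;
		/* --disabled is the inverse of --enabled; "!" flips either one */
		if ((c == '2') != !!invert)
			info->invflags |= 1;
		return true;
	}
	return false;
}

static void gradm_mt_check(unsigned int flags)
{
	if (!(flags & 1))
		xtables_error(PARAMETER_PROBLEM,
		              "gradm: one of --enabled or --disabled is required");
}
```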
diff --git a/extensions/libxt_gradm.man b/extensions/libxt_gradm.man
new file mode 100644 (file)
index 0000000..154a4c4
--- /dev/null
@@ -0,0 +1,7 @@
+This module matches packets based on grsecurity RBAC status.
+.TP
+[\fB!\fP] \fB\-\-enabled\fP
+Matches packets if grsecurity RBAC is enabled.
+.TP
+[\fB!\fP] \fB\-\-disabled\fP
+Matches packets if grsecurity RBAC is disabled.
diff --git a/extensions/xt_gradm.h b/extensions/xt_gradm.h
new file mode 100644 (file)
index 0000000..96aa447
--- /dev/null
@@ -0,0 +1,9 @@
+#ifndef _XT_GRADM_H
+#define _XT_GRADM_H
+
+struct xt_gradm_mtinfo {
+       __u16 flags;
+       __u16 invflags;
+};
+
+#endif
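Review bot: xt_gradm.h uses `__u16` (lines 179-180) without including anything, so it is not self-contained and only compiles here because libxt_gradm.c pulls in `<xtables.h>` first; add `#include <linux/types.h>` after the guard. Note also that the `flags` member is never written by the userspace side (gradm_mt_parse touches only invflags), and since the kernel xt_gradm.c lives in the grsecurity patch rather than this tree, the layout of this struct has to be kept byte-identical with that copy by hand — a comment saying so, e.g. `/* must match struct xt_gradm_mtinfo in the grsecurity kernel patch */`, would help the next maintainer.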
diff --git a/mconfig b/mconfig
index 6bfeb71fc59484170581cd6064b9f674b0578b08..717603bfb398973cfbc9c1109bae7febd61d89e2 100644 (file)
--- a/mconfig
+++ b/mconfig
@@ -16,6 +16,7 @@ build_TEE=
 build_condition=m
 build_fuzzy=m
 build_geoip=m
+build_gradm=m
 build_iface=m
 build_ipp2p=m
 build_ipset=m