diff -purN -X dontdiff iptables-1.3.3-20051019.p/extensions/libipt_owner.c iptables-1.3.3-20051019.w/extensions/libipt_owner.c
--- iptables-1.3.3-20051019.p/extensions/libipt_owner.c 2005-02-14 08:13:04.000000000 -0500
+++ iptables-1.3.3-20051019.w/extensions/libipt_owner.c 2005-10-22 23:53:49.000000000 -0400
@@ -8,6 +8,7 @@
 #include
 #include
+#include
 #include
 /* Function which prints out usage message. */
@@ -22,6 +23,7 @@ help(void)
 "[!] --pid-owner processid Match local pid\n"
 "[!] --sid-owner sessionid Match local sid\n"
 "[!] --cmd-owner name Match local command name\n"
+"[!] --ctx-owner context Match SELinux security context (SELinux must be enabled in kernel)\n"
 "NOTE: pid, sid and command matching are broken on SMP\n"
 "\n",
 IPTABLES_VERSION);
@@ -32,6 +34,7 @@ IPTABLES_VERSION);
 "[!] --gid-owner groupid Match local gid\n"
 "[!] --pid-owner processid Match local pid\n"
 "[!] --sid-owner sessionid Match local sid\n"
+"[!] --ctx-owner context Match SELinux security context (SELinux must be enabled in kernel)\n"
 "NOTE: pid and sid matching are broken on SMP\n"
 "\n",
 IPTABLES_VERSION);
@@ -46,6 +49,7 @@ static struct option opts[] = {
 #ifdef IPT_OWNER_COMM
 { "cmd-owner", 1, 0, '5' },
 #endif
+ { "ctx-owner", 1, 0, '6' },
 {0}
 };
@@ -131,6 +135,21 @@ parse(int c, char **argv, int invert, un
 break;
 #endif
+ case '6':
+ if (!is_selinux_enabled())
+ exit_error(PARAMETER_PROBLEM, "OWNER CTX is invalid because SELinux is disabled in the kernel. Having a bad day?");
+
+ check_inverse(optarg, &invert, &optind, 0);
+ if(strlen(optarg) > sizeof(ownerinfo->ctx))
+ exit_error(PARAMETER_PROBLEM, "OWNER CTX `%s' too long, max %u characters", optarg, (unsigned int)sizeof(ownerinfo->ctx));
+ strncpy(ownerinfo->ctx, optarg, sizeof(ownerinfo->ctx));
+ ownerinfo->ctx[sizeof(ownerinfo->ctx)-1] = '\0';
+ if (invert)
+ ownerinfo->invert |= IPT_OWNER_CTX;
+ ownerinfo->match |= IPT_OWNER_CTX;
+ *flags = 1;
+ break;
+
 default:
 return 0;
 }
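Review bot: The new `{ "ctx-owner", 1, 0, '6' },` entry in the opts array is added unconditionally, whereas the cmd-owner entry next to it is wrapped in `#ifdef IPT_OWNER_COMM`, so this file now only compiles against an ipt_owner.h that already defines IPT_OWNER_CTX and the ctx field. The same applies to the `case '6':` block in parse, the `case IPT_OWNER_CTX:` branch in print_item and the two new print_item calls in print and save. Wrapping each of those in `#ifdef IPT_OWNER_CTX` / `#endif` in the same style as the IPT_OWNER_COMM code would keep the extension buildable against kernel headers without the SELinux field, and the two help-text lines would then need the same treatment.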
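Review bot: The length check `if(strlen(optarg) > sizeof(ownerinfo->ctx))` in the new `case '6':` lets an argument of exactly sizeof(ownerinfo->ctx) bytes through, and the strncpy plus the forced terminator on the next line then silently drop its last character, so the rule ends up matching a context other than the one the user typed; the error message also advertises sizeof as the maximum. Unless the kernel side compares the field without needing a terminator (not visible here), the check should be `if (strlen(optarg) >= sizeof(ownerinfo->ctx))` and the message should print `(unsigned int)sizeof(ownerinfo->ctx) - 1`. The text `Having a bad day?` in the first exit_error is also out of keeping with the plain diagnostics used elsewhere in the hunk. The parse function starts and ends outside the hunk.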
@@ -183,6 +202,9 @@ print_item(struct ipt_owner_info *info,
 printf("%.*s ", (int)sizeof(info->comm), info->comm);
 break;
 #endif
+ case IPT_OWNER_CTX:
+ printf("%.*s ", (int)sizeof(info->ctx), info->ctx);
+ break;
 default:
 break;
 }
@@ -213,6 +235,7 @@ print(const struct ipt_ip *ip,
 #ifdef IPT_OWNER_COMM
 print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
 #endif
+ print_item(info, IPT_OWNER_CTX, numeric, "OWNER CTX match ");
 }
 /* Saves the union ipt_matchinfo in parsable form to stdout. */
@@ -228,6 +251,7 @@ save(const struct ipt_ip *ip, const stru
 #ifdef IPT_OWNER_COMM
 print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
 #endif
+ print_item(info, IPT_OWNER_CTX, 0, "--ctx-owner ");
 }
 static struct iptables_match owner = {
diff -purN -X dontdiff iptables-1.3.3-20051019.p/extensions/Makefile iptables-1.3.3-20051019.w/extensions/Makefile
--- iptables-1.3.3-20051019.p/extensions/Makefile 2005-10-22 21:34:41.000000000 -0400
+++ iptables-1.3.3-20051019.w/extensions/Makefile 2005-10-22 23:54:19.000000000 -0400
@@ -5,9 +5,9 @@
 # header files are present in the include/linux directory of this iptables
 # package (HW)
 #
-PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
+PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
 PF6_EXT_SLIB:=eui64 hl icmpv6 length limit mac mark multiport owner physdev standard tcp udp HL NFQUEUE MARK TRACE
-PF_EXT_SE_SLIB:=LOG
+PF_EXT_SE_SLIB:=LOG owner
 PF6_EXT_SE_SLIB:=LOG
 # Optionals
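Review bot: Moving owner from PF_EXT_SLIB to PF_EXT_SE_SLIB makes the IPv4 owner match available only when the PF_EXT_SE_SLIB set is built, whereas before it was built unconditionally; if that set is gated on SELinux support being enabled, as its name suggests, a non-SELinux build loses uid/gid/pid/sid matching entirely, not just --ctx-owner. If that is intended, a comment above the `PF_EXT_SE_SLIB:=LOG owner` line such as `# owner links against libselinux for --ctx-owner` would record it; otherwise owner could stay in PF_EXT_SLIB with the ctx code compiled conditionally in libipt_owner.c. The condition that selects PF_EXT_SE_SLIB is outside this hunk.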