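// SPDX-License-Identifier: GPL-2.0-only
/*
 * Simplified MAC Kernel (smack) security module
 *
 * This file contains the Smack netfilter implementation
 *
 * Author:
 *	Casey Schaufler <casey@schaufler-ca.com>
 *
 * Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
 * Copyright (C) 2014 Intel Corporation.
 */

#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netdevice.h>
#include <net/inet_sock.h>
#include <net/net_namespace.h>
#include "smack.h"

/**
 * smack_ip_output - stamp a locally generated packet with its socket's secid
 * @priv: hook private data (unused)
 * @skb: the outgoing packet
 * @state: netfilter hook state (unused)
 *
 * NF_INET_LOCAL_OUT hook shared by the IPv4 and IPv6 registrations. Both
 * address families need exactly the same treatment, so one body serves
 * both entries of smack_nf_ops instead of two copies that have to be kept
 * in sync.
 *
 * skb->secmark is set to the secid of the originating socket's smk_out
 * label. Packets with no full socket, or whose socket carries no Smack
 * security blob, are passed through unlabelled. The hook never drops.
 *
 * Return: NF_ACCEPT always.
 */
static unsigned int smack_ip_output(void *priv,
				    struct sk_buff *skb,
				    const struct nf_hook_state *state)
{
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;
	struct smack_known *skp;

	/* sk is NULL for packets with no (full) socket; sk_security may be
	 * NULL as well, so both are checked before the blob is touched.
	 * NOTE(review): ssp->smk_out is dereferenced unchecked — assumes every
	 * socket with a security blob has smk_out assigned at allocation time;
	 * confirm against smack_sk_alloc_security().
	 */
	if (sk && sk->sk_security) {
		ssp = sk->sk_security;
		skp = ssp->smk_out;
		skb->secmark = skp->smk_secid;
	}

	return NF_ACCEPT;
}

/*
 * Hook table: one LOCAL_OUT entry per address family, both at the
 * *_PRI_SELINUX_FIRST priority so the label is applied before other
 * secmark-aware hooks at lower priority run.
 */
static const struct nf_hook_ops smack_nf_ops[] = {
	{
		.hook =		smack_ip_output,
		.pf =		NFPROTO_IPV4,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP_PRI_SELINUX_FIRST,
	},
#if IS_ENABLED(CONFIG_IPV6)
	{
		.hook =		smack_ip_output,
		.pf =		NFPROTO_IPV6,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
	},
#endif /* IPV6 */
};

/**
 * smack_nf_register - register the Smack hooks in a network namespace
 * @net: the namespace being initialised
 *
 * Return: 0 on success, or the negative error from nf_register_net_hooks().
 */
static int __net_init smack_nf_register(struct net *net)
{
	return nf_register_net_hooks(net, smack_nf_ops,
				     ARRAY_SIZE(smack_nf_ops));
}

/**
 * smack_nf_unregister - remove the Smack hooks from a network namespace
 * @net: the namespace being torn down
 */
static void __net_exit smack_nf_unregister(struct net *net)
{
	nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
}

/* Per-namespace registration so every netns gets (and loses) the hooks. */
static struct pernet_operations smack_net_ops = {
	.init = smack_nf_register,
	.exit = smack_nf_unregister,
};

/**
 * smack_nf_ip_init - initcall: install the netfilter hooks if Smack is active
 *
 * When Smack is not the enabled LSM (smack_enabled == 0) nothing is
 * registered, so the hook does not run on every locally generated packet
 * for no purpose.
 *
 * Return: 0 when Smack is disabled or registration succeeds, otherwise the
 * negative error from register_pernet_subsys().
 */
static int __init smack_nf_ip_init(void)
{
	if (smack_enabled == 0)
		return 0;

	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
	return register_pernet_subsys(&smack_net_ops);
}

__initcall(smack_nf_ip_init);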