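/*
 * Simplified MAC Kernel (smack) security module
 *
 * This file contains the Smack netfilter implementation
 *
 * Author:
 *	Casey Schaufler <casey@schaufler-ca.com>
 *
 * Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
 * Copyright (C) 2014 Intel Corporation.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2,
 * as published by the Free Software Foundation.
 */

#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netdevice.h>
#include <net/inet_sock.h>
#include "smack.h"

/*
 * smack_skb_set_secmark - stamp an outbound packet with its socket's label
 * @skb: the packet being sent
 *
 * Copies the secid of the sending socket's outbound Smack label (smk_out)
 * into skb->secmark. Shared by the IPv4 and IPv6 hooks, which were
 * previously two identical copies of this code.
 *
 * Packets that have no full socket, or whose socket carries no Smack
 * security blob (sk_security == NULL), are left with secmark untouched.
 */
static void smack_skb_set_secmark(struct sk_buff *skb)
{
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;
	struct smack_known *skp;

	if (sk && sk->sk_security) {
		ssp = sk->sk_security;
		skp = ssp->smk_out;
		skb->secmark = skp->smk_secid;
	}
}

#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

/*
 * smack_ipv6_output - NF_INET_LOCAL_OUT hook for IPv6
 * @priv: unused hook private data
 * @skb: the packet being sent
 * @state: unused hook state
 *
 * Labels the packet and always returns NF_ACCEPT; this hook never drops.
 */
static unsigned int smack_ipv6_output(void *priv,
				      struct sk_buff *skb,
				      const struct nf_hook_state *state)
{
	smack_skb_set_secmark(skb);

	return NF_ACCEPT;
}
#endif	/* IPV6 */

/*
 * smack_ipv4_output - NF_INET_LOCAL_OUT hook for IPv4
 * @priv: unused hook private data
 * @skb: the packet being sent
 * @state: unused hook state
 *
 * Labels the packet and always returns NF_ACCEPT; this hook never drops.
 */
static unsigned int smack_ipv4_output(void *priv,
				      struct sk_buff *skb,
				      const struct nf_hook_state *state)
{
	smack_skb_set_secmark(skb);

	return NF_ACCEPT;
}

/*
 * Hook table: both hooks sit on LOCAL_OUT at the "SELinux first" priority.
 * NOTE(review): presumably that placement is so the secmark is already set
 * when later netfilter rules on the same hook run - confirm against the
 * hook ordering policy.
 */
static struct nf_hook_ops smack_nf_ops[] = {
	{
		.hook =		smack_ipv4_output,
		.pf =		NFPROTO_IPV4,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP_PRI_SELINUX_FIRST,
	},
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
	{
		.hook =		smack_ipv6_output,
		.pf =		NFPROTO_IPV6,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
	},
#endif	/* IPV6 */
};

/*
 * smack_nf_ip_init - register the Smack netfilter hooks at boot
 *
 * Does nothing when Smack is not the enabled LSM (smack_enabled == 0).
 * Always returns 0: a registration failure is logged but is not treated
 * as fatal.
 *
 * NOTE(review): if registration fails, outbound packets silently go
 * unlabelled (secmark never set); confirm that logging only is the
 * intended policy rather than returning err.
 */
static int __init smack_nf_ip_init(void)
{
	int err;

	if (smack_enabled == 0)
		return 0;

	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");

	err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
	if (err)
		pr_info("Smack: nf_register_hooks: error %d\n", err);

	return 0;
}

__initcall(smack_nf_ip_init);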