root/security/smack/smack_netfilter.c


   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  *  Simplified MAC Kernel (smack) security module
   4  *
   5  *  This file contains the Smack netfilter implementation
   6  *
   7  *  Author:
   8  *      Casey Schaufler <casey@schaufler-ca.com>
   9  *
  10  *  Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
  11  *  Copyright (C) 2014 Intel Corporation.
  12  */
  13 
  14 #include <linux/netfilter_ipv4.h>
  15 #include <linux/netfilter_ipv6.h>
  16 #include <linux/netdevice.h>
  17 #include <net/inet_sock.h>
  18 #include <net/net_namespace.h>
  19 #include "smack.h"
  20 
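/*
 * smack_ip_output - label an outbound packet with the sending socket's
 *                   outbound Smack label
 * @priv: hook private data, unused
 * @skb: the packet being sent
 * @state: netfilter hook state, unused; the body does not depend on the
 *         address family, so one hook serves both IPv4 and IPv6
 *
 * Copies the secid of the sending socket's outbound label (smk_out) into
 * skb->secmark. The socket is looked up with skb_to_full_sk() rather than
 * skb->sk so that packets sent on behalf of a not-yet-full socket are
 * attributed to the owning full socket (presumably the listener; verify
 * against skb_to_full_sk()). A packet with no full socket, or whose socket
 * carries no Smack security blob, is left with whatever secmark it already
 * had.
 *
 * This is a labeling hook, not an access check: it never drops a packet
 * and always returns NF_ACCEPT.
 */
static unsigned int smack_ip_output(void *priv,
                                    struct sk_buff *skb,
                                    const struct nf_hook_state *state)
{
        struct sock *sk = skb_to_full_sk(skb);
        struct socket_smack *ssp;

        if (!sk || !sk->sk_security)
                return NF_ACCEPT;

        ssp = sk->sk_security;
        skb->secmark = ssp->smk_out->smk_secid;

        return NF_ACCEPT;
}

/*
 * Output hooks, one per address family. Both run at NF_INET_LOCAL_OUT with
 * the "SELinux first" priority, i.e. early in the output chain, which is
 * presumably intended so that the secmark is already in place when later
 * output hooks run. The IPv6 entry exists only when IPv6 is built, so
 * callers must size the table with ARRAY_SIZE() rather than a constant.
 */
static const struct nf_hook_ops smack_nf_ops[] = {
        {
                .hook =         smack_ip_output,
                .pf =           NFPROTO_IPV4,
                .hooknum =      NF_INET_LOCAL_OUT,
                .priority =     NF_IP_PRI_SELINUX_FIRST,
        },
#if IS_ENABLED(CONFIG_IPV6)
        {
                .hook =         smack_ip_output,
                .pf =           NFPROTO_IPV6,
                .hooknum =      NF_INET_LOCAL_OUT,
                .priority =     NF_IP6_PRI_SELINUX_FIRST,
        },
#endif  /* IPV6 */
};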
  74 
/*
 * smack_nf_register - install the Smack output hooks in a network namespace
 * @net: the namespace being set up
 *
 * Per-namespace init callback of smack_net_ops. Registers every entry of
 * smack_nf_ops; the entry count is computed because the table only holds
 * an IPv6 hook when IPv6 is built in.
 *
 * Returns whatever nf_register_net_hooks() returns (0 on success).
 */
static int __net_init smack_nf_register(struct net *net)
{
        const unsigned int nhooks = ARRAY_SIZE(smack_nf_ops);

        return nf_register_net_hooks(net, smack_nf_ops, nhooks);
}
  80 
/*
 * smack_nf_unregister - remove the Smack output hooks from a network namespace
 * @net: the namespace being torn down
 *
 * Per-namespace exit callback of smack_net_ops; undoes smack_nf_register()
 * for the same table and count.
 */
static void __net_exit smack_nf_unregister(struct net *net)
{
        const unsigned int nhooks = ARRAY_SIZE(smack_nf_ops);

        nf_unregister_net_hooks(net, smack_nf_ops, nhooks);
}
  85 
/*
 * Per-network-namespace operations: hooks are installed when a namespace
 * is created and removed when it goes away, so every namespace gets its
 * own copy of the Smack output hooks.
 */
static struct pernet_operations smack_net_ops = {
        .init = smack_nf_register,
        .exit = smack_nf_unregister,
};
  90 
/*
 * smack_nf_ip_init - register the Smack netfilter hooks at boot
 *
 * Does nothing, and reports success, when Smack is not the enabled LSM
 * (smack_enabled is zero): no hooks are installed, so no secmark is ever
 * set by this file. Otherwise registers smack_net_ops so that the hooks
 * are installed in every network namespace.
 *
 * Returns 0 when Smack is disabled, else the result of
 * register_pernet_subsys().
 */
static int __init smack_nf_ip_init(void)
{
        if (!smack_enabled)
                return 0;

        printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");

        return register_pernet_subsys(&smack_net_ops);
}
  99 
/*
 * Plain (device-level) initcall. NOTE(review): this relies on smack_enabled
 * having been settled before the initcall runs; confirm against the LSM
 * initialization order.
 */
__initcall(smack_nf_ip_init);
