// SPDX-License-Identifier: GPL-2.0-only
/*
 * Simplified MAC Kernel (smack) security module
 *
 * This file contains the Smack netfilter implementation
 *
 * Author:
 *	Casey Schaufler <casey@schaufler-ca.com>
 *
 * Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
 * Copyright (C) 2014 Intel Corporation.
 */

#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netdevice.h>
#include <net/inet_sock.h>
#include <net/net_namespace.h>
#include "smack.h"

/**
 * smack_ip_output - label a locally generated packet with its socket's secid
 * @priv: unused hook private data
 * @skb: the outgoing packet
 * @state: unused hook state
 *
 * Runs on the NF_INET_LOCAL_OUT hook.  When the packet can be tied to a
 * full socket that carries Smack state, skb->secmark is overwritten with
 * the secid of that socket's outbound label (smk_out), so that netfilter
 * rules matching on secmark see the sender's label.  Packets without an
 * associated full socket, or whose socket has no sk_security, keep
 * whatever secmark they already had.
 *
 * The hook never drops traffic; the return value is always NF_ACCEPT.
 */
static unsigned int smack_ip_output(void *priv,
				    struct sk_buff *skb,
				    const struct nf_hook_state *state)
{
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;

	/* Nothing to label: no full socket, or no Smack state on it. */
	if (!sk || !sk->sk_security)
		return NF_ACCEPT;

	ssp = sk->sk_security;
	/* NOTE(review): assumes smk_out is always populated - confirm in smack_lsm.c */
	skb->secmark = ssp->smk_out->smk_secid;

	return NF_ACCEPT;
}

/*
 * One LOCAL_OUT hook per address family.  The priority places Smack at
 * the same point SELinux uses for its secmark labelling.
 */
static const struct nf_hook_ops smack_nf_ops[] = {
	{
		.hook =		smack_ip_output,
		.pf =		NFPROTO_IPV4,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP_PRI_SELINUX_FIRST,
	},
#if IS_ENABLED(CONFIG_IPV6)
	{
		.hook =		smack_ip_output,
		.pf =		NFPROTO_IPV6,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
	},
#endif /* IPV6 */
};

/* Per-namespace setup: install every entry of smack_nf_ops into @net. */
static int __net_init smack_nf_register(struct net *net)
{
	const size_t count = ARRAY_SIZE(smack_nf_ops);

	return nf_register_net_hooks(net, smack_nf_ops, count);
}

/* Per-namespace teardown: remove the hooks installed by smack_nf_register(). */
static void __net_exit smack_nf_unregister(struct net *net)
{
	const size_t count = ARRAY_SIZE(smack_nf_ops);

	nf_unregister_net_hooks(net, smack_nf_ops, count);
}

static struct pernet_operations smack_net_ops = {
	.init = smack_nf_register,
	.exit = smack_nf_unregister,
};

/*
 * Register the per-namespace hook installer.  When Smack was not enabled
 * at boot (smack_enabled == 0) no hooks are installed and outgoing packets
 * are never secmark-labelled by Smack.
 */
static int __init smack_nf_ip_init(void)
{
	if (smack_enabled == 0)
		return 0;

	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
	return register_pernet_subsys(&smack_net_ops);
}

__initcall(smack_nf_ip_init);