   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 *  Simplified MAC Kernel (smack) security module
   4 *
   5 *  This file contains the Smack netfilter implementation
   6 *
   7 *  Author:
   8 *      Casey Schaufler <casey@schaufler-ca.com>
   9 *
  10 *  Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
  11 *  Copyright (C) 2014 Intel Corporation.
  12 */
  13
  14#include <linux/netfilter_ipv4.h>
  15#include <linux/netfilter_ipv6.h>
  16#include <linux/netdevice.h>
  17#include <net/inet_sock.h>
  18#include <net/net_namespace.h>
  19#include "smack.h"
  20
  21#if IS_ENABLED(CONFIG_IPV6)
  22
/*
 * smack_ipv6_output - stamp a locally generated IPv6 packet with its label
 * @priv: hook private data (unused)
 * @skb: the outgoing packet
 * @state: netfilter hook state (unused)
 *
 * Copies the secid of the sending socket's outbound Smack label
 * (socket_smack::smk_out) into skb->secmark.  This is a labeling hook
 * only: nothing is ever dropped here, and a packet without a socket, or
 * whose socket carries no Smack state, is passed on with its secmark
 * left untouched.
 *
 * The socket is looked up with skb_to_full_sk() rather than skb->sk,
 * presumably so that packets owned by a request (mini) socket resolve
 * to the full socket that holds the Smack state -- confirm against the
 * helper's current semantics before relying on that.
 *
 * Return: NF_ACCEPT in every case.
 */
static unsigned int smack_ipv6_output(void *priv,
					struct sk_buff *skb,
					const struct nf_hook_state *state)
{
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;

	/* No socket or no Smack state: leave the packet unlabeled. */
	if (!sk || !sk->sk_security)
		return NF_ACCEPT;

	ssp = sk->sk_security;
	/* The secmark carries the secid, not the label string itself. */
	skb->secmark = ssp->smk_out->smk_secid;

	return NF_ACCEPT;
}
  39#endif  /* IPV6 */
  40
/*
 * smack_ipv4_output - stamp a locally generated IPv4 packet with its label
 * @priv: hook private data (unused)
 * @skb: the outgoing packet
 * @state: netfilter hook state (unused)
 *
 * Copies the secid of the sending socket's outbound Smack label
 * (socket_smack::smk_out) into skb->secmark.  This is a labeling hook
 * only: nothing is ever dropped here, and a packet without a socket, or
 * whose socket carries no Smack state, is passed on with its secmark
 * left untouched.
 *
 * The socket is looked up with skb_to_full_sk() rather than skb->sk,
 * presumably so that packets owned by a request (mini) socket resolve
 * to the full socket that holds the Smack state -- confirm against the
 * helper's current semantics before relying on that.
 *
 * Return: NF_ACCEPT in every case.
 */
static unsigned int smack_ipv4_output(void *priv,
					struct sk_buff *skb,
					const struct nf_hook_state *state)
{
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;

	/* No socket or no Smack state: leave the packet unlabeled. */
	if (!sk || !sk->sk_security)
		return NF_ACCEPT;

	ssp = sk->sk_security;
	/* The secmark carries the secid, not the label string itself. */
	skb->secmark = ssp->smk_out->smk_secid;

	return NF_ACCEPT;
}
  57
/*
 * Netfilter hooks installed by Smack, one per address family.
 *
 * Both entries sit on NF_INET_LOCAL_OUT, so only locally generated
 * traffic is labeled; forwarded and inbound packets never reach these
 * hooks.  The priority reuses the slot defined for SELinux's own hooks
 * (NF_IP_PRI_SELINUX_FIRST / NF_IP6_PRI_SELINUX_FIRST), which presumably
 * places the label before later-priority netfilter processing -- only
 * one of the two LSMs is expected to be active, so the slot is not
 * contended.  The table is const: it is shared by every network
 * namespace and never modified after boot.
 */
static const struct nf_hook_ops smack_nf_ops[] = {
	{
		.pf =		NFPROTO_IPV4,
		.hooknum =	NF_INET_LOCAL_OUT,
		.hook =		smack_ipv4_output,
		.priority =	NF_IP_PRI_SELINUX_FIRST,
	},
#if IS_ENABLED(CONFIG_IPV6)
	{
		.pf =		NFPROTO_IPV6,
		.hooknum =	NF_INET_LOCAL_OUT,
		.hook =		smack_ipv6_output,
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
	},
#endif	/* IPV6 */
};
  74
/*
 * smack_nf_register - install the Smack netfilter hooks in a namespace
 * @net: the network namespace being initialized
 *
 * Invoked through smack_net_ops for each network namespace as it comes
 * up, so every namespace labels its own locally generated traffic.
 * All entries of smack_nf_ops are registered in one call.
 *
 * Return: 0 on success, otherwise whatever nf_register_net_hooks()
 * reported; a failure here propagates to the namespace setup.
 */
static int __net_init smack_nf_register(struct net *net)
{
	const unsigned int nhooks = ARRAY_SIZE(smack_nf_ops);

	return nf_register_net_hooks(net, smack_nf_ops, nhooks);
}
  80
/*
 * smack_nf_unregister - remove the Smack netfilter hooks from a namespace
 * @net: the network namespace being torn down
 *
 * Counterpart of smack_nf_register(), run through smack_net_ops when a
 * namespace exits.  Unregisters the same smack_nf_ops table that was
 * installed, so the two stay in step automatically.
 */
static void __net_exit smack_nf_unregister(struct net *net)
{
	const unsigned int nhooks = ARRAY_SIZE(smack_nf_ops);

	nf_unregister_net_hooks(net, smack_nf_ops, nhooks);
}
  85
/*
 * Per-network-namespace lifecycle for the Smack hooks.
 *
 * Registered once from smack_nf_ip_init(); the core then calls .init for
 * every namespace (existing and future) and .exit on teardown.  Kept
 * non-const because the pernet registration API links the structure
 * into its own list.
 */
static struct pernet_operations smack_net_ops = {
	.exit = smack_nf_unregister,
	.init = smack_nf_register,
};
  90
/*
 * smack_nf_ip_init - boot-time registration of the Smack netfilter hooks
 *
 * Does nothing unless smack_enabled is set.  smack_enabled is defined
 * elsewhere in the module (presumably by the LSM initialization in
 * smack_lsm.c, which sets it only when Smack is the active LSM); this
 * keeps the hooks out of the packet path on kernels that have Smack
 * built in but not selected.
 *
 * Note that the debug message is printed before the registration
 * attempt, so it does not by itself confirm that the hooks are live.
 *
 * Return: 0 when Smack is disabled or registration succeeds, otherwise
 * the result of register_pernet_subsys().
 */
static int __init smack_nf_ip_init(void)
{
	int rc;

	if (!smack_enabled)
		return 0;

	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
	rc = register_pernet_subsys(&smack_net_ops);

	return rc;
}
  99
/* Run smack_nf_ip_init() at the default (device) initcall level. */
__initcall(smack_nf_ip_init);
 101