linux/security/smack/smack_netfilter.c
   1/*
   2 *  Simplified MAC Kernel (smack) security module
   3 *
   4 *  This file contains the Smack netfilter implementation
   5 *
   6 *  Author:
   7 *      Casey Schaufler <casey@schaufler-ca.com>
   8 *
   9 *  Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
  10 *  Copyright (C) 2014 Intel Corporation.
  11 *
  12 *      This program is free software; you can redistribute it and/or modify
  13 *      it under the terms of the GNU General Public License version 2,
  14 *      as published by the Free Software Foundation.
  15 */
  16
  17#include <linux/netfilter_ipv4.h>
  18#include <linux/netfilter_ipv6.h>
  19#include <linux/netdevice.h>
  20#include <net/inet_sock.h>
  21#include "smack.h"
  22
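/*
 * smack_skb_set_secmark - label an outgoing packet with the sending
 *                         socket's outbound Smack label
 * @skb: the packet being sent
 *
 * Copies the secid of the socket's smk_out label into skb->secmark so
 * that later netfilter processing can tell which Smack label generated
 * the packet. A packet with no resolvable full socket, or whose socket
 * carries no security blob, is left unmarked.
 *
 * The IPv4 and IPv6 hooks below are identical apart from their names,
 * so the labelling is done here once rather than duplicated in each.
 */
static void smack_skb_set_secmark(struct sk_buff *skb)
{
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;

	/* Nothing to label: no full socket, or no Smack blob attached. */
	if (!sk || !sk->sk_security)
		return;

	ssp = sk->sk_security;
	skb->secmark = ssp->smk_out->smk_secid;
}

#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)

/*
 * smack_ipv6_output - NF_INET_LOCAL_OUT hook for IPv6
 * @priv: hook private data (unused)
 * @skb: the packet being sent
 * @state: netfilter hook state (unused)
 *
 * Marks the packet with the sender's Smack label and always returns
 * NF_ACCEPT: this hook only labels traffic, it never drops it.
 */
static unsigned int smack_ipv6_output(void *priv,
					struct sk_buff *skb,
					const struct nf_hook_state *state)
{
	smack_skb_set_secmark(skb);
	return NF_ACCEPT;
}
#endif  /* IPV6 */

/*
 * smack_ipv4_output - NF_INET_LOCAL_OUT hook for IPv4
 * @priv: hook private data (unused)
 * @skb: the packet being sent
 * @state: netfilter hook state (unused)
 *
 * Marks the packet with the sender's Smack label and always returns
 * NF_ACCEPT: this hook only labels traffic, it never drops it.
 */
static unsigned int smack_ipv4_output(void *priv,
					struct sk_buff *skb,
					const struct nf_hook_state *state)
{
	smack_skb_set_secmark(skb);
	return NF_ACCEPT;
}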
  59
/*
 * Netfilter hook table for Smack. Every entry hooks NF_INET_LOCAL_OUT,
 * i.e. only locally generated packets are labelled, and sits in the
 * *_PRI_SELINUX_FIRST priority slot. The IPv6 entry exists only when
 * IPv6 is built in or as a module.
 */
static struct nf_hook_ops smack_nf_ops[] = {
	{
		.pf		= NFPROTO_IPV4,
		.hooknum	= NF_INET_LOCAL_OUT,
		.hook		= smack_ipv4_output,
		.priority	= NF_IP_PRI_SELINUX_FIRST,
	},
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
	{
		.pf		= NFPROTO_IPV6,
		.hooknum	= NF_INET_LOCAL_OUT,
		.hook		= smack_ipv6_output,
		.priority	= NF_IP6_PRI_SELINUX_FIRST,
	},
#endif  /* IPV6 */
};
  76
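/*
 * smack_nf_ip_init - register the Smack netfilter hooks at boot
 *
 * Does nothing when Smack is not enabled (smack_enabled == 0).
 *
 * Return: 0 on success or when Smack is disabled, otherwise the error
 * from nf_register_hooks(). The error is propagated rather than
 * discarded: if registration fails, outgoing packets will not carry a
 * Smack secmark, and the initcall machinery should see that failure
 * instead of a reported success.
 */
static int __init smack_nf_ip_init(void)
{
	int err;

	if (smack_enabled == 0)
		return 0;

	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");

	err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
	if (err)
		pr_info("Smack: nf_register_hooks: error %d\n", err);

	return err;
}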
  92
/* Run smack_nf_ip_init() during boot; it is a no-op when Smack is disabled. */
__initcall(smack_nf_ip_init);
  94