// SPDX-License-Identifier: GPL-2.0-only
/*
 * Simplified MAC Kernel (smack) security module
 *
 * This file contains the Smack netfilter implementation
 *
 * Author:
 *	Casey Schaufler <casey@schaufler-ca.com>
 *
 * Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
 * Copyright (C) 2014 Intel Corporation.
 */

#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netdevice.h>
#include <net/inet_sock.h>
#include <net/net_namespace.h>
#include "smack.h"

/**
 * smack_ip_output - stamp a locally generated packet with its socket's label
 * @priv: hook private data (unused)
 * @skb: the outgoing packet
 * @state: netfilter hook state (unused)
 *
 * Copies the secid of the sending socket's smk_out label into skb->secmark,
 * presumably so that secmark-aware netfilter rules downstream can match on
 * the Smack label. Packets with no socket, or whose socket carries no
 * Smack security blob, are left untouched.
 *
 * Return: NF_ACCEPT in every case; this hook never drops traffic.
 */
static unsigned int smack_ip_output(void *priv,
				    struct sk_buff *skb,
				    const struct nf_hook_state *state)
{
	struct sock *full_sk = skb_to_full_sk(skb);
	struct socket_smack *smack_sock;

	/* Nothing to label without a socket and its Smack blob. */
	if (!full_sk || !full_sk->sk_security)
		return NF_ACCEPT;

	smack_sock = full_sk->sk_security;
	skb->secmark = smack_sock->smk_out->smk_secid;

	return NF_ACCEPT;
}

/*
 * Hook table: the same labeling function is attached to LOCAL_OUT for IPv4
 * and, when IPv6 is built in, for IPv6. The priority places it at the
 * SELinux-first slot of each family's LOCAL_OUT chain.
 */
static const struct nf_hook_ops smack_nf_ops[] = {
	{
		.hook =		smack_ip_output,
		.pf =		NFPROTO_IPV4,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP_PRI_SELINUX_FIRST,
	},
#if IS_ENABLED(CONFIG_IPV6)
	{
		.hook =		smack_ip_output,
		.pf =		NFPROTO_IPV6,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
	},
#endif /* IPV6 */
};

/**
 * smack_nf_register - install the Smack hooks in a network namespace
 * @net: the namespace being initialised
 *
 * Return: the result of nf_register_net_hooks(), 0 on success.
 */
static int __net_init smack_nf_register(struct net *net)
{
	int rc;

	rc = nf_register_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
	return rc;
}

/**
 * smack_nf_unregister - remove the Smack hooks from a network namespace
 * @net: the namespace being torn down
 */
static void __net_exit smack_nf_unregister(struct net *net)
{
	nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
}

/* Per-namespace lifecycle so every net namespace gets the hooks. */
static struct pernet_operations smack_net_ops = {
	.init =	smack_nf_register,
	.exit =	smack_nf_unregister,
};

/**
 * smack_nf_ip_init - register the per-namespace hook operations at boot
 *
 * Does nothing unless Smack is the enabled LSM (smack_enabled != 0), so the
 * hooks are never installed when another module is in control.
 *
 * Return: 0 when Smack is disabled, otherwise the result of
 * register_pernet_subsys().
 */
static int __init smack_nf_ip_init(void)
{
	if (!smack_enabled)
		return 0;

	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
	return register_pernet_subsys(&smack_net_ops);
}

__initcall(smack_nf_ip_init);