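// SPDX-License-Identifier: GPL-2.0-only
/*
 * Simplified MAC Kernel (smack) security module
 *
 * This file contains the Smack netfilter implementation
 *
 * Author:
 *	Casey Schaufler <casey@schaufler-ca.com>
 *
 * Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
 * Copyright (C) 2014 Intel Corporation.
 */

#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netdevice.h>
#include <net/inet_sock.h>
#include <net/net_namespace.h>
#include "smack.h"

/**
 * smack_output_secmark - stamp an outgoing packet with its socket's label
 * @skb: the locally generated packet about to leave the host
 *
 * Looks up the full socket behind @skb and, when that socket carries a
 * Smack security blob, copies the secid of its outbound label (smk_out)
 * into skb->secmark.  A packet with no socket, or whose socket has no
 * Smack state, is left untouched.  The IPv4 and IPv6 LOCAL_OUT hooks
 * below share this routine; they differ only in the protocol family
 * they are registered for.
 */
static void smack_output_secmark(struct sk_buff *skb)
{
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;
	struct smack_known *skp;

	/* Only stamp when a full socket with a Smack blob is attached. */
	if (!sk || !sk->sk_security)
		return;

	ssp = sk->sk_security;
	skp = ssp->smk_out;
	skb->secmark = skp->smk_secid;
}

#if IS_ENABLED(CONFIG_IPV6)

/**
 * smack_ipv6_output - NF_INET_LOCAL_OUT hook for IPv6
 * @priv: unused hook private data
 * @skb: outgoing packet
 * @state: unused hook state
 *
 * Marks the packet with the sending socket's Smack label.  Never drops
 * traffic; always returns NF_ACCEPT.
 */
static unsigned int smack_ipv6_output(void *priv,
				      struct sk_buff *skb,
				      const struct nf_hook_state *state)
{
	smack_output_secmark(skb);

	return NF_ACCEPT;
}
#endif	/* IPV6 */

/**
 * smack_ipv4_output - NF_INET_LOCAL_OUT hook for IPv4
 * @priv: unused hook private data
 * @skb: outgoing packet
 * @state: unused hook state
 *
 * Marks the packet with the sending socket's Smack label.  Never drops
 * traffic; always returns NF_ACCEPT.
 */
static unsigned int smack_ipv4_output(void *priv,
				      struct sk_buff *skb,
				      const struct nf_hook_state *state)
{
	smack_output_secmark(skb);

	return NF_ACCEPT;
}

/*
 * Hooks run on the LOCAL_OUT path (locally generated packets only) at the
 * same priority slot SELinux uses for its first pass, so the secmark is
 * set before any later netfilter consumer looks at it.
 */
static const struct nf_hook_ops smack_nf_ops[] = {
	{
		.hook =		smack_ipv4_output,
		.pf =		NFPROTO_IPV4,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP_PRI_SELINUX_FIRST,
	},
#if IS_ENABLED(CONFIG_IPV6)
	{
		.hook =		smack_ipv6_output,
		.pf =		NFPROTO_IPV6,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
	},
#endif	/* IPV6 */
};

/**
 * smack_nf_register - install the Smack hooks in a network namespace
 * @net: namespace being initialised
 *
 * Return: 0 on success or the negative errno from nf_register_net_hooks().
 */
static int __net_init smack_nf_register(struct net *net)
{
	return nf_register_net_hooks(net, smack_nf_ops,
				     ARRAY_SIZE(smack_nf_ops));
}

/**
 * smack_nf_unregister - remove the Smack hooks from a network namespace
 * @net: namespace being torn down
 */
static void __net_exit smack_nf_unregister(struct net *net)
{
	nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
}

/* Per-namespace registration so every netns, not just init_net, is hooked. */
static struct pernet_operations smack_net_ops = {
	.init = smack_nf_register,
	.exit = smack_nf_unregister,
};

/**
 * smack_nf_ip_init - register the pernet operations at boot
 *
 * Does nothing when Smack was not selected as the active LSM
 * (smack_enabled, declared elsewhere, is zero), so the hooks are only
 * present when Smack is actually enforcing.
 *
 * Return: 0 when Smack is disabled or registration succeeds, otherwise
 * the negative errno from register_pernet_subsys().
 */
static int __init smack_nf_ip_init(void)
{
	if (smack_enabled == 0)
		return 0;

	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
	return register_pernet_subsys(&smack_net_ops);
}

__initcall(smack_nf_ip_init);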