Blame view
security/smack/smack_netfilter.c
2.17 KB
d2912cb15
treewide: Replace...
|
1 |
// SPDX-License-Identifier: GPL-2.0-only |
69f287ae6
Smack: secmark su...
|
2 3 4 5 6 7 8 9 10 11 |
/* * Simplified MAC Kernel (smack) security module * * This file contains the Smack netfilter implementation * * Author: * Casey Schaufler <casey@schaufler-ca.com> * * Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com> * Copyright (C) 2014 Intel Corporation. |
|
69f287ae6
Smack: secmark su...
|
12 13 14 15 16 |
*/ #include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv6.h> #include <linux/netdevice.h> |
8827d90e2
smack: use skb_to...
|
17 |
#include <net/inet_sock.h> |
e661a5827
smack: use pernet...
|
18 |
#include <net/net_namespace.h> |
|
69f287ae6
Smack: secmark su...
|
19 |
#include "smack.h" |
1a93a6eac
security: Use IS_...
|
20 |
#if IS_ENABLED(CONFIG_IPV6) |
|
69f287ae6
Smack: secmark su...
|
21 |
|
06198b34a
netfilter: Pass p...
|
22 |
static unsigned int smack_ipv6_output(void *priv, |
|
69f287ae6
Smack: secmark su...
|
23 |
struct sk_buff *skb, |
238e54c9c
netfilter: Make n...
|
24 |
const struct nf_hook_state *state) |
|
69f287ae6
Smack: secmark su...
|
25 |
{
|
|
8827d90e2
smack: use skb_to...
|
26 |
struct sock *sk = skb_to_full_sk(skb); |
|
69f287ae6
Smack: secmark su...
|
27 28 |
struct socket_smack *ssp; struct smack_known *skp; |
|
8827d90e2
smack: use skb_to...
|
29 30 |
if (sk && sk->sk_security) {
ssp = sk->sk_security;
|
|
69f287ae6
Smack: secmark su...
|
31 32 33 34 35 36 37 |
skp = ssp->smk_out; skb->secmark = skp->smk_secid; } return NF_ACCEPT; } #endif /* IPV6 */ |
|
06198b34a
netfilter: Pass p...
|
38 |
static unsigned int smack_ipv4_output(void *priv, |
|
69f287ae6
Smack: secmark su...
|
39 |
struct sk_buff *skb, |
|
238e54c9c
netfilter: Make n...
|
40 |
const struct nf_hook_state *state) |
|
69f287ae6
Smack: secmark su...
|
41 |
{
|
|
8827d90e2
smack: use skb_to...
|
42 |
struct sock *sk = skb_to_full_sk(skb); |
|
69f287ae6
Smack: secmark su...
|
43 44 |
struct socket_smack *ssp; struct smack_known *skp; |
|
8827d90e2
smack: use skb_to...
|
45 46 |
if (sk && sk->sk_security) {
ssp = sk->sk_security;
|
|
69f287ae6
Smack: secmark su...
|
47 48 49 50 51 52 |
skp = ssp->smk_out; skb->secmark = skp->smk_secid; } return NF_ACCEPT; } |
|
591bb2789
netfilter: nf_hoo...
|
53 |
static const struct nf_hook_ops smack_nf_ops[] = {
|
|
69f287ae6
Smack: secmark su...
|
54 55 |
{
.hook = smack_ipv4_output,
|
|
69f287ae6
Smack: secmark su...
|
56 57 58 59 |
.pf = NFPROTO_IPV4, .hooknum = NF_INET_LOCAL_OUT, .priority = NF_IP_PRI_SELINUX_FIRST, }, |
|
1a93a6eac
security: Use IS_...
|
60 |
#if IS_ENABLED(CONFIG_IPV6) |
|
69f287ae6
Smack: secmark su...
|
61 62 |
{
.hook = smack_ipv6_output,
|
|
69f287ae6
Smack: secmark su...
|
63 64 65 66 67 68 |
.pf = NFPROTO_IPV6, .hooknum = NF_INET_LOCAL_OUT, .priority = NF_IP6_PRI_SELINUX_FIRST, }, #endif /* IPV6 */ }; |
|
e661a5827
smack: use pernet...
|
69 70 71 72 73 74 75 |
static int __net_init smack_nf_register(struct net *net)
{
return nf_register_net_hooks(net, smack_nf_ops,
ARRAY_SIZE(smack_nf_ops));
}
static void __net_exit smack_nf_unregister(struct net *net)
|
|
69f287ae6
Smack: secmark su...
|
76 |
{
|
|
e661a5827
smack: use pernet...
|
77 78 |
nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } |
|
69f287ae6
Smack: secmark su...
|
79 |
|
|
e661a5827
smack: use pernet...
|
80 81 82 83 84 85 86 |
static struct pernet_operations smack_net_ops = {
.init = smack_nf_register,
.exit = smack_nf_unregister,
};
static int __init smack_nf_ip_init(void)
{
|
|
69f287ae6
Smack: secmark su...
|
87 88 89 90 91 |
if (smack_enabled == 0) return 0; printk(KERN_DEBUG "Smack: Registering netfilter hooks "); |
|
e661a5827
smack: use pernet...
|
92 |
return register_pernet_subsys(&smack_net_ops); |
|
69f287ae6
Smack: secmark su...
|
93 94 95 |
} __initcall(smack_nf_ip_init); |