Blame view
security/smack/smack_netfilter.c
2.17 KB
d2912cb15 treewide: Replace... |
1 |
// SPDX-License-Identifier: GPL-2.0-only |
69f287ae6 Smack: secmark su... |
2 3 4 5 6 7 8 9 10 11 |
/* * Simplified MAC Kernel (smack) security module * * This file contains the Smack netfilter implementation * * Author: * Casey Schaufler <casey@schaufler-ca.com> * * Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com> * Copyright (C) 2014 Intel Corporation. |
69f287ae6 Smack: secmark su... |
12 13 14 15 16 |
*/ #include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv6.h> #include <linux/netdevice.h> |
8827d90e2 smack: use skb_to... |
17 |
#include <net/inet_sock.h> |
e661a5827 smack: use pernet... |
18 |
#include <net/net_namespace.h> |
69f287ae6 Smack: secmark su... |
19 |
#include "smack.h" |
1a93a6eac security: Use IS_... |
20 |
#if IS_ENABLED(CONFIG_IPV6) |
69f287ae6 Smack: secmark su... |
21 |
|
06198b34a netfilter: Pass p... |
22 |
static unsigned int smack_ipv6_output(void *priv, |
69f287ae6 Smack: secmark su... |
23 |
struct sk_buff *skb, |
238e54c9c netfilter: Make n... |
24 |
const struct nf_hook_state *state) |
69f287ae6 Smack: secmark su... |
25 |
{ |
8827d90e2 smack: use skb_to... |
26 |
struct sock *sk = skb_to_full_sk(skb); |
69f287ae6 Smack: secmark su... |
27 28 |
struct socket_smack *ssp; struct smack_known *skp; |
8827d90e2 smack: use skb_to... |
29 30 |
if (sk && sk->sk_security) { ssp = sk->sk_security; |
69f287ae6 Smack: secmark su... |
31 32 33 34 35 36 37 |
skp = ssp->smk_out; skb->secmark = skp->smk_secid; } return NF_ACCEPT; } #endif /* IPV6 */ |
06198b34a netfilter: Pass p... |
38 |
static unsigned int smack_ipv4_output(void *priv, |
69f287ae6 Smack: secmark su... |
39 |
struct sk_buff *skb, |
238e54c9c netfilter: Make n... |
40 |
const struct nf_hook_state *state) |
69f287ae6 Smack: secmark su... |
41 |
{ |
8827d90e2 smack: use skb_to... |
42 |
struct sock *sk = skb_to_full_sk(skb); |
69f287ae6 Smack: secmark su... |
43 44 |
struct socket_smack *ssp; struct smack_known *skp; |
8827d90e2 smack: use skb_to... |
45 46 |
if (sk && sk->sk_security) { ssp = sk->sk_security; |
69f287ae6 Smack: secmark su... |
47 48 49 50 51 52 |
skp = ssp->smk_out; skb->secmark = skp->smk_secid; } return NF_ACCEPT; } |
591bb2789 netfilter: nf_hoo... |
53 |
static const struct nf_hook_ops smack_nf_ops[] = { |
69f287ae6 Smack: secmark su... |
54 55 |
{ .hook = smack_ipv4_output, |
69f287ae6 Smack: secmark su... |
56 57 58 59 |
.pf = NFPROTO_IPV4, .hooknum = NF_INET_LOCAL_OUT, .priority = NF_IP_PRI_SELINUX_FIRST, }, |
1a93a6eac security: Use IS_... |
60 |
#if IS_ENABLED(CONFIG_IPV6) |
69f287ae6 Smack: secmark su... |
61 62 |
{ .hook = smack_ipv6_output, |
69f287ae6 Smack: secmark su... |
63 64 65 66 67 68 |
.pf = NFPROTO_IPV6, .hooknum = NF_INET_LOCAL_OUT, .priority = NF_IP6_PRI_SELINUX_FIRST, }, #endif /* IPV6 */ }; |
e661a5827 smack: use pernet... |
69 70 71 72 73 74 75 |
static int __net_init smack_nf_register(struct net *net) { return nf_register_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } static void __net_exit smack_nf_unregister(struct net *net) |
69f287ae6 Smack: secmark su... |
76 |
{ |
e661a5827 smack: use pernet... |
77 78 |
nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } |
69f287ae6 Smack: secmark su... |
79 |
|
e661a5827 smack: use pernet... |
80 81 82 83 84 85 86 |
static struct pernet_operations smack_net_ops = { .init = smack_nf_register, .exit = smack_nf_unregister, }; static int __init smack_nf_ip_init(void) { |
69f287ae6 Smack: secmark su... |
87 88 89 90 91 |
if (smack_enabled == 0) return 0; printk(KERN_DEBUG "Smack: Registering netfilter hooks "); |
e661a5827 smack: use pernet... |
92 |
return register_pernet_subsys(&smack_net_ops); |
69f287ae6 Smack: secmark su... |
93 94 95 |
} __initcall(smack_nf_ip_init); |