
  1 /*
  2  *  Simplified MAC Kernel (smack) security module
  3  *
  4  *  This file contains the Smack netfilter implementation
  5  *
  6  *  Author:
  7  *      Casey Schaufler <casey@schaufler-ca.com>
  8  *
  9  *  Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
 10  *  Copyright (C) 2014 Intel Corporation.
 11  *
 12  *      This program is free software; you can redistribute it and/or modify
 13  *      it under the terms of the GNU General Public License version 2,
 14  *      as published by the Free Software Foundation.
 15  */
 16 
 17 #include <linux/netfilter_ipv4.h>
 18 #include <linux/netfilter_ipv6.h>
 19 #include <linux/netdevice.h>
 20 #include <net/inet_sock.h>
 21 #include "smack.h"
 22 
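/**
 * smack_ip_output - NF_INET_LOCAL_OUT hook body shared by IPv4 and IPv6
 * @priv: hook private data, unused
 * @skb: the locally generated packet being sent
 * @state: netfilter hook state, unused
 *
 * Copies the sending socket's outbound Smack label (smk_out) into
 * skb->secmark, presumably for later secmark-based matching in
 * netfilter -- this file itself never consumes the mark. The hook only
 * labels; it does not filter, so it always returns NF_ACCEPT. A packet
 * with no full socket, or whose socket carries no Smack security blob,
 * is passed through with its secmark left untouched.
 *
 * The IPv4 and IPv6 hooks were previously two identical copies of this
 * body; they are now thin wrappers so the labeling logic lives in one
 * place.
 *
 * Returns NF_ACCEPT unconditionally.
 */
static unsigned int smack_ip_output(void *priv,
				    struct sk_buff *skb,
				    const struct nf_hook_state *state)
{
	/*
	 * skb_to_full_sk() rather than skb->sk: presumably so a packet
	 * owned by a request/timewait mini-socket is attributed to its
	 * full parent socket -- confirm against net/sock.h.
	 */
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;
	struct smack_known *skp;

	if (!sk || !sk->sk_security)
		return NF_ACCEPT;

	ssp = sk->sk_security;
	/*
	 * NOTE(review): smk_out is dereferenced without a NULL check. This
	 * relies on every socket that has a Smack blob also having its
	 * outbound label set at allocation time -- verify against
	 * smack_sk_alloc_security() before relying on it.
	 */
	skp = ssp->smk_out;
	skb->secmark = skp->smk_secid;

	return NF_ACCEPT;
}

#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
/*
 * smack_ipv6_output - NFPROTO_IPV6 entry used by smack_nf_ops.
 * Same labeling as the IPv4 hook; see smack_ip_output().
 */
static unsigned int smack_ipv6_output(void *priv,
				      struct sk_buff *skb,
				      const struct nf_hook_state *state)
{
	return smack_ip_output(priv, skb, state);
}
#endif  /* IPV6 */

/*
 * smack_ipv4_output - NFPROTO_IPV4 entry used by smack_nf_ops.
 * See smack_ip_output() for what the hook does.
 */
static unsigned int smack_ipv4_output(void *priv,
				      struct sk_buff *skb,
				      const struct nf_hook_state *state)
{
	return smack_ip_output(priv, skb, state);
}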
 59 
/*
 * Hook table registered by smack_nf_ip_init().
 *
 * Both entries sit at NF_INET_LOCAL_OUT, so only locally generated
 * traffic is labeled here: forwarded and inbound packets never pass
 * through these hooks. The *_PRI_SELINUX_FIRST priority places the
 * labeling early in the LOCAL_OUT chain -- presumably so that later
 * hooks at that point already see the secmark; that intent is inferred
 * from the priority name only.
 */
static struct nf_hook_ops smack_nf_ops[] = {
	{
		.pf =		NFPROTO_IPV4,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP_PRI_SELINUX_FIRST,
		.hook =		smack_ipv4_output,
	},
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
	{
		.pf =		NFPROTO_IPV6,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
		.hook =		smack_ipv6_output,
	},
#endif  /* IPV6 */
};
 76 
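/*
 * smack_nf_ip_init - register the Smack LOCAL_OUT labeling hooks at boot
 *
 * Does nothing when Smack is not enabled (smack_enabled == 0).
 *
 * A registration failure used to be logged at info level and then
 * swallowed by returning 0. Without these hooks Smack keeps running but
 * locally generated packets never receive their Smack secmark, so any
 * downstream policy keyed on the mark silently sees them as unlabeled.
 * The failure is therefore logged at error level and the error code is
 * returned so the initcall machinery can record it as well.
 *
 * Returns 0 on success or when Smack is disabled, otherwise the error
 * from nf_register_hooks().
 */
static int __init smack_nf_ip_init(void)
{
	int err;

	if (smack_enabled == 0)
		return 0;

	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");

	err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
	if (err)
		pr_err("Smack: nf_register_hooks: error %d\n", err);

	return err;
}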
 92 
/* Queue smack_nf_ip_init() as a kernel initcall so the hooks are registered during boot. */
__initcall(smack_nf_ip_init);
 94 
