
  1 // SPDX-License-Identifier: GPL-2.0-only
  2 /*
  3  *  Simplified MAC Kernel (smack) security module
  4  *
  5  *  This file contains the Smack netfilter implementation
  6  *
  7  *  Author:
  8  *      Casey Schaufler <casey@schaufler-ca.com>
  9  *
 10  *  Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
 11  *  Copyright (C) 2014 Intel Corporation.
 12  */
 13 
 14 #include <linux/netfilter_ipv4.h>
 15 #include <linux/netfilter_ipv6.h>
 16 #include <linux/netdevice.h>
 17 #include <net/inet_sock.h>
 18 #include <net/net_namespace.h>
 19 #include "smack.h"
 20 
 21 #if IS_ENABLED(CONFIG_IPV6)
 22 
/*
 * smack_ipv6_output - stamp a locally generated IPv6 packet with its
 *                     sending socket's Smack outbound label
 * @priv: hook private data (unused)
 * @skb: the packet on its way out
 * @state: netfilter hook state (unused)
 *
 * The socket's smk_out label is copied into skb->secmark so that later
 * consumers of the secmark (netfilter targets, the receiving side's LSM
 * checks) can see who sent the packet. If the skb cannot be tied to a
 * full socket, or that socket carries no Smack security blob, the
 * secmark is left exactly as it was.
 *
 * Security notes: any secmark already present on the skb is overwritten
 * without being examined, and the hook never rejects a packet - the
 * verdict is always NF_ACCEPT, so enforcement happens elsewhere.
 *
 * Return: NF_ACCEPT, unconditionally.
 */
static unsigned int smack_ipv6_output(void *priv,
					struct sk_buff *skb,
					const struct nf_hook_state *state)
{
	/*
	 * skb_to_full_sk() rather than skb->sk: by its name it resolves a
	 * mini-socket to its full parent (confirm in net/sock.h). NULL
	 * means there is no socket to take a label from.
	 */
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp;

	if (!sk || !sk->sk_security)
		return NF_ACCEPT;

	/* smk_out is assumed non-NULL here; Smack sets it at socket creation. */
	ssp = sk->sk_security;
	skb->secmark = ssp->smk_out->smk_secid;

	return NF_ACCEPT;
}
 39 #endif  /* IPV6 */
 40 
/*
 * smack_ipv4_output - stamp a locally generated IPv4 packet with its
 *                     sending socket's Smack outbound label
 * @priv: hook private data (unused)
 * @skb: the packet on its way out
 * @state: netfilter hook state (unused)
 *
 * Mirrors the IPv6 variant: the sending socket's smk_out label becomes
 * the packet's secmark. Packets with no resolvable full socket, or whose
 * socket has no Smack blob, pass through with their secmark untouched.
 *
 * Security notes: an existing secmark is clobbered without inspection,
 * and nothing is ever dropped here - the verdict is always NF_ACCEPT.
 *
 * Return: NF_ACCEPT, unconditionally.
 */
static unsigned int smack_ipv4_output(void *priv,
					struct sk_buff *skb,
					const struct nf_hook_state *state)
{
	/* Full socket lookup; NULL when the skb has no usable owner. */
	struct sock *sk = skb_to_full_sk(skb);
	struct socket_smack *ssp = NULL;

	if (sk)
		ssp = sk->sk_security;

	/* Only sockets that actually carry a Smack blob get labelled. */
	if (ssp)
		skb->secmark = ssp->smk_out->smk_secid;

	return NF_ACCEPT;
}
 57 
/*
 * Netfilter hooks registered per network namespace.
 *
 * Both entries sit on NF_INET_LOCAL_OUT, i.e. the output path for
 * locally generated traffic, at the "SELINUX_FIRST" priority so that
 * the Smack label is applied before other LSM-priority hooks in the
 * same chain (ordering inferred from the constant's name). Only the
 * output direction is hooked; no inbound filtering is done here.
 */
static const struct nf_hook_ops smack_nf_ops[] = {
	{
		.pf =		NFPROTO_IPV4,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP_PRI_SELINUX_FIRST,
		.hook =		smack_ipv4_output,
	},
#if IS_ENABLED(CONFIG_IPV6)
	{
		.pf =		NFPROTO_IPV6,
		.hooknum =	NF_INET_LOCAL_OUT,
		.priority =	NF_IP6_PRI_SELINUX_FIRST,
		.hook =		smack_ipv6_output,
	},
#endif	/* IPV6 */
};
 74 
/*
 * smack_nf_register - install the Smack output hooks in a namespace
 * @net: the network namespace being initialised
 *
 * Called for every network namespace via smack_net_ops; the hook table
 * is the shared, read-only smack_nf_ops.
 *
 * Return: 0 on success, otherwise the negative error from
 * nf_register_net_hooks().
 */
static int __net_init smack_nf_register(struct net *net)
{
	const unsigned int nhooks = ARRAY_SIZE(smack_nf_ops);

	return nf_register_net_hooks(net, smack_nf_ops, nhooks);
}
 80 
/*
 * smack_nf_unregister - remove the Smack output hooks from a namespace
 * @net: the network namespace being torn down
 *
 * Counterpart of smack_nf_register(); unregisters the same table with
 * the same element count so the two always stay in step.
 */
static void __net_exit smack_nf_unregister(struct net *net)
{
	const unsigned int nhooks = ARRAY_SIZE(smack_nf_ops);

	nf_unregister_net_hooks(net, smack_nf_ops, nhooks);
}
 85 
/*
 * Per-network-namespace lifecycle for the Smack netfilter hooks:
 * hooks go in when a namespace is created and come out when it exits,
 * so every namespace, not just init_net, gets its packets labelled.
 */
static struct pernet_operations smack_net_ops = {
	.exit = smack_nf_unregister,
	.init = smack_nf_register,
};
 90 
/*
 * smack_nf_ip_init - one-time registration of the pernet subsystem
 *
 * Does nothing unless smack_enabled is non-zero (set elsewhere,
 * presumably when Smack is the active LSM), so an inactive Smack never
 * installs netfilter hooks. When active, registers smack_net_ops, which
 * in turn installs the hooks in every network namespace.
 *
 * Return: 0 when Smack is disabled or registration succeeds, otherwise
 * the negative error from register_pernet_subsys(). As an initcall the
 * error is only reported, not acted on, so a failure here would leave
 * outbound packets unlabelled.
 */
static int __init smack_nf_ip_init(void)
{
	int rc = 0;

	if (smack_enabled) {
		printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
		rc = register_pernet_subsys(&smack_net_ops);
	}

	return rc;
}
 99 
/* Ordinary-level initcall; the function itself bails out if Smack is not enabled. */
__initcall(smack_nf_ip_init);
101 
