Smack: secmark support for netfilter

Smack uses CIPSO to label internet packets and thus provide for access control on delivery of packets. The netfilter facility was not used to allow for Smack to work properly without netfilter configuration. Smack does not need netfilter, however there are cases where it would be handy. As a side effect, the labeling of local IPv4 packets can be optimized and the handling of local IPv6 packets is just all out better. The best part is that the netfilter tools use "contexts" that are just strings, and they work just as well for Smack as they do for SELinux. All of the conditional compilation for IPv6 was implemented by Rafal Krypa <r.krypa@samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
author: Casey Schaufler <casey@schaufler-ca.com> 2014-12-12 20:08:40 -0500
committer: Casey Schaufler <casey@schaufler-ca.com> 2015-01-20 19:34:25 -0500
commit: 69f287ae6fc8357e0bc561353a2d585b89ee8cdc (patch)
tree: a717c525b47790cab2d437e0e16e11728394b97c
parent: 5e7270a6dd14fa6e3bb10128f200305b4a75f350 (diff)
5 files changed, 196 insertions, 8 deletions
diff --git a/security/smack/Kconfig b/security/smack/Kconfig
index b065f9789418..271adae81796 100644
--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -28,3 +28,15 @@ config SECURITY_SMACK_BRINGUP
          access rule set once the behavior is well understood.
          This is a superior mechanism to the oft abused
          "permissive" mode of other systems.
+          If you are unsure how to answer this question, answer N.
+config SECURITY_SMACK_NETFILTER
+        bool "Packet marking using secmarks for netfilter"
+        depends on SECURITY_SMACK
+        depends on NETWORK_SECMARK
+        depends on NETFILTER
+        default n
+        help
+          This enables security marking of network packets using
+          Smack labels.
+          If you are unsure how to answer this question, answer N.
diff --git a/security/smack/Makefile b/security/smack/Makefile
index 67a63aaec827..616cf93b368e 100644
--- a/security/smack/Makefile
+++ b/security/smack/Makefile
@@ -5,3 +5,4 @@
 obj-$(CONFIG_SECURITY_SMACK) := smack.o
 smack-y := smack_lsm.o smack_access.o smackfs.o
+smack-$(CONFIG_NETFILTER) += smack_netfilter.o
diff --git a/security/smack/smack.h b/security/smack/smack.h
index b828a379377c..7629eaeb1fb2 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -248,6 +248,7 @@ struct smack_known *smk_find_entry(const char *);
 /*
 * Shared data.
 */
+extern int smack_enabled;
 extern int smack_cipso_direct;
 extern int smack_cipso_mapped;
 extern struct smack_known *smack_net_ambient;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 1fa72317bbec..81b30e32c526 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -52,8 +52,11 @@
 #define SMK_RECEIVING   1
 #define SMK_SENDING     2
+#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
 LIST_HEAD(smk_ipv6_port_list);
+#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
 static struct kmem_cache *smack_inode_cache;
+int smack_enabled;
 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
 static void smk_bu_mode(int mode, char *s)
@@ -2213,6 +2216,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
        return smack_netlabel(sk, sk_lbl);
 }
+#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
 /**
 * smk_ipv6_port_label - Smack port access table management
 * @sock: socket
@@ -2362,6 +2366,7 @@ auditout:
        rc = smk_bu_note("IPv6 port check", skp, object, MAY_WRITE, rc);
        return rc;
 }
+#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
 /**
 * smack_inode_setsecurity - set smack xattrs
@@ -2422,8 +2427,10 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
        } else
                return -EOPNOTSUPP;
+#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
        if (sock->sk->sk_family == PF_INET6)
                smk_ipv6_port_label(sock, NULL);
+#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
        return 0;
 }
@@ -2451,6 +2458,7 @@ static int smack_socket_post_create(struct socket *sock, int family,
        return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
 }
+#ifndef CONFIG_SECURITY_SMACK_NETFILTER
 /**
 * smack_socket_bind - record port binding information.
 * @sock: the socket
@@ -2464,11 +2472,14 @@ static int smack_socket_post_create(struct socket *sock, int family,
 static int smack_socket_bind(struct socket *sock, struct sockaddr *address,
                                int addrlen)
 {
+#if IS_ENABLED(CONFIG_IPV6)
        if (sock->sk != NULL && sock->sk->sk_family == PF_INET6)
                smk_ipv6_port_label(sock, address);
+#endif
        return 0;
 }
+#endif /* !CONFIG_SECURITY_SMACK_NETFILTER */
 /**
 * smack_socket_connect - connect access check
@@ -2497,8 +2508,10 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
        case PF_INET6:
                if (addrlen < sizeof(struct sockaddr_in6))
                        return -EINVAL;
+#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
                rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap,
                                                SMK_CONNECTING);
+#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
                break;
        }
        return rc;
@@ -3381,7 +3394,9 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
                                int size)
 {
        struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
+#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
        struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
+#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
        int rc = 0;
        /*
@@ -3395,7 +3410,9 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
                rc = smack_netlabel_send(sock->sk, sip);
                break;
        case AF_INET6:
+#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
                rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
+#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
                break;
        }
        return rc;
@@ -3486,6 +3503,7 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
        return smack_net_ambient;
 }
+#if IS_ENABLED(CONFIG_IPV6)
 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
 {
        u8 nexthdr;
@@ -3532,6 +3550,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
        }
        return proto;
 }
+#endif /* CONFIG_IPV6 */
 /**
 * smack_socket_sock_rcv_skb - Smack packet delivery access check
@@ -3544,15 +3563,30 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
        struct netlbl_lsm_secattr secattr;
        struct socket_smack *ssp = sk->sk_security;
-        struct smack_known *skp;
+        struct smack_known *skp = NULL;
-        struct sockaddr_in6 sadd;
        int rc = 0;
        struct smk_audit_info ad;
 #ifdef CONFIG_AUDIT
        struct lsm_network_audit net;
 #endif
+#if IS_ENABLED(CONFIG_IPV6)
+        struct sockaddr_in6 sadd;
+        int proto;
+#endif /* CONFIG_IPV6 */
        switch (sk->sk_family) {
        case PF_INET:
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+                /*
+                 * If there is a secmark use it rather than the CIPSO label.
+                 * If there is no secmark fall back to CIPSO.
+                 * The secmark is assumed to reflect policy better.
+                 */
+                if (skb && skb->secmark != 0) {
+                        skp = smack_from_secid(skb->secmark);
+                        goto access_check;
+                }
+#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
                /*
                 * Translate what netlabel gave us.
                 */
@@ -3566,6 +3600,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
                netlbl_secattr_destroy(&secattr);
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+access_check:
+#endif
 #ifdef CONFIG_AUDIT
                smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
                ad.a.u.net->family = sk->sk_family;
@@ -3584,14 +3621,32 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
                if (rc != 0)
                        netlbl_skbuff_err(skb, rc, 0);
                break;
+#if IS_ENABLED(CONFIG_IPV6)
        case PF_INET6:
-                rc = smk_skb_to_addr_ipv6(skb, &sadd);
+                proto = smk_skb_to_addr_ipv6(skb, &sadd);
-                if (rc == IPPROTO_UDP || rc == IPPROTO_TCP)
+                if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
-                        rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
+                        break;
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+                if (skb && skb->secmark != 0)
+                        skp = smack_from_secid(skb->secmark);
                else
-                        rc = 0;
+                        skp = smack_net_ambient;
+#ifdef CONFIG_AUDIT
+                smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+                ad.a.u.net->family = sk->sk_family;
+                ad.a.u.net->netif = skb->skb_iif;
+                ipv6_skb_to_auditdata(skb, &ad.a, NULL);
+#endif /* CONFIG_AUDIT */
+                rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
+                rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in,
+                                        MAY_WRITE, rc);
+#else /* CONFIG_SECURITY_SMACK_NETFILTER */
+                rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
+#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
                break;
+#endif /* CONFIG_IPV6 */
        }
        return rc;
 }
@@ -3653,16 +3708,25 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
        if (skb != NULL) {
                if (skb->protocol == htons(ETH_P_IP))
                        family = PF_INET;
+#if IS_ENABLED(CONFIG_IPV6)
                else if (skb->protocol == htons(ETH_P_IPV6))
                        family = PF_INET6;
+#endif /* CONFIG_IPV6 */
        }
        if (family == PF_UNSPEC && sock != NULL)
                family = sock->sk->sk_family;
-        if (family == PF_UNIX) {
+        switch (family) {
+        case PF_UNIX:
                ssp = sock->sk->sk_security;
                s = ssp->smk_out->smk_secid;
-        } else if (family == PF_INET || family == PF_INET6) {
+                break;
+        case PF_INET:
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+                s = skb->secmark;
+                if (s != 0)
+                        break;
+#endif
                /*
                 * Translate what netlabel gave us.
                 */
@@ -3675,6 +3739,14 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
                        s = skp->smk_secid;
                }
                netlbl_secattr_destroy(&secattr);
+                break;
+#if IS_ENABLED(CONFIG_IPV6)
+        case PF_INET6:
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+                s = skb->secmark;
+#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
+                break;
+#endif /* CONFIG_IPV6 */
        }
        *secid = s;
        if (s == 0)
@@ -3730,6 +3802,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
        struct lsm_network_audit net;
 #endif
+#if IS_ENABLED(CONFIG_IPV6)
        if (family == PF_INET6) {
                /*
                 * Handle mapped IPv4 packets arriving
@@ -3741,6 +3814,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
                else
                        return 0;
        }
+#endif /* CONFIG_IPV6 */
        netlbl_secattr_init(&secattr);
        rc = netlbl_skbuff_getattr(skb, family, &secattr);
@@ -4199,7 +4273,9 @@ struct security_operations smack_ops = {
        .unix_may_send =                smack_unix_may_send,
        .socket_post_create =           smack_socket_post_create,
+#ifndef CONFIG_SECURITY_SMACK_NETFILTER
        .socket_bind =                  smack_socket_bind,
+#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
        .socket_connect =               smack_socket_connect,
        .socket_sendmsg =               smack_socket_sendmsg,
        .socket_sock_rcv_skb =          smack_socket_sock_rcv_skb,
@@ -4280,6 +4356,8 @@ static __init int smack_init(void)
        if (!security_module_enable(&smack_ops))
                return 0;
+        smack_enabled = 1;
        smack_inode_cache = KMEM_CACHE(inode_smack, 0);
        if (!smack_inode_cache)
                return -ENOMEM;
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
new file mode 100644
index 000000000000..c952632afb0d
--- /dev/null
+++ b/security/smack/smack_netfilter.c
@@ -0,0 +1,96 @@
+/*
+ *  Simplified MAC Kernel (smack) security module
+ *
+ *  This file contains the Smack netfilter implementation
+ *
+ *  Author:
+ *      Casey Schaufler <casey@schaufler-ca.com>
+ *
+ *  Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
+ *  Copyright (C) 2014 Intel Corporation.
+ *
+ *      This program is free software; you can redistribute it and/or modify
+ *      it under the terms of the GNU General Public License version 2,
+ *      as published by the Free Software Foundation.
+ */
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
+#include <linux/netdevice.h>
+#include "smack.h"
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int smack_ipv6_output(const struct nf_hook_ops *ops,
+                                        struct sk_buff *skb,
+                                        const struct net_device *in,
+                                        const struct net_device *out,
+                                        int (*okfn)(struct sk_buff *))
+{
+        struct socket_smack *ssp;
+        struct smack_known *skp;
+        if (skb && skb->sk && skb->sk->sk_security) {
+                ssp = skb->sk->sk_security;
+                skp = ssp->smk_out;
+                skb->secmark = skp->smk_secid;
+        }
+        return NF_ACCEPT;
+}
+#endif  /* IPV6 */
+static unsigned int smack_ipv4_output(const struct nf_hook_ops *ops,
+                                        struct sk_buff *skb,
+                                        const struct net_device *in,
+                                        const struct net_device *out,
+                                        int (*okfn)(struct sk_buff *))
+{
+        struct socket_smack *ssp;
+        struct smack_known *skp;
+        if (skb && skb->sk && skb->sk->sk_security) {
+                ssp = skb->sk->sk_security;
+                skp = ssp->smk_out;
+                skb->secmark = skp->smk_secid;
+        }
+        return NF_ACCEPT;
+}
+static struct nf_hook_ops smack_nf_ops[] = {
+        {
+                .hook =         smack_ipv4_output,
+                .owner =        THIS_MODULE,
+                .pf =           NFPROTO_IPV4,
+                .hooknum =      NF_INET_LOCAL_OUT,
+                .priority =     NF_IP_PRI_SELINUX_FIRST,
+        },
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+        {
+                .hook =         smack_ipv6_output,
+                .owner =        THIS_MODULE,
+                .pf =           NFPROTO_IPV6,
+                .hooknum =      NF_INET_LOCAL_OUT,
+                .priority =     NF_IP6_PRI_SELINUX_FIRST,
+        },
+#endif  /* IPV6 */
+};
+static int __init smack_nf_ip_init(void)
+{
+        int err;
+        if (smack_enabled == 0)
+                return 0;
+        printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
+        err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
+        if (err)
+                pr_info("Smack: nf_register_hooks: error %d\n", err);
+        return 0;
+}
+__initcall(smack_nf_ip_init);
author	Casey Schaufler <casey@schaufler-ca.com>	2014-12-12 20:08:40 -0500
committer	Casey Schaufler <casey@schaufler-ca.com>	2015-01-20 19:34:25 -0500
commit	69f287ae6fc8357e0bc561353a2d585b89ee8cdc (patch)
tree	a717c525b47790cab2d437e0e16e11728394b97c
parent	5e7270a6dd14fa6e3bb10128f200305b4a75f350 (diff)

diff --git a/security/smack/Kconfig b/security/smack/Kconfig index b065f9789418..271adae81796 100644 --- a/security/smack/Kconfig +++ b/security/smack/Kconfig
@@ -28,3 +28,15 @@ config SECURITY_SMACK_BRINGUP
28	access rule set once the behavior is well understood.	28	access rule set once the behavior is well understood.
29	This is a superior mechanism to the oft abused	29	This is a superior mechanism to the oft abused
30	"permissive" mode of other systems.	30	"permissive" mode of other systems.
		31	If you are unsure how to answer this question, answer N.
		32
		33	config SECURITY_SMACK_NETFILTER
		34	bool "Packet marking using secmarks for netfilter"
		35	depends on SECURITY_SMACK
		36	depends on NETWORK_SECMARK
		37	depends on NETFILTER
		38	default n
		39	help
		40	This enables security marking of network packets using
		41	Smack labels.
		42	If you are unsure how to answer this question, answer N.


diff --git a/security/smack/Makefile b/security/smack/Makefile index 67a63aaec827..616cf93b368e 100644 --- a/security/smack/Makefile +++ b/security/smack/Makefile
@@ -5,3 +5,4 @@
5	obj-$(CONFIG_SECURITY_SMACK) := smack.o	5	obj-$(CONFIG_SECURITY_SMACK) := smack.o
6		6
7	smack-y := smack_lsm.o smack_access.o smackfs.o	7	smack-y := smack_lsm.o smack_access.o smackfs.o
		8	smack-$(CONFIG_NETFILTER) += smack_netfilter.o


diff --git a/security/smack/smack.h b/security/smack/smack.h index b828a379377c..7629eaeb1fb2 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h
@@ -248,6 +248,7 @@ struct smack_known smk_find_entry(const char );
248	/*	248	/*
249	* Shared data.	249	* Shared data.
250	*/	250	*/
		251	extern int smack_enabled;
251	extern int smack_cipso_direct;	252	extern int smack_cipso_direct;
252	extern int smack_cipso_mapped;	253	extern int smack_cipso_mapped;
253	extern struct smack_known *smack_net_ambient;	254	extern struct smack_known *smack_net_ambient;


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1fa72317bbec..81b30e32c526 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -52,8 +52,11 @@
52	#define SMK_RECEIVING 1	52	#define SMK_RECEIVING 1
53	#define SMK_SENDING 2	53	#define SMK_SENDING 2
54		54
		55	#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
55	LIST_HEAD(smk_ipv6_port_list);	56	LIST_HEAD(smk_ipv6_port_list);
		57	#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
56	static struct kmem_cache *smack_inode_cache;	58	static struct kmem_cache *smack_inode_cache;
		59	int smack_enabled;
57		60
58	#ifdef CONFIG_SECURITY_SMACK_BRINGUP	61	#ifdef CONFIG_SECURITY_SMACK_BRINGUP
59	static void smk_bu_mode(int mode, char *s)	62	static void smk_bu_mode(int mode, char *s)
@@ -2213,6 +2216,7 @@ static int smack_netlabel_send(struct sock sk, struct sockaddr_in sap)
2213	return smack_netlabel(sk, sk_lbl);	2216	return smack_netlabel(sk, sk_lbl);
2214	}	2217	}
2215		2218
		2219	#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
2216	/**	2220	/**
2217	* smk_ipv6_port_label - Smack port access table management	2221	* smk_ipv6_port_label - Smack port access table management
2218	* @sock: socket	2222	* @sock: socket
@@ -2362,6 +2366,7 @@ auditout:
2362	rc = smk_bu_note("IPv6 port check", skp, object, MAY_WRITE, rc);	2366	rc = smk_bu_note("IPv6 port check", skp, object, MAY_WRITE, rc);
2363	return rc;	2367	return rc;
2364	}	2368	}
		2369	#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
2365		2370
2366	/**	2371	/**
2367	* smack_inode_setsecurity - set smack xattrs	2372	* smack_inode_setsecurity - set smack xattrs
@@ -2422,8 +2427,10 @@ static int smack_inode_setsecurity(struct inode inode, const char name,
2422	} else	2427	} else
2423	return -EOPNOTSUPP;	2428	return -EOPNOTSUPP;
2424		2429
		2430	#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
2425	if (sock->sk->sk_family == PF_INET6)	2431	if (sock->sk->sk_family == PF_INET6)
2426	smk_ipv6_port_label(sock, NULL);	2432	smk_ipv6_port_label(sock, NULL);
		2433	#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
2427		2434
2428	return 0;	2435	return 0;
2429	}	2436	}
@@ -2451,6 +2458,7 @@ static int smack_socket_post_create(struct socket *sock, int family,
2451	return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);	2458	return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
2452	}	2459	}
2453		2460
		2461	#ifndef CONFIG_SECURITY_SMACK_NETFILTER
2454	/**	2462	/**
2455	* smack_socket_bind - record port binding information.	2463	* smack_socket_bind - record port binding information.
2456	* @sock: the socket	2464	* @sock: the socket
@@ -2464,11 +2472,14 @@ static int smack_socket_post_create(struct socket *sock, int family,
2464	static int smack_socket_bind(struct socket sock, struct sockaddr address,	2472	static int smack_socket_bind(struct socket sock, struct sockaddr address,
2465	int addrlen)	2473	int addrlen)
2466	{	2474	{
		2475	#if IS_ENABLED(CONFIG_IPV6)
2467	if (sock->sk != NULL && sock->sk->sk_family == PF_INET6)	2476	if (sock->sk != NULL && sock->sk->sk_family == PF_INET6)
2468	smk_ipv6_port_label(sock, address);	2477	smk_ipv6_port_label(sock, address);
		2478	#endif
2469		2479
2470	return 0;	2480	return 0;
2471	}	2481	}
		2482	#endif /* !CONFIG_SECURITY_SMACK_NETFILTER */
2472		2483
2473	/**	2484	/**
2474	* smack_socket_connect - connect access check	2485	* smack_socket_connect - connect access check
@@ -2497,8 +2508,10 @@ static int smack_socket_connect(struct socket sock, struct sockaddr sap,
2497	case PF_INET6:	2508	case PF_INET6:
2498	if (addrlen < sizeof(struct sockaddr_in6))	2509	if (addrlen < sizeof(struct sockaddr_in6))
2499	return -EINVAL;	2510	return -EINVAL;
		2511	#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
2500	rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap,	2512	rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap,
2501	SMK_CONNECTING);	2513	SMK_CONNECTING);
		2514	#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
2502	break;	2515	break;
2503	}	2516	}
2504	return rc;	2517	return rc;
@@ -3381,7 +3394,9 @@ static int smack_socket_sendmsg(struct socket sock, struct msghdr msg,
3381	int size)	3394	int size)
3382	{	3395	{
3383	struct sockaddr_in sip = (struct sockaddr_in ) msg->msg_name;	3396	struct sockaddr_in sip = (struct sockaddr_in ) msg->msg_name;
		3397	#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
3384	struct sockaddr_in6 sap = (struct sockaddr_in6 ) msg->msg_name;	3398	struct sockaddr_in6 sap = (struct sockaddr_in6 ) msg->msg_name;
		3399	#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
3385	int rc = 0;	3400	int rc = 0;
3386		3401
3387	/*	3402	/*
@@ -3395,7 +3410,9 @@ static int smack_socket_sendmsg(struct socket sock, struct msghdr msg,
3395	rc = smack_netlabel_send(sock->sk, sip);	3410	rc = smack_netlabel_send(sock->sk, sip);
3396	break;	3411	break;
3397	case AF_INET6:	3412	case AF_INET6:
		3413	#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
3398	rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);	3414	rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
		3415	#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
3399	break;	3416	break;
3400	}	3417	}
3401	return rc;	3418	return rc;
@@ -3486,6 +3503,7 @@ static struct smack_known smack_from_secattr(struct netlbl_lsm_secattr sap,
3486	return smack_net_ambient;	3503	return smack_net_ambient;
3487	}	3504	}
3488		3505
		3506	#if IS_ENABLED(CONFIG_IPV6)
3489	static int smk_skb_to_addr_ipv6(struct sk_buff skb, struct sockaddr_in6 sip)	3507	static int smk_skb_to_addr_ipv6(struct sk_buff skb, struct sockaddr_in6 sip)
3490	{	3508	{
3491	u8 nexthdr;	3509	u8 nexthdr;
@@ -3532,6 +3550,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff skb, struct sockaddr_in6 sip)
3532	}	3550	}
3533	return proto;	3551	return proto;
3534	}	3552	}
		3553	#endif /* CONFIG_IPV6 */
3535		3554
3536	/**	3555	/**
3537	* smack_socket_sock_rcv_skb - Smack packet delivery access check	3556	* smack_socket_sock_rcv_skb - Smack packet delivery access check
@@ -3544,15 +3563,30 @@ static int smack_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
3544	{	3563	{
3545	struct netlbl_lsm_secattr secattr;	3564	struct netlbl_lsm_secattr secattr;
3546	struct socket_smack *ssp = sk->sk_security;	3565	struct socket_smack *ssp = sk->sk_security;
3547	struct smack_known *skp;	3566	struct smack_known *skp = NULL;
3548	struct sockaddr_in6 sadd;
3549	int rc = 0;	3567	int rc = 0;
3550	struct smk_audit_info ad;	3568	struct smk_audit_info ad;
3551	#ifdef CONFIG_AUDIT	3569	#ifdef CONFIG_AUDIT
3552	struct lsm_network_audit net;	3570	struct lsm_network_audit net;
3553	#endif	3571	#endif
		3572	#if IS_ENABLED(CONFIG_IPV6)
		3573	struct sockaddr_in6 sadd;
		3574	int proto;
		3575	#endif /* CONFIG_IPV6 */
		3576
3554	switch (sk->sk_family) {	3577	switch (sk->sk_family) {
3555	case PF_INET:	3578	case PF_INET:
		3579	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		3580	/*
		3581	* If there is a secmark use it rather than the CIPSO label.
		3582	* If there is no secmark fall back to CIPSO.
		3583	* The secmark is assumed to reflect policy better.
		3584	*/
		3585	if (skb && skb->secmark != 0) {
		3586	skp = smack_from_secid(skb->secmark);
		3587	goto access_check;
		3588	}
		3589	#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
3556	/*	3590	/*
3557	* Translate what netlabel gave us.	3591	* Translate what netlabel gave us.
3558	*/	3592	*/
@@ -3566,6 +3600,9 @@ static int smack_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
3566		3600
3567	netlbl_secattr_destroy(&secattr);	3601	netlbl_secattr_destroy(&secattr);
3568		3602
		3603	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		3604	access_check:
		3605	#endif
3569	#ifdef CONFIG_AUDIT	3606	#ifdef CONFIG_AUDIT
3570	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);	3607	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3571	ad.a.u.net->family = sk->sk_family;	3608	ad.a.u.net->family = sk->sk_family;
@@ -3584,14 +3621,32 @@ static int smack_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
3584	if (rc != 0)	3621	if (rc != 0)
3585	netlbl_skbuff_err(skb, rc, 0);	3622	netlbl_skbuff_err(skb, rc, 0);
3586	break;	3623	break;
		3624	#if IS_ENABLED(CONFIG_IPV6)
3587	case PF_INET6:	3625	case PF_INET6:
3588	rc = smk_skb_to_addr_ipv6(skb, &sadd);	3626	proto = smk_skb_to_addr_ipv6(skb, &sadd);
3589	if (rc == IPPROTO_UDP \|\| rc == IPPROTO_TCP)	3627	if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
3590	rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);	3628	break;
		3629	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		3630	if (skb && skb->secmark != 0)
		3631	skp = smack_from_secid(skb->secmark);
3591	else	3632	else
3592	rc = 0;	3633	skp = smack_net_ambient;
		3634	#ifdef CONFIG_AUDIT
		3635	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
		3636	ad.a.u.net->family = sk->sk_family;
		3637	ad.a.u.net->netif = skb->skb_iif;
		3638	ipv6_skb_to_auditdata(skb, &ad.a, NULL);
		3639	#endif /* CONFIG_AUDIT */
		3640	rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
		3641	rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in,
		3642	MAY_WRITE, rc);
		3643	#else /* CONFIG_SECURITY_SMACK_NETFILTER */
		3644	rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
		3645	#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
3593	break;	3646	break;
		3647	#endif /* CONFIG_IPV6 */
3594	}	3648	}
		3649
3595	return rc;	3650	return rc;
3596	}	3651	}
3597		3652
@@ -3653,16 +3708,25 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
3653	if (skb != NULL) {	3708	if (skb != NULL) {
3654	if (skb->protocol == htons(ETH_P_IP))	3709	if (skb->protocol == htons(ETH_P_IP))
3655	family = PF_INET;	3710	family = PF_INET;
		3711	#if IS_ENABLED(CONFIG_IPV6)
3656	else if (skb->protocol == htons(ETH_P_IPV6))	3712	else if (skb->protocol == htons(ETH_P_IPV6))
3657	family = PF_INET6;	3713	family = PF_INET6;
		3714	#endif /* CONFIG_IPV6 */
3658	}	3715	}
3659	if (family == PF_UNSPEC && sock != NULL)	3716	if (family == PF_UNSPEC && sock != NULL)
3660	family = sock->sk->sk_family;	3717	family = sock->sk->sk_family;
3661		3718
3662	if (family == PF_UNIX) {	3719	switch (family) {
		3720	case PF_UNIX:
3663	ssp = sock->sk->sk_security;	3721	ssp = sock->sk->sk_security;
3664	s = ssp->smk_out->smk_secid;	3722	s = ssp->smk_out->smk_secid;
3665	} else if (family == PF_INET \|\| family == PF_INET6) {	3723	break;
		3724	case PF_INET:
		3725	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		3726	s = skb->secmark;
		3727	if (s != 0)
		3728	break;
		3729	#endif
3666	/*	3730	/*
3667	* Translate what netlabel gave us.	3731	* Translate what netlabel gave us.
3668	*/	3732	*/
@@ -3675,6 +3739,14 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
3675	s = skp->smk_secid;	3739	s = skp->smk_secid;
3676	}	3740	}
3677	netlbl_secattr_destroy(&secattr);	3741	netlbl_secattr_destroy(&secattr);
		3742	break;
		3743	#if IS_ENABLED(CONFIG_IPV6)
		3744	case PF_INET6:
		3745	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		3746	s = skb->secmark;
		3747	#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
		3748	break;
		3749	#endif /* CONFIG_IPV6 */
3678	}	3750	}
3679	*secid = s;	3751	*secid = s;
3680	if (s == 0)	3752	if (s == 0)
@@ -3730,6 +3802,7 @@ static int smack_inet_conn_request(struct sock sk, struct sk_buff skb,
3730	struct lsm_network_audit net;	3802	struct lsm_network_audit net;
3731	#endif	3803	#endif
3732		3804
		3805	#if IS_ENABLED(CONFIG_IPV6)
3733	if (family == PF_INET6) {	3806	if (family == PF_INET6) {
3734	/*	3807	/*
3735	* Handle mapped IPv4 packets arriving	3808	* Handle mapped IPv4 packets arriving
@@ -3741,6 +3814,7 @@ static int smack_inet_conn_request(struct sock sk, struct sk_buff skb,
3741	else	3814	else
3742	return 0;	3815	return 0;
3743	}	3816	}
		3817	#endif /* CONFIG_IPV6 */
3744		3818
3745	netlbl_secattr_init(&secattr);	3819	netlbl_secattr_init(&secattr);
3746	rc = netlbl_skbuff_getattr(skb, family, &secattr);	3820	rc = netlbl_skbuff_getattr(skb, family, &secattr);
@@ -4199,7 +4273,9 @@ struct security_operations smack_ops = {
4199	.unix_may_send = smack_unix_may_send,	4273	.unix_may_send = smack_unix_may_send,
4200		4274
4201	.socket_post_create = smack_socket_post_create,	4275	.socket_post_create = smack_socket_post_create,
		4276	#ifndef CONFIG_SECURITY_SMACK_NETFILTER
4202	.socket_bind = smack_socket_bind,	4277	.socket_bind = smack_socket_bind,
		4278	#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
4203	.socket_connect = smack_socket_connect,	4279	.socket_connect = smack_socket_connect,
4204	.socket_sendmsg = smack_socket_sendmsg,	4280	.socket_sendmsg = smack_socket_sendmsg,
4205	.socket_sock_rcv_skb = smack_socket_sock_rcv_skb,	4281	.socket_sock_rcv_skb = smack_socket_sock_rcv_skb,
@@ -4280,6 +4356,8 @@ static __init int smack_init(void)
4280	if (!security_module_enable(&smack_ops))	4356	if (!security_module_enable(&smack_ops))
4281	return 0;	4357	return 0;
4282		4358
		4359	smack_enabled = 1;
		4360
4283	smack_inode_cache = KMEM_CACHE(inode_smack, 0);	4361	smack_inode_cache = KMEM_CACHE(inode_smack, 0);
4284	if (!smack_inode_cache)	4362	if (!smack_inode_cache)
4285	return -ENOMEM;	4363	return -ENOMEM;


diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c new file mode 100644 index 000000000000..c952632afb0d --- /dev/null +++ b/security/smack/smack_netfilter.c
@@ -0,0 +1,96 @@
		1	/*
		2	* Simplified MAC Kernel (smack) security module
		3	*
		4	* This file contains the Smack netfilter implementation
		5	*
		6	* Author:
		7	* Casey Schaufler <casey@schaufler-ca.com>
		8	*
		9	* Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
		10	* Copyright (C) 2014 Intel Corporation.
		11	*
		12	* This program is free software; you can redistribute it and/or modify
		13	* it under the terms of the GNU General Public License version 2,
		14	* as published by the Free Software Foundation.
		15	*/
		16
		17	#include <linux/netfilter_ipv4.h>
		18	#include <linux/netfilter_ipv6.h>
		19	#include <linux/netdevice.h>
		20	#include "smack.h"
		21
		22	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		23
		24	static unsigned int smack_ipv6_output(const struct nf_hook_ops *ops,
		25	struct sk_buff *skb,
		26	const struct net_device *in,
		27	const struct net_device *out,
		28	int (okfn)(struct sk_buff ))
		29	{
		30	struct socket_smack *ssp;
		31	struct smack_known *skp;
		32
		33	if (skb && skb->sk && skb->sk->sk_security) {
		34	ssp = skb->sk->sk_security;
		35	skp = ssp->smk_out;
		36	skb->secmark = skp->smk_secid;
		37	}
		38
		39	return NF_ACCEPT;
		40	}
		41	#endif /* IPV6 */
		42
		43	static unsigned int smack_ipv4_output(const struct nf_hook_ops *ops,
		44	struct sk_buff *skb,
		45	const struct net_device *in,
		46	const struct net_device *out,
		47	int (okfn)(struct sk_buff ))
		48	{
		49	struct socket_smack *ssp;
		50	struct smack_known *skp;
		51
		52	if (skb && skb->sk && skb->sk->sk_security) {
		53	ssp = skb->sk->sk_security;
		54	skp = ssp->smk_out;
		55	skb->secmark = skp->smk_secid;
		56	}
		57
		58	return NF_ACCEPT;
		59	}
		60
		61	static struct nf_hook_ops smack_nf_ops[] = {
		62	{
		63	.hook = smack_ipv4_output,
		64	.owner = THIS_MODULE,
		65	.pf = NFPROTO_IPV4,
		66	.hooknum = NF_INET_LOCAL_OUT,
		67	.priority = NF_IP_PRI_SELINUX_FIRST,
		68	},
		69	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		70	{
		71	.hook = smack_ipv6_output,
		72	.owner = THIS_MODULE,
		73	.pf = NFPROTO_IPV6,
		74	.hooknum = NF_INET_LOCAL_OUT,
		75	.priority = NF_IP6_PRI_SELINUX_FIRST,
		76	},
		77	#endif /* IPV6 */
		78	};
		79
		80	static int __init smack_nf_ip_init(void)
		81	{
		82	int err;
		83
		84	if (smack_enabled == 0)
		85	return 0;
		86
		87	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
		88
		89	err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
		90	if (err)
		91	pr_info("Smack: nf_register_hooks: error %d\n", err);
		92
		93	return 0;
		94	}
		95
		96	__initcall(smack_nf_ip_init);