Commit
9d5a5f65
authored
Jan 22, 2015
by
James Morris
Merge branch 'smack-for-3.20-rebased' of
git://git.gitorious.org/smack-next/kernel
into next
parents
743410a0
6d1cff2a
Showing
5 changed files
with
267 additions
and
52 deletions
+267
-52
security/smack/Kconfig
security/smack/Kconfig
+12
-0
security/smack/Makefile
security/smack/Makefile
+1
-0
security/smack/smack.h
security/smack/smack.h
+11
-0
security/smack/smack_lsm.c
security/smack/smack_lsm.c
+147
-52
security/smack/smack_netfilter.c
security/smack/smack_netfilter.c
+96
-0
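--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -28,3 +28,15 @@ config SECURITY_SMACK_BRINGUP
 access rule set once the behavior is well understood.
 This is a superior mechanism to the oft abused
 "permissive" mode of other systems.
+If you are unsure how to answer this question, answer N.
+config SECURITY_SMACK_NETFILTER
+bool "Packet marking using secmarks for netfilter"
+depends on SECURITY_SMACK
+depends on NETWORK_SECMARK
+depends on NETFILTER
+default n
+help
+This enables security marking of network packets using
+Smack labels.
+If you are unsure how to answer this question, answer N.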
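--- a/security/smack/Makefile
+++ b/security/smack/Makefile
@@ -5,3 +5,4 @@
 obj-$(CONFIG_SECURITY_SMACK) := smack.o
 smack-y := smack_lsm.o smack_access.o smackfs.o
+smack-$(CONFIG_NETFILTER) += smack_netfilter.o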
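Review bot: The new object is keyed on CONFIG_NETFILTER rather than on the CONFIG_SECURITY_SMACK_NETFILTER option this same commit adds to security/smack/Kconfig, so answering N to the new option does not keep smack_netfilter.o out of the build and the secmark hooks are registered on any NETFILTER kernel. On a NETFILTER=y, NETWORK_SECMARK=n configuration the hooks' writes to skb->secmark presumably fail to compile as well, since that sk_buff field is conditional on NETWORK_SECMARK and the new option's own `depends on NETWORK_SECMARK` is bypassed. `smack-$(CONFIG_SECURITY_SMACK_NETFILTER) += smack_netfilter.o` ties the file to the option that is meant to control it, and the option's existing dependencies already cover the build prerequisites.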
security/smack/smack.h
@@ -248,6 +248,7 @@ struct smack_known *smk_find_entry(const char *);
@@ -248,6 +248,7 @@ struct smack_known *smk_find_entry(const char *);
/*
/*
* Shared data.
* Shared data.
*/
*/
extern
int
smack_enabled
;
extern
int
smack_cipso_direct
;
extern
int
smack_cipso_direct
;
extern
int
smack_cipso_mapped
;
extern
int
smack_cipso_mapped
;
extern
struct
smack_known
*
smack_net_ambient
;
extern
struct
smack_known
*
smack_net_ambient
;
@@ -298,6 +299,16 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
@@ -298,6 +299,16 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
return
tsp
->
smk_task
;
return
tsp
->
smk_task
;
}
}
static
inline
struct
smack_known
*
smk_of_task_struct
(
const
struct
task_struct
*
t
)
{
struct
smack_known
*
skp
;
rcu_read_lock
();
skp
=
smk_of_task
(
__task_cred
(
t
)
->
security
);
rcu_read_unlock
();
return
skp
;
}
/*
/*
* Present a pointer to the forked smack label entry in an task blob.
* Present a pointer to the forked smack label entry in an task blob.
*/
*/
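Review bot: `smk_of_task_struct` in the second hunk returns the `struct smack_known` pointer after `rcu_read_unlock()`, so the caller relies on that entry outliving the read-side section; as far as the rest of the tree shows, Smack never frees `smack_known` entries, and that invariant is what makes the early unlock safe, but nothing at the helper says so. The neighbouring helpers in this header each carry a block comment and this one has none, so I would add, in the file's style, `/* * Present a pointer to the smack label entry of a task_struct, looked up under RCU. Returning it outside the read-side section is safe because smack_known entries are never freed. */` above the definition.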
security/smack/smack_lsm.c
security/smack/smack_netfilter.c
0 → 100644
/*
* Simplified MAC Kernel (smack) security module
*
* This file contains the Smack netfilter implementation
*
* Author:
* Casey Schaufler <casey@schaufler-ca.com>
*
* Copyright (C) 2014 Casey Schaufler <casey@schaufler-ca.com>
* Copyright (C) 2014 Intel Corporation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
*/
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv6.h>
#include <linux/netdevice.h>
#include "smack.h"
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
static
unsigned
int
smack_ipv6_output
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
struct
socket_smack
*
ssp
;
struct
smack_known
*
skp
;
if
(
skb
&&
skb
->
sk
&&
skb
->
sk
->
sk_security
)
{
ssp
=
skb
->
sk
->
sk_security
;
skp
=
ssp
->
smk_out
;
skb
->
secmark
=
skp
->
smk_secid
;
}
return
NF_ACCEPT
;
}
#endif
/* IPV6 */
static
unsigned
int
smack_ipv4_output
(
const
struct
nf_hook_ops
*
ops
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
struct
socket_smack
*
ssp
;
struct
smack_known
*
skp
;
if
(
skb
&&
skb
->
sk
&&
skb
->
sk
->
sk_security
)
{
ssp
=
skb
->
sk
->
sk_security
;
skp
=
ssp
->
smk_out
;
skb
->
secmark
=
skp
->
smk_secid
;
}
return
NF_ACCEPT
;
}
static
struct
nf_hook_ops
smack_nf_ops
[]
=
{
{
.
hook
=
smack_ipv4_output
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP_PRI_SELINUX_FIRST
,
},
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
{
.
hook
=
smack_ipv6_output
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP6_PRI_SELINUX_FIRST
,
},
#endif
/* IPV6 */
};
static
int
__init
smack_nf_ip_init
(
void
)
{
int
err
;
if
(
smack_enabled
==
0
)
return
0
;
printk
(
KERN_DEBUG
"Smack: Registering netfilter hooks
\n
"
);
err
=
nf_register_hooks
(
smack_nf_ops
,
ARRAY_SIZE
(
smack_nf_ops
));
if
(
err
)
pr_info
(
"Smack: nf_register_hooks: error %d
\n
"
,
err
);
return
0
;
}
__initcall
(
smack_nf_ip_init
);
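Review bot: `smack_nf_ip_init` logs a failed `nf_register_hooks()` at `pr_info` level and still returns 0, so a kernel whose secmark hooks never registered looks fully initialised while outgoing packets presumably keep their default secmark of 0, and any netfilter policy written against Smack secmarks simply stops matching without an obvious signal. I would raise that message to `pr_warn` and consider `return err;` so the failure is recorded as an initcall error rather than an informational line. Separately, `smack_ipv4_output` and `smack_ipv6_output` are identical apart from their names; a single handler, say `smack_ip_output`, referenced from both entries would remove the duplicate with the one change `.hook = smack_ip_output,` in each `smack_nf_ops` element.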