>From 1c79c7c413dd3ebd72dbe12e1133037c6ea223af Mon Sep 17 00:00:00 2001
From: Tilman Baumann
Date: Thu, 25 Sep 2008 19:07:37 +0200
Subject: [PATCH] SMACK netfilter socket label match
Signed-off-by: Tilman Baumann
---
 include/linux/netfilter/Kbuild | 1 +
 include/linux/netfilter/xt_smack.h | 21 +++++++++
 net/netfilter/Kconfig | 10 +++++
 net/netfilter/Makefile | 1 +
 net/netfilter/xt_smack.c | 79 ++++++++++++++++++++++++++++++++++++
 5 files changed, 112 insertions(+), 0 deletions(-)
 create mode 100644 include/linux/netfilter/xt_smack.h
 create mode 100644 net/netfilter/xt_smack.c
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 3aff513..9c8fffd 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -29,6 +29,7 @@ header-y += xt_mac.h
 header-y += xt_mark.h
 header-y += xt_multiport.h
 header-y += xt_owner.h
+header-y += xt_smack.h
 header-y += xt_pkttype.h
 header-y += xt_rateest.h
 header-y += xt_realm.h
diff --git a/include/linux/netfilter/xt_smack.h b/include/linux/netfilter/xt_smack.h
new file mode 100644
index 0000000..a3a4471
--- /dev/null
+++ b/include/linux/netfilter/xt_smack.h
@@ -0,0 +1,21 @@
+#ifndef _XT_SMACK_MATCH_H
+#define _XT_SMACK_MATCH_H
+
+#define SMK_MAXLEN 23
+#define SMK_LABELLEN (SMK_MAXLEN+1)
+
+enum {
+ XT_SMACK_IN = 1 << 0,
+ XT_SMACK_OUT = 1 << 1,
+ XT_SMACK_PEER = 1 << 2,
+};
+
+struct xt_smack_match_info {
+ u_int8_t mask, invert;
+ char match_in[SMK_LABELLEN];
+ char match_out[SMK_LABELLEN];
+ char match_peer_packet[SMK_LABELLEN];
+
+};
+
+#endif /* _XT_SMACK_MATCH_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ee898e7..e03ff69 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
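Review bot: SMK_MAXLEN and SMK_LABELLEN are redefined in xt_smack.h with the same values that security/smack/smack.h defines, and xt_smack.c includes both headers, so the build only succeeds while the two definitions stay token-identical. The copy is unavoidable because the header is exported to userspace through Kbuild and cannot pull in the Smack header, so the dependency should at least be written down next to the defines: `/* Must stay identical to SMK_MAXLEN/SMK_LABELLEN in security/smack/smack.h */`. Since struct xt_smack_match_info is userspace ABI, consider `__u8` from linux/types.h instead of `u_int8_t`, which depends on the C library's sys/types.h, and drop the stray blank line before the closing brace.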
@@ -650,6 +650,16 @@ config NETFILTER_XT_MATCH_OWNER
 based on who created the socket: the user or group. It is also
 possible to check whether a socket actually exists.
 
+config NETFILTER_XT_MATCH_SMACK
+ tristate '"smack" socket label match support'
+ depends on NETFILTER_XTABLES
+ depends on NETFILTER_ADVANCED
+ depends on SECURITY_SMACK
+ help
+ SMACK label matching allows you to match locally generated packets
+ based on the smack labels of the socket which is inherited from the
+ associated process and allows matching on the TCP peers CIPSO label.
+
 config NETFILTER_XT_MATCH_POLICY
 tristate 'IPsec "policy" match support'
 depends on NETFILTER_XTABLES && XFRM
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3bd2cc5..dc2efe5 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -83,3 +83,4 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_SMACK) += xt_smack.o
diff --git a/net/netfilter/xt_smack.c b/net/netfilter/xt_smack.c
new file mode 100644
index 0000000..b41a559
--- /dev/null
+++ b/net/netfilter/xt_smack.c
@@ -0,0 +1,79 @@
+/*
+ * Kernel module to match against SMACK labels
+ *
+ * (C) 2008 Tilman Baumann
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include
+#include
+#include
+#include
+#include
+#include
+#include <../security/smack/smack.h>
+
+
+static bool
+smack_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_smack_match_info *info = matchinfo;
+ struct socket_smack *smacks;
+
+ if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+ return (info->mask ^ info->invert) == 0;
+ smacks = skb->sk->sk_security;
+ if (smacks == NULL){
+ return (info->mask ^ info->invert);
+ }
+
+ if(info->mask & XT_SMACK_IN){
+ return ! ((!strncmp(smacks->smk_in, info->match_in, SMK_LABELLEN)) ^
+ (info->invert & XT_SMACK_IN));
+ }
+
+ if(info->mask & XT_SMACK_OUT){
+ return ! ((!strncmp(smacks->smk_in, info->match_out, SMK_LABELLEN)) ^
+ (info->invert & XT_SMACK_OUT));
+ }
+
+ if(info->mask & XT_SMACK_PEER){
+ return ! ((!strncmp(smacks->smk_packet, info->match_peer_packet, SMK_LABELLEN)) ^
+ (info->invert & XT_SMACK_IN));
+ }
+ return true;
+}
+
+
+static struct xt_match smack_mt_reg[] __read_mostly = {
+ {
+ .name = "smack",
+ .match = smack_mt,
+ .matchsize = sizeof(struct xt_smack_match_info),
+ .family = AF_INET,
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init smack_mt_init(void)
+{
+ return xt_register_matches(smack_mt_reg, ARRAY_SIZE(smack_mt_reg));
+}
+
+static void __exit smack_mt_exit(void)
+{
+ xt_unregister_matches(smack_mt_reg, ARRAY_SIZE(smack_mt_reg));
+}
+
+module_init(smack_mt_init);
+module_exit(smack_mt_exit);
+MODULE_AUTHOR("Tilman Baumann ");
+MODULE_DESCRIPTION("Xtables: socket SMACK label matching");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_smack");
+MODULE_ALIAS("ip6t_smack");
--
1.5.6.3
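Review bot: The three label comparisons in smack_mt do not agree with each other or with the flags in xt_smack.h: the XT_SMACK_OUT branch compares `smacks->smk_in` where `smk_out` is meant, the XT_SMACK_PEER branch tests `info->invert & XT_SMACK_IN` instead of `XT_SMACK_PEER`, and the invert bits are XOR-ed without normalising to 0/1, so `info->invert & XT_SMACK_OUT` (value 2) can never cancel the 0/1 strncmp result and an inverted --out rule never matches. Because each branch returns immediately, a rule with more than one mask bit set only ever checks the lowest one, and using `!strncmp` as the XOR operand makes a non-inverted rule succeed when the labels differ, which I assume is not intended (xt_owner's `(cond != x) ^ !!(invert & FLAG)` idiom gives the usual sense). The `smacks == NULL` path returns `info->mask ^ info->invert` converted to bool, which is true for any plain rule, so a socket without a Smack blob would satisfy a label match even though the `skb->sk == NULL` path two lines above only matches when mask and invert cancel; both should use the same `== 0` policy. matchinfo is copied in from userspace and never validated, so a `.checkentry` rejecting `mask == 0`, `invert & ~mask`, and labels that are not NUL-terminated within SMK_LABELLEN would close those cases. Separately, the match is registered for AF_INET only while `MODULE_ALIAS("ip6t_smack")` advertises it to ip6tables, so either add an AF_INET6 entry or drop that alias; the comparison block rewritten with the xt_owner idiom:
```c
	/* … unchanged: skb->sk / sk_socket NULL check … */
	smacks = skb->sk->sk_security;
	if (smacks == NULL)
		return (info->mask ^ info->invert) == 0;

	if ((info->mask & XT_SMACK_IN) &&
	    (strncmp(smacks->smk_in, info->match_in, SMK_LABELLEN) != 0) ^
	    !!(info->invert & XT_SMACK_IN))
		return false;
	if ((info->mask & XT_SMACK_OUT) &&
	    (strncmp(smacks->smk_out, info->match_out, SMK_LABELLEN) != 0) ^
	    !!(info->invert & XT_SMACK_OUT))
		return false;
	if ((info->mask & XT_SMACK_PEER) &&
	    (strncmp(smacks->smk_packet, info->match_peer_packet, SMK_LABELLEN) != 0) ^
	    !!(info->invert & XT_SMACK_PEER))
		return false;
	return true;
```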