calipso: Allow the lsm to label the skbuff directly.

In some cases, the lsm needs to add the label to the skbuff directly. A NF_INET_LOCAL_OUT IPv6 hook is added to selinux to match the IPv4 behaviour. This allows selinux to label the skbuffs that it requires. Signed-off-by: Huw Davies <huw@codeweavers.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Huw Davies <huw@codeweavers.com> 2016-06-27 15:06:15 -0400
committer: Paul Moore <paul@paul-moore.com> 2016-06-27 15:06:15 -0400
commit: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 (patch)
tree: cf6e68541ba82eb7c4b11a7ba563f423060d8b46 /security/selinux
parent: 0868383b822e4d8ebde980c7aac973a6aa81a3ec (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a00ab81ab719..cb7c5c8028e7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5063,6 +5063,15 @@ static unsigned int selinux_ipv4_output(void *priv,
        return selinux_ip_output(skb, PF_INET);
 }
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static unsigned int selinux_ipv6_output(void *priv,
+                                        struct sk_buff *skb,
+                                        const struct nf_hook_state *state)
+{
+        return selinux_ip_output(skb, PF_INET6);
+}
+#endif  /* IPV6 */
 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                                                int ifindex,
                                                u16 family)
@@ -6297,6 +6306,12 @@ static struct nf_hook_ops selinux_nf_ops[] = {
                .hooknum =      NF_INET_FORWARD,
                .priority =     NF_IP6_PRI_SELINUX_FIRST,
        },
+        {
+                .hook =         selinux_ipv6_output,
+                .pf =           NFPROTO_IPV6,
+                .hooknum =      NF_INET_LOCAL_OUT,
+                .priority =     NF_IP6_PRI_SELINUX_FIRST,
+        },
 #endif  /* IPV6 */
 };
author	Huw Davies <huw@codeweavers.com>	2016-06-27 15:06:15 -0400
committer	Paul Moore <paul@paul-moore.com>	2016-06-27 15:06:15 -0400
commit	2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 (patch)
tree	cf6e68541ba82eb7c4b11a7ba563f423060d8b46 /security/selinux
parent	0868383b822e4d8ebde980c7aac973a6aa81a3ec (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a00ab81ab719..cb7c5c8028e7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -5063,6 +5063,15 @@ static unsigned int selinux_ipv4_output(void *priv,
5063	return selinux_ip_output(skb, PF_INET);	5063	return selinux_ip_output(skb, PF_INET);
5064	}	5064	}
5065		5065
		5066	#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
		5067	static unsigned int selinux_ipv6_output(void *priv,
		5068	struct sk_buff *skb,
		5069	const struct nf_hook_state *state)
		5070	{
		5071	return selinux_ip_output(skb, PF_INET6);
		5072	}
		5073	#endif /* IPV6 */
		5074
5066	static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,	5075	static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
5067	int ifindex,	5076	int ifindex,
5068	u16 family)	5077	u16 family)
@@ -6297,6 +6306,12 @@ static struct nf_hook_ops selinux_nf_ops[] = {
6297	.hooknum = NF_INET_FORWARD,	6306	.hooknum = NF_INET_FORWARD,
6298	.priority = NF_IP6_PRI_SELINUX_FIRST,	6307	.priority = NF_IP6_PRI_SELINUX_FIRST,
6299	},	6308	},
		6309	{
		6310	.hook = selinux_ipv6_output,
		6311	.pf = NFPROTO_IPV6,
		6312	.hooknum = NF_INET_LOCAL_OUT,
		6313	.priority = NF_IP6_PRI_SELINUX_FIRST,
		6314	},
6300	#endif /* IPV6 */	6315	#endif /* IPV6 */
6301	};	6316	};
6302		6317