diff options
| author | James Morris <james.l.morris@oracle.com> | 2015-11-23 06:46:28 -0500 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2015-11-23 06:46:28 -0500 |
| commit | ebd68df3f24b318d391d15c458d6f43f340ba36a (patch) | |
| tree | f0277bc4b853abe5db1d30fa4e10b05bba7f2ac5 /security/selinux/hooks.c | |
| parent | e42852bf88144affc227884b62637118ba74b783 (diff) | |
| parent | 1ec218373b8ebda821aec00bb156a9c94fad9cd4 (diff) | |
Sync to Linus v4.4-rc2 for LSM developers.
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 29 |
1 files changed, 13 insertions, 16 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 305399225010..d0cfaa9f19d0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -4864,7 +4864,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, | |||
| 4864 | return NF_ACCEPT; | 4864 | return NF_ACCEPT; |
| 4865 | } | 4865 | } |
| 4866 | 4866 | ||
| 4867 | static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops, | 4867 | static unsigned int selinux_ipv4_forward(void *priv, |
| 4868 | struct sk_buff *skb, | 4868 | struct sk_buff *skb, |
| 4869 | const struct nf_hook_state *state) | 4869 | const struct nf_hook_state *state) |
| 4870 | { | 4870 | { |
| @@ -4872,7 +4872,7 @@ static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops, | |||
| 4872 | } | 4872 | } |
| 4873 | 4873 | ||
| 4874 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 4874 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 4875 | static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops, | 4875 | static unsigned int selinux_ipv6_forward(void *priv, |
| 4876 | struct sk_buff *skb, | 4876 | struct sk_buff *skb, |
| 4877 | const struct nf_hook_state *state) | 4877 | const struct nf_hook_state *state) |
| 4878 | { | 4878 | { |
| @@ -4896,7 +4896,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, | |||
| 4896 | if (sk) { | 4896 | if (sk) { |
| 4897 | struct sk_security_struct *sksec; | 4897 | struct sk_security_struct *sksec; |
| 4898 | 4898 | ||
| 4899 | if (sk->sk_state == TCP_LISTEN) | 4899 | if (sk_listener(sk)) |
| 4900 | /* if the socket is the listening state then this | 4900 | /* if the socket is the listening state then this |
| 4901 | * packet is a SYN-ACK packet which means it needs to | 4901 | * packet is a SYN-ACK packet which means it needs to |
| 4902 | * be labeled based on the connection/request_sock and | 4902 | * be labeled based on the connection/request_sock and |
| @@ -4922,7 +4922,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb, | |||
| 4922 | return NF_ACCEPT; | 4922 | return NF_ACCEPT; |
| 4923 | } | 4923 | } |
| 4924 | 4924 | ||
| 4925 | static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops, | 4925 | static unsigned int selinux_ipv4_output(void *priv, |
| 4926 | struct sk_buff *skb, | 4926 | struct sk_buff *skb, |
| 4927 | const struct nf_hook_state *state) | 4927 | const struct nf_hook_state *state) |
| 4928 | { | 4928 | { |
| @@ -4933,7 +4933,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | |||
| 4933 | int ifindex, | 4933 | int ifindex, |
| 4934 | u16 family) | 4934 | u16 family) |
| 4935 | { | 4935 | { |
| 4936 | struct sock *sk = skb->sk; | 4936 | struct sock *sk = skb_to_full_sk(skb); |
| 4937 | struct sk_security_struct *sksec; | 4937 | struct sk_security_struct *sksec; |
| 4938 | struct common_audit_data ad; | 4938 | struct common_audit_data ad; |
| 4939 | struct lsm_network_audit net = {0,}; | 4939 | struct lsm_network_audit net = {0,}; |
| @@ -4988,7 +4988,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, | |||
| 4988 | if (!secmark_active && !peerlbl_active) | 4988 | if (!secmark_active && !peerlbl_active) |
| 4989 | return NF_ACCEPT; | 4989 | return NF_ACCEPT; |
| 4990 | 4990 | ||
| 4991 | sk = skb->sk; | 4991 | sk = skb_to_full_sk(skb); |
| 4992 | 4992 | ||
| 4993 | #ifdef CONFIG_XFRM | 4993 | #ifdef CONFIG_XFRM |
| 4994 | /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec | 4994 | /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec |
| @@ -5003,7 +5003,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, | |||
| 5003 | * unfortunately, this means more work, but it is only once per | 5003 | * unfortunately, this means more work, but it is only once per |
| 5004 | * connection. */ | 5004 | * connection. */ |
| 5005 | if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && | 5005 | if (skb_dst(skb) != NULL && skb_dst(skb)->xfrm != NULL && |
| 5006 | !(sk != NULL && sk->sk_state == TCP_LISTEN)) | 5006 | !(sk && sk_listener(sk))) |
| 5007 | return NF_ACCEPT; | 5007 | return NF_ACCEPT; |
| 5008 | #endif | 5008 | #endif |
| 5009 | 5009 | ||
| @@ -5020,7 +5020,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, | |||
| 5020 | secmark_perm = PACKET__SEND; | 5020 | secmark_perm = PACKET__SEND; |
| 5021 | peer_sid = SECINITSID_KERNEL; | 5021 | peer_sid = SECINITSID_KERNEL; |
| 5022 | } | 5022 | } |
| 5023 | } else if (sk->sk_state == TCP_LISTEN) { | 5023 | } else if (sk_listener(sk)) { |
| 5024 | /* Locally generated packet but the associated socket is in the | 5024 | /* Locally generated packet but the associated socket is in the |
| 5025 | * listening state which means this is a SYN-ACK packet. In | 5025 | * listening state which means this is a SYN-ACK packet. In |
| 5026 | * this particular case the correct security label is assigned | 5026 | * this particular case the correct security label is assigned |
| @@ -5031,7 +5031,9 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, | |||
| 5031 | * selinux_inet_conn_request(). See also selinux_ip_output() | 5031 | * selinux_inet_conn_request(). See also selinux_ip_output() |
| 5032 | * for similar problems. */ | 5032 | * for similar problems. */ |
| 5033 | u32 skb_sid; | 5033 | u32 skb_sid; |
| 5034 | struct sk_security_struct *sksec = sk->sk_security; | 5034 | struct sk_security_struct *sksec; |
| 5035 | |||
| 5036 | sksec = sk->sk_security; | ||
| 5035 | if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) | 5037 | if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) |
| 5036 | return NF_DROP; | 5038 | return NF_DROP; |
| 5037 | /* At this point, if the returned skb peerlbl is SECSID_NULL | 5039 | /* At this point, if the returned skb peerlbl is SECSID_NULL |
| @@ -5097,7 +5099,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, | |||
| 5097 | return NF_ACCEPT; | 5099 | return NF_ACCEPT; |
| 5098 | } | 5100 | } |
| 5099 | 5101 | ||
| 5100 | static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops, | 5102 | static unsigned int selinux_ipv4_postroute(void *priv, |
| 5101 | struct sk_buff *skb, | 5103 | struct sk_buff *skb, |
| 5102 | const struct nf_hook_state *state) | 5104 | const struct nf_hook_state *state) |
| 5103 | { | 5105 | { |
| @@ -5105,7 +5107,7 @@ static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops, | |||
| 5105 | } | 5107 | } |
| 5106 | 5108 | ||
| 5107 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 5109 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 5108 | static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops, | 5110 | static unsigned int selinux_ipv6_postroute(void *priv, |
| 5109 | struct sk_buff *skb, | 5111 | struct sk_buff *skb, |
| 5110 | const struct nf_hook_state *state) | 5112 | const struct nf_hook_state *state) |
| 5111 | { | 5113 | { |
| @@ -6128,21 +6130,18 @@ security_initcall(selinux_init); | |||
| 6128 | static struct nf_hook_ops selinux_nf_ops[] = { | 6130 | static struct nf_hook_ops selinux_nf_ops[] = { |
| 6129 | { | 6131 | { |
| 6130 | .hook = selinux_ipv4_postroute, | 6132 | .hook = selinux_ipv4_postroute, |
| 6131 | .owner = THIS_MODULE, | ||
| 6132 | .pf = NFPROTO_IPV4, | 6133 | .pf = NFPROTO_IPV4, |
| 6133 | .hooknum = NF_INET_POST_ROUTING, | 6134 | .hooknum = NF_INET_POST_ROUTING, |
| 6134 | .priority = NF_IP_PRI_SELINUX_LAST, | 6135 | .priority = NF_IP_PRI_SELINUX_LAST, |
| 6135 | }, | 6136 | }, |
| 6136 | { | 6137 | { |
| 6137 | .hook = selinux_ipv4_forward, | 6138 | .hook = selinux_ipv4_forward, |
| 6138 | .owner = THIS_MODULE, | ||
| 6139 | .pf = NFPROTO_IPV4, | 6139 | .pf = NFPROTO_IPV4, |
| 6140 | .hooknum = NF_INET_FORWARD, | 6140 | .hooknum = NF_INET_FORWARD, |
| 6141 | .priority = NF_IP_PRI_SELINUX_FIRST, | 6141 | .priority = NF_IP_PRI_SELINUX_FIRST, |
| 6142 | }, | 6142 | }, |
| 6143 | { | 6143 | { |
| 6144 | .hook = selinux_ipv4_output, | 6144 | .hook = selinux_ipv4_output, |
| 6145 | .owner = THIS_MODULE, | ||
| 6146 | .pf = NFPROTO_IPV4, | 6145 | .pf = NFPROTO_IPV4, |
| 6147 | .hooknum = NF_INET_LOCAL_OUT, | 6146 | .hooknum = NF_INET_LOCAL_OUT, |
| 6148 | .priority = NF_IP_PRI_SELINUX_FIRST, | 6147 | .priority = NF_IP_PRI_SELINUX_FIRST, |
| @@ -6150,14 +6149,12 @@ static struct nf_hook_ops selinux_nf_ops[] = { | |||
| 6150 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) | 6149 | #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) |
| 6151 | { | 6150 | { |
| 6152 | .hook = selinux_ipv6_postroute, | 6151 | .hook = selinux_ipv6_postroute, |
| 6153 | .owner = THIS_MODULE, | ||
| 6154 | .pf = NFPROTO_IPV6, | 6152 | .pf = NFPROTO_IPV6, |
| 6155 | .hooknum = NF_INET_POST_ROUTING, | 6153 | .hooknum = NF_INET_POST_ROUTING, |
| 6156 | .priority = NF_IP6_PRI_SELINUX_LAST, | 6154 | .priority = NF_IP6_PRI_SELINUX_LAST, |
| 6157 | }, | 6155 | }, |
| 6158 | { | 6156 | { |
| 6159 | .hook = selinux_ipv6_forward, | 6157 | .hook = selinux_ipv6_forward, |
| 6160 | .owner = THIS_MODULE, | ||
| 6161 | .pf = NFPROTO_IPV6, | 6158 | .pf = NFPROTO_IPV6, |
| 6162 | .hooknum = NF_INET_FORWARD, | 6159 | .hooknum = NF_INET_FORWARD, |
| 6163 | .priority = NF_IP6_PRI_SELINUX_FIRST, | 6160 | .priority = NF_IP6_PRI_SELINUX_FIRST, |