authorVenkat Yekkirala <vyekkirala@TrustedCS.com>2006-07-25 02:32:50 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-09-22 17:53:29 -0400
commit4237c75c0a35535d7f9f2bfeeb4b4df1e068a0bf (patch)
tree02adcb6fe6c346a8b99cf161ba5233ed1e572727 /include
parentcb969f072b6d67770b559617f14e767f47e77ece (diff)
[MLSXFRM]: Auto-labeling of child sockets
This automatically labels the TCP, Unix stream, and dccp child sockets as well as openreqs to be at the same MLS level as the peer. This will result in the selection of appropriately labeled IPSec Security Associations. This also uses the sock's sid (as opposed to the isec sid) in SELinux enforcement of secmark in rcv_skb and postroute_last hooks. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h55
-rw-r--r--include/net/request_sock.h1
-rw-r--r--include/net/sock.h1
3 files changed, 57 insertions, 0 deletions
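--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -90,6 +90,7 @@ extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 struct nfsctl_arg;
 struct sched_param;
 struct swap_info_struct;
+struct request_sock;
 
 /* bprm_apply_creds unsafe reasons */
 #define LSM_UNSAFE_SHARE 1
@@ -819,6 +820,14 @@ struct swap_info_struct;
  * @sk_getsecid:
  *	Retrieve the LSM-specific secid for the sock to enable caching of network
  *	authorizations.
+ * @sock_graft:
+ *	Sets the socket's isec sid to the sock's sid.
+ * @inet_conn_request:
+ *	Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
+ * @inet_csk_clone:
+ *	Sets the new child socket's sid to the openreq sid.
+ * @req_classify_flow:
+ *	Sets the flow's sid to the openreq sid.
  *
  * Security hooks for XFRM operations.
  *
@@ -1358,6 +1367,11 @@ struct security_operations {
 	void (*sk_free_security) (struct sock *sk);
 	void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
 	void (*sk_getsecid) (struct sock *sk, u32 *secid);
+	void (*sock_graft)(struct sock* sk, struct socket *parent);
+	int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
+				 struct request_sock *req);
+	void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
+	void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2926,6 +2940,28 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
 	security_ops->sk_getsecid(sk, &fl->secid);
 }
+
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+	security_ops->req_classify_flow(req, fl);
+}
+
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+	security_ops->sock_graft(sk, parent);
+}
+
+static inline int security_inet_conn_request(struct sock *sk,
+			struct sk_buff *skb, struct request_sock *req)
+{
+	return security_ops->inet_conn_request(sk, skb, req);
+}
+
+static inline void security_inet_csk_clone(struct sock *newsk,
+			const struct request_sock *req)
+{
+	security_ops->inet_csk_clone(newsk, req);
+}
 #else	/* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket * sock,
 					       struct socket * other,
@@ -3055,6 +3091,25 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
 static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
 }
+
+static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+{
+}
+
+static inline void security_sock_graft(struct sock* sk, struct socket *parent)
+{
+}
+
+static inline int security_inet_conn_request(struct sock *sk,
+			struct sk_buff *skb, struct request_sock *req)
+{
+	return 0;
+}
+
+static inline void security_inet_csk_clone(struct sock *newsk,
+			const struct request_sock *req)
+{
+}
 #endif	/* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM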
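Review bot: The `@inet_conn_request` entry in the hook documentation (second hunk) gives no return contract, yet it is the only one of the four new hooks declared to return an int, and `security_inet_conn_request()` in the fourth hunk passes that value straight back to its caller. The `CONFIG_SECURITY_NETWORK=n` stub returns 0, so 0 is evidently success; I would add after the existing description line ` *	Return 0 on success or a negative error code.` — what the caller does with a non-zero value is not visible in this header, so that should be confirmed against the LSM implementation. Please also record in the `@sock_graft` entry that the hook is invoked with the caller's `sk_callback_lock` write-held and BHs disabled (see the `sock_graft()` change in include/net/sock.h in this commit), so implementations must not sleep. Separately, the three `struct sock* sk` spellings (the `sock_graft` member and both `security_sock_graft` inlines) bind the `*` to the type unlike every other declaration in this header; `struct sock *sk` would match.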
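--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -53,6 +53,7 @@ struct request_sock {
 	unsigned long expires;
 	struct request_sock_ops *rsk_ops;
 	struct sock *sk;
+	u32 secid;
 };
 
 static inline struct request_sock *reqsk_alloc(struct request_sock_ops *ops)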
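Review bot: The new `secid` member is undocumented and its initialisation is left entirely to the LSM: `security_inet_conn_request()` fills it only when CONFIG_SECURITY_NETWORK is set and an LSM implements the hook, while `reqsk_alloc()` (whose body is below the hunk) is not touched here, so whether the field starts zeroed depends on that allocator. A one-line comment would capture the ownership, e.g. `u32 secid; /* LSM secid of the request; set by security_inet_conn_request() */`. If `reqsk_alloc()` does not zero the object, consider initialising `secid` to 0 there so a non-labeling or absent LSM never leaves it indeterminate for later readers such as `req_classify_flow`.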
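--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -969,6 +969,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
 	sk->sk_sleep = &parent->wait;
 	parent->sk = sk;
 	sk->sk_socket = parent;
+	security_sock_graft(sk, parent);
 	write_unlock_bh(&sk->sk_callback_lock);
 }
 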
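Review bot: `security_sock_graft()` is now invoked inside the `sk_callback_lock` critical section — the `write_unlock_bh()` follows on the next line and the matching lock is above the hunk — so every LSM `sock_graft` implementation runs with a write lock held and BHs disabled and must not sleep or allocate with GFP_KERNEL; that constraint is not recorded anywhere and belongs in the `@sock_graft` hook documentation in include/linux/security.h. If the hook only needs the final `sk`/`parent` binding, placing the call after `write_unlock_bh()` would relax the requirement, but I cannot tell from this hunk whether the graft and the hook must be atomic with respect to `sk_callback_lock` readers. This also makes sock.h depend on `security_sock_graft()` from linux/security.h for both CONFIG_SECURITY_NETWORK settings; the include is outside the hunk, so please confirm it is already pulled in.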