aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/ss/services.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/ss/services.c')
-rw-r--r--security/selinux/ss/services.c45
1 files changed, 43 insertions, 2 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 910afa1ffc3..835b485b2af 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2423,6 +2423,45 @@ netlbl_socket_setsid_return:
2423} 2423}
2424 2424
2425/** 2425/**
2426 * selinux_netlbl_sk_security_init - Setup the NetLabel fields
2427 * @ssec: the sk_security_struct
2428 * @family: the socket family
2429 *
2430 * Description:
2431 * Called when a new sk_security_struct is allocated to initialize the NetLabel
2432 * fields.
2433 *
2434 */
2435void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
2436 int family)
2437{
2438 if (family == PF_INET)
2439 ssec->nlbl_state = NLBL_REQUIRE;
2440 else
2441 ssec->nlbl_state = NLBL_UNSET;
2442}
2443
2444/**
2445 * selinux_netlbl_sk_clone_security - Copy the NetLabel fields
2446 * @ssec: the original sk_security_struct
2447 * @newssec: the cloned sk_security_struct
2448 *
2449 * Description:
2450 * Clone the NetLabel specific sk_security_struct fields from @ssec to
2451 * @newssec.
2452 *
2453 */
2454void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
2455 struct sk_security_struct *newssec)
2456{
2457 newssec->sclass = ssec->sclass;
2458 if (ssec->nlbl_state != NLBL_UNSET)
2459 newssec->nlbl_state = NLBL_REQUIRE;
2460 else
2461 newssec->nlbl_state = NLBL_UNSET;
2462}
2463
2464/**
2426 * selinux_netlbl_socket_post_create - Label a socket using NetLabel 2465 * selinux_netlbl_socket_post_create - Label a socket using NetLabel
2427 * @sock: the socket to label 2466 * @sock: the socket to label
2428 * @sock_family: the socket family 2467 * @sock_family: the socket family
@@ -2440,10 +2479,11 @@ int selinux_netlbl_socket_post_create(struct socket *sock,
2440 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2479 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2441 struct sk_security_struct *sksec = sock->sk->sk_security; 2480 struct sk_security_struct *sksec = sock->sk->sk_security;
2442 2481
2482 sksec->sclass = isec->sclass;
2483
2443 if (sock_family != PF_INET) 2484 if (sock_family != PF_INET)
2444 return 0; 2485 return 0;
2445 2486
2446 sksec->sclass = isec->sclass;
2447 sksec->nlbl_state = NLBL_REQUIRE; 2487 sksec->nlbl_state = NLBL_REQUIRE;
2448 return selinux_netlbl_socket_setsid(sock, sid); 2488 return selinux_netlbl_socket_setsid(sock, sid);
2449} 2489}
@@ -2463,12 +2503,13 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
2463 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2503 struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
2464 struct sk_security_struct *sksec = sk->sk_security; 2504 struct sk_security_struct *sksec = sk->sk_security;
2465 2505
2506 sksec->sclass = isec->sclass;
2507
2466 if (sk->sk_family != PF_INET) 2508 if (sk->sk_family != PF_INET)
2467 return; 2509 return;
2468 2510
2469 sksec->nlbl_state = NLBL_REQUIRE; 2511 sksec->nlbl_state = NLBL_REQUIRE;
2470 sksec->peer_sid = sksec->sid; 2512 sksec->peer_sid = sksec->sid;
2471 sksec->sclass = isec->sclass;
2472 2513
2473 /* Try to set the NetLabel on the socket to save time later, if we fail 2514 /* Try to set the NetLabel on the socket to save time later, if we fail
2474 * here we will pick up the pieces in later calls to 2515 * here we will pick up the pieces in later calls to