Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 10 | ||||
-rw-r--r-- | security/selinux/netlink.c | 17 |
2 files changed, 17 insertions, 10 deletions
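--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5762,21 +5762,21 @@ static struct nf_hook_ops selinux_ipv4_ops[] = {
 {
 .hook = selinux_ipv4_postroute,
 .owner = THIS_MODULE,
-.pf = PF_INET,
+.pf = NFPROTO_IPV4,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP_PRI_SELINUX_LAST,
 },
 {
 .hook = selinux_ipv4_forward,
 .owner = THIS_MODULE,
-.pf = PF_INET,
+.pf = NFPROTO_IPV4,
 .hooknum = NF_INET_FORWARD,
 .priority = NF_IP_PRI_SELINUX_FIRST,
 },
 {
 .hook = selinux_ipv4_output,
 .owner = THIS_MODULE,
-.pf = PF_INET,
+.pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP_PRI_SELINUX_FIRST,
 }
@@ -5788,14 +5788,14 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
 {
 .hook = selinux_ipv6_postroute,
 .owner = THIS_MODULE,
-.pf = PF_INET6,
+.pf = NFPROTO_IPV6,
 .hooknum = NF_INET_POST_ROUTING,
 .priority = NF_IP6_PRI_SELINUX_LAST,
 },
 {
 .hook = selinux_ipv6_forward,
 .owner = THIS_MODULE,
-.pf = PF_INET6,
+.pf = NFPROTO_IPV6,
 .hooknum = NF_INET_FORWARD,
 .priority = NF_IP6_PRI_SELINUX_FIRST,
 }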
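--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -19,6 +19,7 @@
 #include <linux/netlink.h>
 #include <linux/selinux_netlink.h>
 #include <net/net_namespace.h>
+#include <net/netlink.h>
 
 #include "security.h"
 
@@ -47,7 +48,7 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *
 {
 switch (msgtype) {
 case SELNL_MSG_SETENFORCE: {
-struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
+struct selnl_msg_setenforce *msg = nlmsg_data(nlh);
 
 memset(msg, 0, len);
 msg->val = *((int *)data);
@@ -55,7 +56,7 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *
 }
 
 case SELNL_MSG_POLICYLOAD: {
-struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
+struct selnl_msg_policyload *msg = nlmsg_data(nlh);
 
 memset(msg, 0, len);
 msg->seqno = *((u32 *)data);
@@ -81,7 +82,9 @@ static void selnl_notify(int msgtype, void *data)
 goto oom;
 
 tmp = skb->tail;
-nlh = NLMSG_PUT(skb, 0, 0, msgtype, len);
+nlh = nlmsg_put(skb, 0, 0, msgtype, len, 0);
+if (!nlh)
+goto out_kfree_skb;
 selnl_add_payload(nlh, len, msgtype, data);
 nlh->nlmsg_len = skb->tail - tmp;
 NETLINK_CB(skb).dst_group = SELNLGRP_AVC;
@@ -89,7 +92,7 @@ static void selnl_notify(int msgtype, void *data)
 out:
 return;
 
-nlmsg_failure:
+out_kfree_skb:
 kfree_skb(skb);
 oom:
 printk(KERN_ERR "SELinux: OOM in %s\n", __func__);
@@ -108,8 +111,12 @@ void selnl_notify_policyload(u32 seqno)
 
 static int __init selnl_init(void)
 {
+struct netlink_kernel_cfg cfg = {
+.groups = SELNLGRP_MAX,
+};
+
 selnl = netlink_kernel_create(&init_net, NETLINK_SELINUX,
-SELNLGRP_MAX, NULL, NULL, THIS_MODULE);
+THIS_MODULE, &cfg);
 if (selnl == NULL)
 panic("SELinux: Cannot create netlink socket.");
 netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);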
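Review bot: In the selnl_notify() hunk, `tmp = skb->tail;` and `nlh->nlmsg_len = skb->tail - tmp;` are leftovers of the NLMSG_PUT macro era: nlmsg_put() already fills in nlmsg_len from the `len` it was given, and the added `if (!nlh) goto out_kfree_skb;` is the only part of the conversion that was actually needed. The manual recomputation now silently overwrites the value the helper set, and the two agree only because selnl_add_payload() happens to write exactly `len` bytes; if the two ever diverge the header length would no longer match the reserved payload, which is the kind of mismatch a netlink receiver has no way to detect. I would drop `tmp` and the assignment, or replace the assignment with `nlmsg_end(skb, nlh);` if the skb tail is meant to remain authoritative, and note the choice in a one-line comment such as `/* nlmsg_put() sets nlmsg_len; payload is fixed-size per msgtype */`. The body of selnl_notify() starts before and ends after this hunk, so the declaration of `tmp` and the path after `NETLINK_CB(skb).dst_group` are not visible here.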