diff options
| author | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-06-08 21:15:49 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-06-08 21:15:49 -0400 |
| commit | 81d84a94be8085475c3585596e52b06ccbedd922 (patch) | |
| tree | 3cfe28d60a3e7fdae5c0b4e5a52792f3cc79a4bc | |
| parent | 7ac7834765e1c888ab06f677d906179858627f26 (diff) | |
| parent | 50e5d35ce2c4190cead13a091ea1ceab47d29cc2 (diff) | |
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[CIPSO]: Fix several unaligned kernel accesses in the CIPSO engine.
[NetLabel]: consolidate the struct socket/sock handling to just struct sock
[IPV4]: Do not remove idev when addresses are cleared
| -rw-r--r-- | include/net/cipso_ipv4.h | 20 | ||||
| -rw-r--r-- | include/net/netlabel.h | 14 | ||||
| -rw-r--r-- | net/ipv4/cipso_ipv4.c | 64 | ||||
| -rw-r--r-- | net/ipv4/devinet.c | 6 | ||||
| -rw-r--r-- | net/netlabel/netlabel_kapi.c | 43 | ||||
| -rw-r--r-- | security/selinux/netlabel.c | 36 |
6 files changed, 61 insertions, 122 deletions
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h index 4f90f5554fac..a6bb94530cfd 100644 --- a/include/net/cipso_ipv4.h +++ b/include/net/cipso_ipv4.h | |||
| @@ -203,12 +203,10 @@ static inline int cipso_v4_cache_add(const struct sk_buff *skb, | |||
| 203 | 203 | ||
| 204 | #ifdef CONFIG_NETLABEL | 204 | #ifdef CONFIG_NETLABEL |
| 205 | void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway); | 205 | void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway); |
| 206 | int cipso_v4_socket_setattr(const struct socket *sock, | 206 | int cipso_v4_sock_setattr(struct sock *sk, |
| 207 | const struct cipso_v4_doi *doi_def, | 207 | const struct cipso_v4_doi *doi_def, |
| 208 | const struct netlbl_lsm_secattr *secattr); | 208 | const struct netlbl_lsm_secattr *secattr); |
| 209 | int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr); | 209 | int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr); |
| 210 | int cipso_v4_socket_getattr(const struct socket *sock, | ||
| 211 | struct netlbl_lsm_secattr *secattr); | ||
| 212 | int cipso_v4_skbuff_getattr(const struct sk_buff *skb, | 210 | int cipso_v4_skbuff_getattr(const struct sk_buff *skb, |
| 213 | struct netlbl_lsm_secattr *secattr); | 211 | struct netlbl_lsm_secattr *secattr); |
| 214 | int cipso_v4_validate(unsigned char **option); | 212 | int cipso_v4_validate(unsigned char **option); |
| @@ -220,9 +218,9 @@ static inline void cipso_v4_error(struct sk_buff *skb, | |||
| 220 | return; | 218 | return; |
| 221 | } | 219 | } |
| 222 | 220 | ||
| 223 | static inline int cipso_v4_socket_setattr(const struct socket *sock, | 221 | static inline int cipso_v4_sock_setattr(struct sock *sk, |
| 224 | const struct cipso_v4_doi *doi_def, | 222 | const struct cipso_v4_doi *doi_def, |
| 225 | const struct netlbl_lsm_secattr *secattr) | 223 | const struct netlbl_lsm_secattr *secattr) |
| 226 | { | 224 | { |
| 227 | return -ENOSYS; | 225 | return -ENOSYS; |
| 228 | } | 226 | } |
| @@ -233,12 +231,6 @@ static inline int cipso_v4_sock_getattr(struct sock *sk, | |||
| 233 | return -ENOSYS; | 231 | return -ENOSYS; |
| 234 | } | 232 | } |
| 235 | 233 | ||
| 236 | static inline int cipso_v4_socket_getattr(const struct socket *sock, | ||
| 237 | struct netlbl_lsm_secattr *secattr) | ||
| 238 | { | ||
| 239 | return -ENOSYS; | ||
| 240 | } | ||
| 241 | |||
| 242 | static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, | 234 | static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, |
| 243 | struct netlbl_lsm_secattr *secattr) | 235 | struct netlbl_lsm_secattr *secattr) |
| 244 | { | 236 | { |
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 83da7e1f0d3d..9b7d6f2ac9a3 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h | |||
| @@ -332,17 +332,15 @@ static inline int netlbl_secattr_catmap_setrng( | |||
| 332 | */ | 332 | */ |
| 333 | 333 | ||
| 334 | #ifdef CONFIG_NETLABEL | 334 | #ifdef CONFIG_NETLABEL |
| 335 | int netlbl_socket_setattr(const struct socket *sock, | 335 | int netlbl_sock_setattr(struct sock *sk, |
| 336 | const struct netlbl_lsm_secattr *secattr); | 336 | const struct netlbl_lsm_secattr *secattr); |
| 337 | int netlbl_sock_getattr(struct sock *sk, | 337 | int netlbl_sock_getattr(struct sock *sk, |
| 338 | struct netlbl_lsm_secattr *secattr); | 338 | struct netlbl_lsm_secattr *secattr); |
| 339 | int netlbl_socket_getattr(const struct socket *sock, | ||
| 340 | struct netlbl_lsm_secattr *secattr); | ||
| 341 | int netlbl_skbuff_getattr(const struct sk_buff *skb, | 339 | int netlbl_skbuff_getattr(const struct sk_buff *skb, |
| 342 | struct netlbl_lsm_secattr *secattr); | 340 | struct netlbl_lsm_secattr *secattr); |
| 343 | void netlbl_skbuff_err(struct sk_buff *skb, int error); | 341 | void netlbl_skbuff_err(struct sk_buff *skb, int error); |
| 344 | #else | 342 | #else |
| 345 | static inline int netlbl_socket_setattr(const struct socket *sock, | 343 | static inline int netlbl_sock_setattr(struct sock *sk, |
| 346 | const struct netlbl_lsm_secattr *secattr) | 344 | const struct netlbl_lsm_secattr *secattr) |
| 347 | { | 345 | { |
| 348 | return -ENOSYS; | 346 | return -ENOSYS; |
| @@ -354,12 +352,6 @@ static inline int netlbl_sock_getattr(struct sock *sk, | |||
| 354 | return -ENOSYS; | 352 | return -ENOSYS; |
| 355 | } | 353 | } |
| 356 | 354 | ||
| 357 | static inline int netlbl_socket_getattr(const struct socket *sock, | ||
| 358 | struct netlbl_lsm_secattr *secattr) | ||
| 359 | { | ||
| 360 | return -ENOSYS; | ||
| 361 | } | ||
| 362 | |||
| 363 | static inline int netlbl_skbuff_getattr(const struct sk_buff *skb, | 355 | static inline int netlbl_skbuff_getattr(const struct sk_buff *skb, |
| 364 | struct netlbl_lsm_secattr *secattr) | 356 | struct netlbl_lsm_secattr *secattr) |
| 365 | { | 357 | { |
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 86a2b52aad38..ab56a052ce31 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c | |||
| @@ -45,6 +45,7 @@ | |||
| 45 | #include <net/cipso_ipv4.h> | 45 | #include <net/cipso_ipv4.h> |
| 46 | #include <asm/atomic.h> | 46 | #include <asm/atomic.h> |
| 47 | #include <asm/bug.h> | 47 | #include <asm/bug.h> |
| 48 | #include <asm/unaligned.h> | ||
| 48 | 49 | ||
| 49 | struct cipso_v4_domhsh_entry { | 50 | struct cipso_v4_domhsh_entry { |
| 50 | char *domain; | 51 | char *domain; |
| @@ -1000,7 +1001,7 @@ static int cipso_v4_map_cat_enum_valid(const struct cipso_v4_doi *doi_def, | |||
| 1000 | return -EFAULT; | 1001 | return -EFAULT; |
| 1001 | 1002 | ||
| 1002 | for (iter = 0; iter < enumcat_len; iter += 2) { | 1003 | for (iter = 0; iter < enumcat_len; iter += 2) { |
| 1003 | cat = ntohs(*((__be16 *)&enumcat[iter])); | 1004 | cat = ntohs(get_unaligned((__be16 *)&enumcat[iter])); |
| 1004 | if (cat <= cat_prev) | 1005 | if (cat <= cat_prev) |
| 1005 | return -EFAULT; | 1006 | return -EFAULT; |
| 1006 | cat_prev = cat; | 1007 | cat_prev = cat; |
| @@ -1068,8 +1069,8 @@ static int cipso_v4_map_cat_enum_ntoh(const struct cipso_v4_doi *doi_def, | |||
| 1068 | 1069 | ||
| 1069 | for (iter = 0; iter < net_cat_len; iter += 2) { | 1070 | for (iter = 0; iter < net_cat_len; iter += 2) { |
| 1070 | ret_val = netlbl_secattr_catmap_setbit(secattr->mls_cat, | 1071 | ret_val = netlbl_secattr_catmap_setbit(secattr->mls_cat, |
| 1071 | ntohs(*((__be16 *)&net_cat[iter])), | 1072 | ntohs(get_unaligned((__be16 *)&net_cat[iter])), |
| 1072 | GFP_ATOMIC); | 1073 | GFP_ATOMIC); |
| 1073 | if (ret_val != 0) | 1074 | if (ret_val != 0) |
| 1074 | return ret_val; | 1075 | return ret_val; |
| 1075 | } | 1076 | } |
| @@ -1102,9 +1103,10 @@ static int cipso_v4_map_cat_rng_valid(const struct cipso_v4_doi *doi_def, | |||
| 1102 | return -EFAULT; | 1103 | return -EFAULT; |
| 1103 | 1104 | ||
| 1104 | for (iter = 0; iter < rngcat_len; iter += 4) { | 1105 | for (iter = 0; iter < rngcat_len; iter += 4) { |
| 1105 | cat_high = ntohs(*((__be16 *)&rngcat[iter])); | 1106 | cat_high = ntohs(get_unaligned((__be16 *)&rngcat[iter])); |
| 1106 | if ((iter + 4) <= rngcat_len) | 1107 | if ((iter + 4) <= rngcat_len) |
| 1107 | cat_low = ntohs(*((__be16 *)&rngcat[iter + 2])); | 1108 | cat_low = ntohs( |
| 1109 | get_unaligned((__be16 *)&rngcat[iter + 2])); | ||
| 1108 | else | 1110 | else |
| 1109 | cat_low = 0; | 1111 | cat_low = 0; |
| 1110 | 1112 | ||
| @@ -1201,9 +1203,10 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def, | |||
| 1201 | u16 cat_high; | 1203 | u16 cat_high; |
| 1202 | 1204 | ||
| 1203 | for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) { | 1205 | for (net_iter = 0; net_iter < net_cat_len; net_iter += 4) { |
| 1204 | cat_high = ntohs(*((__be16 *)&net_cat[net_iter])); | 1206 | cat_high = ntohs(get_unaligned((__be16 *)&net_cat[net_iter])); |
| 1205 | if ((net_iter + 4) <= net_cat_len) | 1207 | if ((net_iter + 4) <= net_cat_len) |
| 1206 | cat_low = ntohs(*((__be16 *)&net_cat[net_iter + 2])); | 1208 | cat_low = ntohs( |
| 1209 | get_unaligned((__be16 *)&net_cat[net_iter + 2])); | ||
| 1207 | else | 1210 | else |
| 1208 | cat_low = 0; | 1211 | cat_low = 0; |
| 1209 | 1212 | ||
| @@ -1565,7 +1568,7 @@ int cipso_v4_validate(unsigned char **option) | |||
| 1565 | } | 1568 | } |
| 1566 | 1569 | ||
| 1567 | rcu_read_lock(); | 1570 | rcu_read_lock(); |
| 1568 | doi_def = cipso_v4_doi_search(ntohl(*((__be32 *)&opt[2]))); | 1571 | doi_def = cipso_v4_doi_search(ntohl(get_unaligned((__be32 *)&opt[2]))); |
| 1569 | if (doi_def == NULL) { | 1572 | if (doi_def == NULL) { |
| 1570 | err_offset = 2; | 1573 | err_offset = 2; |
| 1571 | goto validate_return_locked; | 1574 | goto validate_return_locked; |
| @@ -1709,22 +1712,22 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway) | |||
| 1709 | } | 1712 | } |
| 1710 | 1713 | ||
| 1711 | /** | 1714 | /** |
| 1712 | * cipso_v4_socket_setattr - Add a CIPSO option to a socket | 1715 | * cipso_v4_sock_setattr - Add a CIPSO option to a socket |
| 1713 | * @sock: the socket | 1716 | * @sk: the socket |
| 1714 | * @doi_def: the CIPSO DOI to use | 1717 | * @doi_def: the CIPSO DOI to use |
| 1715 | * @secattr: the specific security attributes of the socket | 1718 | * @secattr: the specific security attributes of the socket |
| 1716 | * | 1719 | * |
| 1717 | * Description: | 1720 | * Description: |
| 1718 | * Set the CIPSO option on the given socket using the DOI definition and | 1721 | * Set the CIPSO option on the given socket using the DOI definition and |
| 1719 | * security attributes passed to the function. This function requires | 1722 | * security attributes passed to the function. This function requires |
| 1720 | * exclusive access to @sock->sk, which means it either needs to be in the | 1723 | * exclusive access to @sk, which means it either needs to be in the |
| 1721 | * process of being created or locked via lock_sock(sock->sk). Returns zero on | 1724 | * process of being created or locked. Returns zero on success and negative |
| 1722 | * success and negative values on failure. | 1725 | * values on failure. |
| 1723 | * | 1726 | * |
| 1724 | */ | 1727 | */ |
| 1725 | int cipso_v4_socket_setattr(const struct socket *sock, | 1728 | int cipso_v4_sock_setattr(struct sock *sk, |
| 1726 | const struct cipso_v4_doi *doi_def, | 1729 | const struct cipso_v4_doi *doi_def, |
| 1727 | const struct netlbl_lsm_secattr *secattr) | 1730 | const struct netlbl_lsm_secattr *secattr) |
| 1728 | { | 1731 | { |
| 1729 | int ret_val = -EPERM; | 1732 | int ret_val = -EPERM; |
| 1730 | u32 iter; | 1733 | u32 iter; |
| @@ -1732,7 +1735,6 @@ int cipso_v4_socket_setattr(const struct socket *sock, | |||
| 1732 | u32 buf_len = 0; | 1735 | u32 buf_len = 0; |
| 1733 | u32 opt_len; | 1736 | u32 opt_len; |
| 1734 | struct ip_options *opt = NULL; | 1737 | struct ip_options *opt = NULL; |
| 1735 | struct sock *sk; | ||
| 1736 | struct inet_sock *sk_inet; | 1738 | struct inet_sock *sk_inet; |
| 1737 | struct inet_connection_sock *sk_conn; | 1739 | struct inet_connection_sock *sk_conn; |
| 1738 | 1740 | ||
| @@ -1740,7 +1742,6 @@ int cipso_v4_socket_setattr(const struct socket *sock, | |||
| 1740 | * defined yet but it is not a problem as the only users of these | 1742 | * defined yet but it is not a problem as the only users of these |
| 1741 | * "lite" PF_INET sockets are functions which do an accept() call | 1743 | * "lite" PF_INET sockets are functions which do an accept() call |
| 1742 | * afterwards so we will label the socket as part of the accept(). */ | 1744 | * afterwards so we will label the socket as part of the accept(). */ |
| 1743 | sk = sock->sk; | ||
| 1744 | if (sk == NULL) | 1745 | if (sk == NULL) |
| 1745 | return 0; | 1746 | return 0; |
| 1746 | 1747 | ||
| @@ -1858,7 +1859,7 @@ int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) | |||
| 1858 | if (ret_val == 0) | 1859 | if (ret_val == 0) |
| 1859 | return ret_val; | 1860 | return ret_val; |
| 1860 | 1861 | ||
| 1861 | doi = ntohl(*(__be32 *)&cipso_ptr[2]); | 1862 | doi = ntohl(get_unaligned((__be32 *)&cipso_ptr[2])); |
| 1862 | rcu_read_lock(); | 1863 | rcu_read_lock(); |
| 1863 | doi_def = cipso_v4_doi_search(doi); | 1864 | doi_def = cipso_v4_doi_search(doi); |
| 1864 | if (doi_def == NULL) { | 1865 | if (doi_def == NULL) { |
| @@ -1892,29 +1893,6 @@ int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) | |||
| 1892 | } | 1893 | } |
| 1893 | 1894 | ||
| 1894 | /** | 1895 | /** |
| 1895 | * cipso_v4_socket_getattr - Get the security attributes from a socket | ||
| 1896 | * @sock: the socket | ||
| 1897 | * @secattr: the security attributes | ||
| 1898 | * | ||
| 1899 | * Description: | ||
| 1900 | * Query @sock to see if there is a CIPSO option attached to the socket and if | ||
| 1901 | * there is return the CIPSO security attributes in @secattr. Returns zero on | ||
| 1902 | * success and negative values on failure. | ||
| 1903 | * | ||
| 1904 | */ | ||
| 1905 | int cipso_v4_socket_getattr(const struct socket *sock, | ||
| 1906 | struct netlbl_lsm_secattr *secattr) | ||
| 1907 | { | ||
| 1908 | int ret_val; | ||
| 1909 | |||
| 1910 | lock_sock(sock->sk); | ||
| 1911 | ret_val = cipso_v4_sock_getattr(sock->sk, secattr); | ||
| 1912 | release_sock(sock->sk); | ||
| 1913 | |||
| 1914 | return ret_val; | ||
| 1915 | } | ||
| 1916 | |||
| 1917 | /** | ||
| 1918 | * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option | 1896 | * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option |
| 1919 | * @skb: the packet | 1897 | * @skb: the packet |
| 1920 | * @secattr: the security attributes | 1898 | * @secattr: the security attributes |
| @@ -1936,7 +1914,7 @@ int cipso_v4_skbuff_getattr(const struct sk_buff *skb, | |||
| 1936 | if (cipso_v4_cache_check(cipso_ptr, cipso_ptr[1], secattr) == 0) | 1914 | if (cipso_v4_cache_check(cipso_ptr, cipso_ptr[1], secattr) == 0) |
| 1937 | return 0; | 1915 | return 0; |
| 1938 | 1916 | ||
| 1939 | doi = ntohl(*(__be32 *)&cipso_ptr[2]); | 1917 | doi = ntohl(get_unaligned((__be32 *)&cipso_ptr[2])); |
| 1940 | rcu_read_lock(); | 1918 | rcu_read_lock(); |
| 1941 | doi_def = cipso_v4_doi_search(doi); | 1919 | doi_def = cipso_v4_doi_search(doi); |
| 1942 | if (doi_def == NULL) | 1920 | if (doi_def == NULL) |
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c index fa97b96a3d89..abf6352f990f 100644 --- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c | |||
| @@ -327,12 +327,8 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, | |||
| 327 | } | 327 | } |
| 328 | 328 | ||
| 329 | } | 329 | } |
| 330 | if (destroy) { | 330 | if (destroy) |
| 331 | inet_free_ifa(ifa1); | 331 | inet_free_ifa(ifa1); |
| 332 | |||
| 333 | if (!in_dev->ifa_list) | ||
| 334 | inetdev_destroy(in_dev); | ||
| 335 | } | ||
| 336 | } | 332 | } |
| 337 | 333 | ||
| 338 | static void inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, | 334 | static void inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap, |
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index f2535e7f2869..b165712aaa70 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c | |||
| @@ -246,19 +246,18 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap, | |||
| 246 | 246 | ||
| 247 | /** | 247 | /** |
| 248 | * netlbl_socket_setattr - Label a socket using the correct protocol | 248 | * netlbl_socket_setattr - Label a socket using the correct protocol |
| 249 | * @sock: the socket to label | 249 | * @sk: the socket to label |
| 250 | * @secattr: the security attributes | 250 | * @secattr: the security attributes |
| 251 | * | 251 | * |
| 252 | * Description: | 252 | * Description: |
| 253 | * Attach the correct label to the given socket using the security attributes | 253 | * Attach the correct label to the given socket using the security attributes |
| 254 | * specified in @secattr. This function requires exclusive access to | 254 | * specified in @secattr. This function requires exclusive access to @sk, |
| 255 | * @sock->sk, which means it either needs to be in the process of being | 255 | * which means it either needs to be in the process of being created or locked. |
| 256 | * created or locked via lock_sock(sock->sk). Returns zero on success, | 256 | * Returns zero on success, negative values on failure. |
| 257 | * negative values on failure. | ||
| 258 | * | 257 | * |
| 259 | */ | 258 | */ |
| 260 | int netlbl_socket_setattr(const struct socket *sock, | 259 | int netlbl_sock_setattr(struct sock *sk, |
| 261 | const struct netlbl_lsm_secattr *secattr) | 260 | const struct netlbl_lsm_secattr *secattr) |
| 262 | { | 261 | { |
| 263 | int ret_val = -ENOENT; | 262 | int ret_val = -ENOENT; |
| 264 | struct netlbl_dom_map *dom_entry; | 263 | struct netlbl_dom_map *dom_entry; |
| @@ -269,9 +268,9 @@ int netlbl_socket_setattr(const struct socket *sock, | |||
| 269 | goto socket_setattr_return; | 268 | goto socket_setattr_return; |
| 270 | switch (dom_entry->type) { | 269 | switch (dom_entry->type) { |
| 271 | case NETLBL_NLTYPE_CIPSOV4: | 270 | case NETLBL_NLTYPE_CIPSOV4: |
| 272 | ret_val = cipso_v4_socket_setattr(sock, | 271 | ret_val = cipso_v4_sock_setattr(sk, |
| 273 | dom_entry->type_def.cipsov4, | 272 | dom_entry->type_def.cipsov4, |
| 274 | secattr); | 273 | secattr); |
| 275 | break; | 274 | break; |
| 276 | case NETLBL_NLTYPE_UNLABELED: | 275 | case NETLBL_NLTYPE_UNLABELED: |
| 277 | ret_val = 0; | 276 | ret_val = 0; |
| @@ -309,30 +308,6 @@ int netlbl_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr) | |||
| 309 | } | 308 | } |
| 310 | 309 | ||
| 311 | /** | 310 | /** |
| 312 | * netlbl_socket_getattr - Determine the security attributes of a socket | ||
| 313 | * @sock: the socket | ||
| 314 | * @secattr: the security attributes | ||
| 315 | * | ||
| 316 | * Description: | ||
| 317 | * Examines the given socket to see any NetLabel style labeling has been | ||
| 318 | * applied to the socket, if so it parses the socket label and returns the | ||
| 319 | * security attributes in @secattr. Returns zero on success, negative values | ||
| 320 | * on failure. | ||
| 321 | * | ||
| 322 | */ | ||
| 323 | int netlbl_socket_getattr(const struct socket *sock, | ||
| 324 | struct netlbl_lsm_secattr *secattr) | ||
| 325 | { | ||
| 326 | int ret_val; | ||
| 327 | |||
| 328 | ret_val = cipso_v4_socket_getattr(sock, secattr); | ||
| 329 | if (ret_val == 0) | ||
| 330 | return 0; | ||
| 331 | |||
| 332 | return netlbl_unlabel_getattr(secattr); | ||
| 333 | } | ||
| 334 | |||
| 335 | /** | ||
| 336 | * netlbl_skbuff_getattr - Determine the security attributes of a packet | 311 | * netlbl_skbuff_getattr - Determine the security attributes of a packet |
| 337 | * @skb: the packet | 312 | * @skb: the packet |
| 338 | * @secattr: the security attributes | 313 | * @secattr: the security attributes |
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index bf8750791dd1..e64eca246f1a 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c | |||
| @@ -36,8 +36,8 @@ | |||
| 36 | #include "security.h" | 36 | #include "security.h" |
| 37 | 37 | ||
| 38 | /** | 38 | /** |
| 39 | * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism | 39 | * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism |
| 40 | * @sock: the socket to label | 40 | * @sk: the socket to label |
| 41 | * @sid: the SID to use | 41 | * @sid: the SID to use |
| 42 | * | 42 | * |
| 43 | * Description: | 43 | * Description: |
| @@ -47,17 +47,17 @@ | |||
| 47 | * this function and rcu_read_unlock() after this function returns. | 47 | * this function and rcu_read_unlock() after this function returns. |
| 48 | * | 48 | * |
| 49 | */ | 49 | */ |
| 50 | static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) | 50 | static int selinux_netlbl_sock_setsid(struct sock *sk, u32 sid) |
| 51 | { | 51 | { |
| 52 | int rc; | 52 | int rc; |
| 53 | struct sk_security_struct *sksec = sock->sk->sk_security; | 53 | struct sk_security_struct *sksec = sk->sk_security; |
| 54 | struct netlbl_lsm_secattr secattr; | 54 | struct netlbl_lsm_secattr secattr; |
| 55 | 55 | ||
| 56 | rc = security_netlbl_sid_to_secattr(sid, &secattr); | 56 | rc = security_netlbl_sid_to_secattr(sid, &secattr); |
| 57 | if (rc != 0) | 57 | if (rc != 0) |
| 58 | return rc; | 58 | return rc; |
| 59 | 59 | ||
| 60 | rc = netlbl_socket_setattr(sock, &secattr); | 60 | rc = netlbl_sock_setattr(sk, &secattr); |
| 61 | if (rc == 0) { | 61 | if (rc == 0) { |
| 62 | spin_lock_bh(&sksec->nlbl_lock); | 62 | spin_lock_bh(&sksec->nlbl_lock); |
| 63 | sksec->nlbl_state = NLBL_LABELED; | 63 | sksec->nlbl_state = NLBL_LABELED; |
| @@ -206,7 +206,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |||
| 206 | /* Try to set the NetLabel on the socket to save time later, if we fail | 206 | /* Try to set the NetLabel on the socket to save time later, if we fail |
| 207 | * here we will pick up the pieces in later calls to | 207 | * here we will pick up the pieces in later calls to |
| 208 | * selinux_netlbl_inode_permission(). */ | 208 | * selinux_netlbl_inode_permission(). */ |
| 209 | selinux_netlbl_socket_setsid(sock, sksec->sid); | 209 | selinux_netlbl_sock_setsid(sk, sksec->sid); |
| 210 | 210 | ||
| 211 | rcu_read_unlock(); | 211 | rcu_read_unlock(); |
| 212 | } | 212 | } |
| @@ -223,14 +223,15 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) | |||
| 223 | int selinux_netlbl_socket_post_create(struct socket *sock) | 223 | int selinux_netlbl_socket_post_create(struct socket *sock) |
| 224 | { | 224 | { |
| 225 | int rc = 0; | 225 | int rc = 0; |
| 226 | struct sock *sk = sock->sk; | ||
| 226 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; | 227 | struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; |
| 227 | struct sk_security_struct *sksec = sock->sk->sk_security; | 228 | struct sk_security_struct *sksec = sk->sk_security; |
| 228 | 229 | ||
| 229 | sksec->sclass = isec->sclass; | 230 | sksec->sclass = isec->sclass; |
| 230 | 231 | ||
| 231 | rcu_read_lock(); | 232 | rcu_read_lock(); |
| 232 | if (sksec->nlbl_state == NLBL_REQUIRE) | 233 | if (sksec->nlbl_state == NLBL_REQUIRE) |
| 233 | rc = selinux_netlbl_socket_setsid(sock, sksec->sid); | 234 | rc = selinux_netlbl_sock_setsid(sk, sksec->sid); |
| 234 | rcu_read_unlock(); | 235 | rcu_read_unlock(); |
| 235 | 236 | ||
| 236 | return rc; | 237 | return rc; |
| @@ -251,14 +252,16 @@ int selinux_netlbl_socket_post_create(struct socket *sock) | |||
| 251 | int selinux_netlbl_inode_permission(struct inode *inode, int mask) | 252 | int selinux_netlbl_inode_permission(struct inode *inode, int mask) |
| 252 | { | 253 | { |
| 253 | int rc; | 254 | int rc; |
| 254 | struct sk_security_struct *sksec; | 255 | struct sock *sk; |
| 255 | struct socket *sock; | 256 | struct socket *sock; |
| 257 | struct sk_security_struct *sksec; | ||
| 256 | 258 | ||
| 257 | if (!S_ISSOCK(inode->i_mode) || | 259 | if (!S_ISSOCK(inode->i_mode) || |
| 258 | ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) | 260 | ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) |
| 259 | return 0; | 261 | return 0; |
| 260 | sock = SOCKET_I(inode); | 262 | sock = SOCKET_I(inode); |
| 261 | sksec = sock->sk->sk_security; | 263 | sk = sock->sk; |
| 264 | sksec = sk->sk_security; | ||
| 262 | 265 | ||
| 263 | rcu_read_lock(); | 266 | rcu_read_lock(); |
| 264 | if (sksec->nlbl_state != NLBL_REQUIRE) { | 267 | if (sksec->nlbl_state != NLBL_REQUIRE) { |
| @@ -266,9 +269,9 @@ int selinux_netlbl_inode_permission(struct inode *inode, int mask) | |||
| 266 | return 0; | 269 | return 0; |
| 267 | } | 270 | } |
| 268 | local_bh_disable(); | 271 | local_bh_disable(); |
| 269 | bh_lock_sock_nested(sock->sk); | 272 | bh_lock_sock_nested(sk); |
| 270 | rc = selinux_netlbl_socket_setsid(sock, sksec->sid); | 273 | rc = selinux_netlbl_sock_setsid(sk, sksec->sid); |
| 271 | bh_unlock_sock(sock->sk); | 274 | bh_unlock_sock(sk); |
| 272 | local_bh_enable(); | 275 | local_bh_enable(); |
| 273 | rcu_read_unlock(); | 276 | rcu_read_unlock(); |
| 274 | 277 | ||
| @@ -345,14 +348,17 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, | |||
| 345 | int optname) | 348 | int optname) |
| 346 | { | 349 | { |
| 347 | int rc = 0; | 350 | int rc = 0; |
| 348 | struct sk_security_struct *sksec = sock->sk->sk_security; | 351 | struct sock *sk = sock->sk; |
| 352 | struct sk_security_struct *sksec = sk->sk_security; | ||
| 349 | struct netlbl_lsm_secattr secattr; | 353 | struct netlbl_lsm_secattr secattr; |
| 350 | 354 | ||
| 351 | rcu_read_lock(); | 355 | rcu_read_lock(); |
| 352 | if (level == IPPROTO_IP && optname == IP_OPTIONS && | 356 | if (level == IPPROTO_IP && optname == IP_OPTIONS && |
| 353 | sksec->nlbl_state == NLBL_LABELED) { | 357 | sksec->nlbl_state == NLBL_LABELED) { |
| 354 | netlbl_secattr_init(&secattr); | 358 | netlbl_secattr_init(&secattr); |
| 355 | rc = netlbl_socket_getattr(sock, &secattr); | 359 | lock_sock(sk); |
| 360 | rc = netlbl_sock_getattr(sk, &secattr); | ||
| 361 | release_sock(sk); | ||
| 356 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) | 362 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) |
| 357 | rc = -EACCES; | 363 | rc = -EACCES; |
| 358 | netlbl_secattr_destroy(&secattr); | 364 | netlbl_secattr_destroy(&secattr); |