diff options
author | Paul Moore <paul.moore@hp.com> | 2008-04-10 10:48:14 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-04-18 06:26:16 -0400 |
commit | 3e11217263d0521e212cb8a017fbc2a1514db78f (patch) | |
tree | d3b399c3d907cd90afd27003000fd9d99212f44b | |
parent | 832cbd9aa1293cba57d06571f5fc8f0917c672af (diff) |
SELinux: Add network port SID cache
Much like we added a network node cache, this patch adds a network port
cache. The design is taken almost completely from the network node cache
which in turn was taken from the network interface cache. The basic idea is
to cache entries in a hash table based on protocol/port information. The
hash function only takes the port number into account since the number of
different protocols in use at any one time is expected to be relatively
small.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/Makefile | 1 | ||||
-rw-r--r-- | security/selinux/hooks.c | 20 | ||||
-rw-r--r-- | security/selinux/include/objsec.h | 6 | ||||
-rw-r--r-- | security/selinux/include/security.h | 3 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 8 |
5 files changed, 17 insertions, 21 deletions
diff --git a/security/selinux/Makefile b/security/selinux/Makefile index 00afd85f1edb..d47fc5e545e0 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile | |||
@@ -11,6 +11,7 @@ selinux-y := avc.o \ | |||
11 | nlmsgtab.o \ | 11 | nlmsgtab.o \ |
12 | netif.o \ | 12 | netif.o \ |
13 | netnode.o \ | 13 | netnode.o \ |
14 | netport.o \ | ||
14 | exports.o | 15 | exports.o |
15 | 16 | ||
16 | selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o | 17 | selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 93c809a6e4fa..34f2d46c7984 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -80,6 +80,7 @@ | |||
80 | #include "objsec.h" | 80 | #include "objsec.h" |
81 | #include "netif.h" | 81 | #include "netif.h" |
82 | #include "netnode.h" | 82 | #include "netnode.h" |
83 | #include "netport.h" | ||
83 | #include "xfrm.h" | 84 | #include "xfrm.h" |
84 | #include "netlabel.h" | 85 | #include "netlabel.h" |
85 | 86 | ||
@@ -3670,10 +3671,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in | |||
3670 | inet_get_local_port_range(&low, &high); | 3671 | inet_get_local_port_range(&low, &high); |
3671 | 3672 | ||
3672 | if (snum < max(PROT_SOCK, low) || snum > high) { | 3673 | if (snum < max(PROT_SOCK, low) || snum > high) { |
3673 | err = security_port_sid(sk->sk_family, | 3674 | err = sel_netport_sid(sk->sk_protocol, |
3674 | sk->sk_type, | 3675 | snum, &sid); |
3675 | sk->sk_protocol, snum, | ||
3676 | &sid); | ||
3677 | if (err) | 3676 | if (err) |
3678 | goto out; | 3677 | goto out; |
3679 | AVC_AUDIT_DATA_INIT(&ad,NET); | 3678 | AVC_AUDIT_DATA_INIT(&ad,NET); |
@@ -3761,8 +3760,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, | |||
3761 | snum = ntohs(addr6->sin6_port); | 3760 | snum = ntohs(addr6->sin6_port); |
3762 | } | 3761 | } |
3763 | 3762 | ||
3764 | err = security_port_sid(sk->sk_family, sk->sk_type, | 3763 | err = sel_netport_sid(sk->sk_protocol, snum, &sid); |
3765 | sk->sk_protocol, snum, &sid); | ||
3766 | if (err) | 3764 | if (err) |
3767 | goto out; | 3765 | goto out; |
3768 | 3766 | ||
@@ -3993,9 +3991,8 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk, | |||
3993 | 3991 | ||
3994 | if (!recv_perm) | 3992 | if (!recv_perm) |
3995 | return 0; | 3993 | return 0; |
3996 | err = security_port_sid(sk->sk_family, sk->sk_type, | 3994 | err = sel_netport_sid(sk->sk_protocol, |
3997 | sk->sk_protocol, ntohs(ad->u.net.sport), | 3995 | ntohs(ad->u.net.sport), &port_sid); |
3998 | &port_sid); | ||
3999 | if (unlikely(err)) { | 3996 | if (unlikely(err)) { |
4000 | printk(KERN_WARNING | 3997 | printk(KERN_WARNING |
4001 | "SELinux: failure in" | 3998 | "SELinux: failure in" |
@@ -4416,9 +4413,8 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk, | |||
4416 | if (send_perm != 0) | 4413 | if (send_perm != 0) |
4417 | return 0; | 4414 | return 0; |
4418 | 4415 | ||
4419 | err = security_port_sid(sk->sk_family, sk->sk_type, | 4416 | err = sel_netport_sid(sk->sk_protocol, |
4420 | sk->sk_protocol, ntohs(ad->u.net.dport), | 4417 | ntohs(ad->u.net.dport), &port_sid); |
4421 | &port_sid); | ||
4422 | if (unlikely(err)) { | 4418 | if (unlikely(err)) { |
4423 | printk(KERN_WARNING | 4419 | printk(KERN_WARNING |
4424 | "SELinux: failure in" | 4420 | "SELinux: failure in" |
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 957b10d0f76f..300b61bad7b3 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h | |||
@@ -103,6 +103,12 @@ struct netnode_security_struct { | |||
103 | u16 family; /* address family */ | 103 | u16 family; /* address family */ |
104 | }; | 104 | }; |
105 | 105 | ||
106 | struct netport_security_struct { | ||
107 | u32 sid; /* SID for this node */ | ||
108 | u16 port; /* port number */ | ||
109 | u8 protocol; /* transport protocol */ | ||
110 | }; | ||
111 | |||
106 | struct sk_security_struct { | 112 | struct sk_security_struct { |
107 | u32 sid; /* SID of this object */ | 113 | u32 sid; /* SID of this object */ |
108 | u32 peer_sid; /* SID of peer */ | 114 | u32 peer_sid; /* SID of peer */ |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index bc823ef70a12..1904c462a605 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -102,8 +102,7 @@ int security_context_to_sid_default(char *scontext, u32 scontext_len, | |||
102 | int security_get_user_sids(u32 callsid, char *username, | 102 | int security_get_user_sids(u32 callsid, char *username, |
103 | u32 **sids, u32 *nel); | 103 | u32 **sids, u32 *nel); |
104 | 104 | ||
105 | int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port, | 105 | int security_port_sid(u8 protocol, u16 port, u32 *out_sid); |
106 | u32 *out_sid); | ||
107 | 106 | ||
108 | int security_netif_sid(char *name, u32 *if_sid); | 107 | int security_netif_sid(char *name, u32 *if_sid); |
109 | 108 | ||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 098c96b6f9de..d75050819b06 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -1472,17 +1472,11 @@ err: | |||
1472 | 1472 | ||
1473 | /** | 1473 | /** |
1474 | * security_port_sid - Obtain the SID for a port. | 1474 | * security_port_sid - Obtain the SID for a port. |
1475 | * @domain: communication domain aka address family | ||
1476 | * @type: socket type | ||
1477 | * @protocol: protocol number | 1475 | * @protocol: protocol number |
1478 | * @port: port number | 1476 | * @port: port number |
1479 | * @out_sid: security identifier | 1477 | * @out_sid: security identifier |
1480 | */ | 1478 | */ |
1481 | int security_port_sid(u16 domain, | 1479 | int security_port_sid(u8 protocol, u16 port, u32 *out_sid) |
1482 | u16 type, | ||
1483 | u8 protocol, | ||
1484 | u16 port, | ||
1485 | u32 *out_sid) | ||
1486 | { | 1480 | { |
1487 | struct ocontext *c; | 1481 | struct ocontext *c; |
1488 | int rc = 0; | 1482 | int rc = 0; |