authorPaul Moore <paul.moore@hp.com>2008-04-10 10:48:14 -0400
committerJames Morris <jmorris@namei.org>2008-04-18 06:26:16 -0400
commit3e11217263d0521e212cb8a017fbc2a1514db78f (patch)
treed3b399c3d907cd90afd27003000fd9d99212f44b
parent832cbd9aa1293cba57d06571f5fc8f0917c672af (diff)
SELinux: Add network port SID cache
Much like we added a network node cache, this patch adds a network port cache. The design is taken almost completely from the network node cache which in turn was taken from the network interface cache. The basic idea is to cache entries in a hash table based on protocol/port information. The hash function only takes the port number into account since the number of different protocols in use at any one time is expected to be relatively small. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/Makefile1
-rw-r--r--security/selinux/hooks.c20
-rw-r--r--security/selinux/include/objsec.h6
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/ss/services.c8
5 files changed, 17 insertions, 21 deletions
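--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -11,6 +11,7 @@ selinux-y := avc.o \
 	nlmsgtab.o \
 	netif.o \
 	netnode.o \
+	netport.o \
 	exports.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o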
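--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -80,6 +80,7 @@
 #include "objsec.h"
 #include "netif.h"
 #include "netnode.h"
+#include "netport.h"
 #include "xfrm.h"
 #include "netlabel.h"
 
@@ -3670,10 +3671,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 		inet_get_local_port_range(&low, &high);
 
 		if (snum < max(PROT_SOCK, low) || snum > high) {
-			err = security_port_sid(sk->sk_family,
-						sk->sk_type,
-						sk->sk_protocol, snum,
-						&sid);
+			err = sel_netport_sid(sk->sk_protocol,
+					      snum, &sid);
 			if (err)
 				goto out;
 			AVC_AUDIT_DATA_INIT(&ad,NET);
@@ -3761,8 +3760,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 		snum = ntohs(addr6->sin6_port);
 	}
 
-	err = security_port_sid(sk->sk_family, sk->sk_type,
-				sk->sk_protocol, snum, &sid);
+	err = sel_netport_sid(sk->sk_protocol, snum, &sid);
 	if (err)
 		goto out;
 
@@ -3993,9 +3991,8 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 
 	if (!recv_perm)
 		return 0;
-	err = security_port_sid(sk->sk_family, sk->sk_type,
-				sk->sk_protocol, ntohs(ad->u.net.sport),
-				&port_sid);
+	err = sel_netport_sid(sk->sk_protocol,
+			      ntohs(ad->u.net.sport), &port_sid);
 	if (unlikely(err)) {
 		printk(KERN_WARNING
 		       "SELinux: failure in"
@@ -4416,9 +4413,8 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 	if (send_perm != 0)
 		return 0;
 
-	err = security_port_sid(sk->sk_family, sk->sk_type,
-				sk->sk_protocol, ntohs(ad->u.net.dport),
-				&port_sid);
+	err = sel_netport_sid(sk->sk_protocol,
+			      ntohs(ad->u.net.dport), &port_sid);
 	if (unlikely(err)) {
 		printk(KERN_WARNING
 		       "SELinux: failure in"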
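Review bot: The four new sel_netport_sid() calls and the added `#include "netport.h"` depend on a header and an implementation that are not among the five files this commit lists (the Makefile now links netport.o, yet neither netport.c nor netport.h appears in the diffstat). If those files arrive in a separate commit, this one needs to be ordered after it so the tree builds at every step of a bisect; if the page merely omits newly added files, nothing needs to change. The callers themselves are consistent across the bind, connect and both iptables_compat hunks: each passes `sk->sk_protocol` and the host-order port and drops the family/type arguments, matching the reworked `security_port_sid(u8 protocol, u16 port, u32 *out_sid)` prototype in security.h. Every enclosing function here (selinux_socket_bind, selinux_socket_connect, selinux_sock_rcv_skb_iptables_compat, selinux_ip_postroute_iptables_compat) starts and ends outside its hunk.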
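--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -103,6 +103,12 @@ struct netnode_security_struct {
 	u16 family;			/* address family */
 };
 
+struct netport_security_struct {
+	u32 sid;			/* SID for this node */
+	u16 port;			/* port number */
+	u8 protocol;			/* transport protocol */
+};
+
 struct sk_security_struct {
 	u32 sid;			/* SID of this object */
 	u32 peer_sid;			/* SID of peer */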
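Review bot: The comment on the new `sid` member of struct netport_security_struct reads `/* SID for this node */`, which was carried over from netnode_security_struct directly above and no longer describes the object; it should be `u32 sid; /* SID for this port */`. The `u8 protocol` and `u16 port` member widths match the parameter types of the reworked `security_port_sid(u8 protocol, u16 port, u32 *out_sid)` prototype in security.h, so no narrowing occurs when a cache entry's fields are handed to that lookup. The struct is complete within the hunk.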
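--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -102,8 +102,7 @@ int security_context_to_sid_default(char *scontext, u32 scontext_len,
 int security_get_user_sids(u32 callsid, char *username,
 			   u32 **sids, u32 *nel);
 
-int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
-		      u32 *out_sid);
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 
 int security_netif_sid(char *name, u32 *if_sid);
 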
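--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1472,17 +1472,11 @@ err:
 
 /**
  * security_port_sid - Obtain the SID for a port.
- * @domain: communication domain aka address family
- * @type: socket type
  * @protocol: protocol number
  * @port: port number
  * @out_sid: security identifier
  */
-int security_port_sid(u16 domain,
-		      u16 type,
-		      u8 protocol,
-		      u16 port,
-		      u32 *out_sid)
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
 {
 	struct ocontext *c;
 	int rc = 0;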