diff options
| author | Paul Moore <paul.moore@hp.com> | 2007-07-30 16:33:26 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2007-08-02 11:52:21 -0400 |
| commit | 9534f71ca33e5a9de26dfd43c76af86e005005dd (patch) | |
| tree | 344444735f541f79ed98cc38fa9040bc018ec66e | |
| parent | 1ed4395035a6791ebbbf618429a58ab9c207cc83 (diff) | |
SELinux: restore proper NetLabel caching behavior
A small fix to the SELinux/NetLabel glue code to ensure that the NetLabel
cache is utilized when possible. This was broken when the SELinux/NetLabel
glue code was reorganized in the last kernel release.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
| -rw-r--r-- | include/net/netlabel.h | 2 | ||||
| -rw-r--r-- | security/selinux/netlabel.c | 16 |
2 files changed, 14 insertions, 4 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index ffbc7f28335a..2e5b2f6f9fa0 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h | |||
| @@ -132,6 +132,8 @@ struct netlbl_lsm_secattr_catmap { | |||
| 132 | #define NETLBL_SECATTR_CACHE 0x00000002 | 132 | #define NETLBL_SECATTR_CACHE 0x00000002 |
| 133 | #define NETLBL_SECATTR_MLS_LVL 0x00000004 | 133 | #define NETLBL_SECATTR_MLS_LVL 0x00000004 |
| 134 | #define NETLBL_SECATTR_MLS_CAT 0x00000008 | 134 | #define NETLBL_SECATTR_MLS_CAT 0x00000008 |
| 135 | #define NETLBL_SECATTR_CACHEABLE (NETLBL_SECATTR_MLS_LVL | \ | ||
| 136 | NETLBL_SECATTR_MLS_CAT) | ||
| 135 | struct netlbl_lsm_secattr { | 137 | struct netlbl_lsm_secattr { |
| 136 | u32 flags; | 138 | u32 flags; |
| 137 | 139 | ||
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 051b14c88e2d..d243ddc723a5 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c | |||
| @@ -162,9 +162,13 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) | |||
| 162 | 162 | ||
| 163 | netlbl_secattr_init(&secattr); | 163 | netlbl_secattr_init(&secattr); |
| 164 | rc = netlbl_skbuff_getattr(skb, &secattr); | 164 | rc = netlbl_skbuff_getattr(skb, &secattr); |
| 165 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) | 165 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) { |
| 166 | rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); | 166 | rc = security_netlbl_secattr_to_sid(&secattr, base_sid, sid); |
| 167 | else | 167 | if (rc == 0 && |
| 168 | (secattr.flags & NETLBL_SECATTR_CACHEABLE) && | ||
| 169 | (secattr.flags & NETLBL_SECATTR_CACHE)) | ||
| 170 | netlbl_cache_add(skb, &secattr); | ||
| 171 | } else | ||
| 168 | *sid = SECSID_NULL; | 172 | *sid = SECSID_NULL; |
| 169 | netlbl_secattr_destroy(&secattr); | 173 | netlbl_secattr_destroy(&secattr); |
| 170 | 174 | ||
| @@ -307,11 +311,15 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, | |||
| 307 | 311 | ||
| 308 | netlbl_secattr_init(&secattr); | 312 | netlbl_secattr_init(&secattr); |
| 309 | rc = netlbl_skbuff_getattr(skb, &secattr); | 313 | rc = netlbl_skbuff_getattr(skb, &secattr); |
| 310 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) | 314 | if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) { |
| 311 | rc = security_netlbl_secattr_to_sid(&secattr, | 315 | rc = security_netlbl_secattr_to_sid(&secattr, |
| 312 | SECINITSID_NETMSG, | 316 | SECINITSID_NETMSG, |
| 313 | &nlbl_sid); | 317 | &nlbl_sid); |
| 314 | else | 318 | if (rc == 0 && |
| 319 | (secattr.flags & NETLBL_SECATTR_CACHEABLE) && | ||
| 320 | (secattr.flags & NETLBL_SECATTR_CACHE)) | ||
| 321 | netlbl_cache_add(skb, &secattr); | ||
| 322 | } else | ||
| 315 | nlbl_sid = SECINITSID_UNLABELED; | 323 | nlbl_sid = SECINITSID_UNLABELED; |
| 316 | netlbl_secattr_destroy(&secattr); | 324 | netlbl_secattr_destroy(&secattr); |
| 317 | if (rc != 0) | 325 | if (rc != 0) |