NetLabel: make netlbl_lsm_secattr struct easier/quicker to understand

The existing netlbl_lsm_secattr struct required the LSM to check all of the fields to determine if any security attributes were present resulting in a lot of work in the common case of no attributes. This patch adds a 'flags' field which is used to indicate which attributes are present in the structure; this should allow the LSM to do a quick comparison to determine if the structure holds any security attributes. Example: if (netlbl_lsm_secattr->flags) /* security attributes present */ else /* NO security attributes present */ Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2006-11-17 17:38:46 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-03 00:24:07 -0500
commit: 701a90bad99b8081a824cca52c178c8fc8f46bb2 (patch)
tree: 5fed88e6707e9122d7f16e4c5d8fea7c69e090ac
parent: c6fa82a9dd6160e0bc980cb0401c16bf62f2fe66 (diff)
4 files changed, 45 insertions, 19 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 4e223aa25e5b..d605d7954013 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -111,11 +111,17 @@ struct netlbl_lsm_cache {
        void (*free) (const void *data);
        void *data;
 };
+#define NETLBL_SECATTR_NONE             0x00000000
+#define NETLBL_SECATTR_DOMAIN           0x00000001
+#define NETLBL_SECATTR_CACHE            0x00000002
+#define NETLBL_SECATTR_MLS_LVL          0x00000004
+#define NETLBL_SECATTR_MLS_CAT          0x00000008
 struct netlbl_lsm_secattr {
+        u32 flags;
        char *domain;
        u32 mls_lvl;
-        u32 mls_lvl_vld;
        unsigned char *mls_cat;
        size_t mls_cat_len;
@@ -174,7 +180,10 @@ static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
 */
 static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
 {
-        memset(secattr, 0, sizeof(*secattr));
+        secattr->flags = 0;
+        secattr->domain = NULL;
+        secattr->mls_cat = NULL;
+        secattr->cache = NULL;
 }
 /**
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 095038ad72a4..f0a0785047fe 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -319,6 +319,7 @@ static int cipso_v4_cache_check(const unsigned char *key,
                        entry->activity += 1;
                        atomic_inc(&entry->lsm_data->refcount);
                        secattr->cache = entry->lsm_data;
+                        secattr->flags |= NETLBL_SECATTR_CACHE;
                        if (prev_entry == NULL) {
                                spin_unlock_bh(&cipso_v4_cache[bkt].lock);
                                return 0;
@@ -991,12 +992,15 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
                               unsigned char **buffer,
                               u32 *buffer_len)
 {
-        int ret_val = -EPERM;
+        int ret_val;
        unsigned char *buf = NULL;
        u32 buf_len;
        u32 level;
-        if (secattr->mls_cat) {
+        if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
+                return -EPERM;
+        if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
                buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,
                              GFP_ATOMIC);
                if (buf == NULL)
@@ -1013,10 +1017,10 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
                /* This will send packets using the "optimized" format when
                 * possibile as specified in  section 3.4.2.6 of the
                 * CIPSO draft. */
-                if (cipso_v4_rbm_optfmt && (ret_val > 0 && ret_val < 10))
+                if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
-                        ret_val = 10;
+                        buf_len = 14;
+                else
-                buf_len = 4 + ret_val;
+                        buf_len = 4 + ret_val;
        } else {
                buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);
                if (buf == NULL)
@@ -1070,7 +1074,7 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
        if (ret_val != 0)
                return ret_val;
        secattr->mls_lvl = level;
-        secattr->mls_lvl_vld = 1;
+        secattr->flags |= NETLBL_SECATTR_MLS_LVL;
        if (tag_len > 4) {
                switch (doi_def->type) {
@@ -1094,8 +1098,10 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
                if (ret_val < 0) {
                        kfree(secattr->mls_cat);
                        return ret_val;
+                } else if (ret_val > 0) {
+                        secattr->mls_cat_len = ret_val;
+                        secattr->flags |= NETLBL_SECATTR_MLS_CAT;
                }
-                secattr->mls_cat_len = ret_val;
        }
        return 0;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index ff971103fd0c..da2f1975a042 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -62,6 +62,9 @@ int netlbl_socket_setattr(const struct socket *sock,
        int ret_val = -ENOENT;
        struct netlbl_dom_map *dom_entry;
+        if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
+                return -ENOENT;
        rcu_read_lock();
        dom_entry = netlbl_domhsh_getentry(secattr->domain);
        if (dom_entry == NULL)
@@ -200,7 +203,7 @@ void netlbl_cache_invalidate(void)
 int netlbl_cache_add(const struct sk_buff *skb,
                     const struct netlbl_lsm_secattr *secattr)
 {
-        if (secattr->cache == NULL)
+        if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
                return -ENOMSG;
        if (CIPSO_V4_OPTEXIST(skb))
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 408820486af0..1f5bbb246d28 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2254,8 +2254,6 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
        cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
        if (cache == NULL)
                goto netlbl_cache_add_return;
-        secattr.cache->free = selinux_netlbl_cache_free;
-        secattr.cache->data = (void *)cache;
        cache->type = NETLBL_CACHE_T_MLS;
        if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
@@ -2268,6 +2266,10 @@ static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
        cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
        cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
+        secattr.cache->free = selinux_netlbl_cache_free;
+        secattr.cache->data = (void *)cache;
+        secattr.flags = NETLBL_SECATTR_CACHE;
        netlbl_cache_add(skb, &secattr);
 netlbl_cache_add_return:
@@ -2313,7 +2315,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
        POLICY_RDLOCK;
-        if (secattr->cache) {
+        if (secattr->flags & NETLBL_SECATTR_CACHE) {
                cache = NETLBL_CACHE(secattr->cache->data);
                switch (cache->type) {
                case NETLBL_CACHE_T_SID:
@@ -2346,7 +2348,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
                default:
                        goto netlbl_secattr_to_sid_return;
                }
-        } else if (secattr->mls_lvl_vld) {
+        } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
                ctx = sidtab_search(&sidtab, base_sid);
                if (ctx == NULL)
                        goto netlbl_secattr_to_sid_return;
@@ -2355,7 +2357,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
                ctx_new.role = ctx->role;
                ctx_new.type = ctx->type;
                mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl);
-                if (secattr->mls_cat) {
+                if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
                        if (mls_import_cat(&ctx_new,
                                           secattr->mls_cat,
                                           secattr->mls_cat_len,
@@ -2414,11 +2416,13 @@ static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
        netlbl_secattr_init(&secattr);
        rc = netlbl_skbuff_getattr(skb, &secattr);
-        if (rc == 0)
+        if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
                rc = selinux_netlbl_secattr_to_sid(skb,
                                                   &secattr,
                                                   base_sid,
                                                   sid);
+        else
+                *sid = SECSID_NULL;
        netlbl_secattr_destroy(&secattr);
        return rc;
@@ -2455,7 +2459,6 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
        secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
                                 GFP_ATOMIC);
        mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
-        secattr.mls_lvl_vld = 1;
        rc = mls_export_cat(ctx,
                            &secattr.mls_cat,
                            &secattr.mls_cat_len,
@@ -2464,6 +2467,10 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
        if (rc != 0)
                goto netlbl_socket_setsid_return;
+        secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
+        if (secattr.mls_cat)
+                secattr.flags |= NETLBL_SECATTR_MLS_CAT;
        rc = netlbl_socket_setattr(sock, &secattr);
        if (rc == 0)
                sksec->nlbl_state = NLBL_LABELED;
@@ -2564,6 +2571,7 @@ void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
        netlbl_secattr_init(&secattr);
        if (netlbl_sock_getattr(sk, &secattr) == 0 &&
+            secattr.flags != NETLBL_SECATTR_NONE &&
            selinux_netlbl_secattr_to_sid(NULL,
                                          &secattr,
                                          SECINITSID_UNLABELED,
@@ -2756,7 +2764,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
            sksec->nlbl_state == NLBL_LABELED) {
                netlbl_secattr_init(&secattr);
                rc = netlbl_socket_getattr(sock, &secattr);
-                if (rc == 0 && (secattr.cache || secattr.mls_lvl_vld))
+                if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
                        rc = -EACCES;
                netlbl_secattr_destroy(&secattr);
        }
author	Paul Moore <paul.moore@hp.com>	2006-11-17 17:38:46 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-03 00:24:07 -0500
commit	701a90bad99b8081a824cca52c178c8fc8f46bb2 (patch)
tree	5fed88e6707e9122d7f16e4c5d8fea7c69e090ac
parent	c6fa82a9dd6160e0bc980cb0401c16bf62f2fe66 (diff)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 4e223aa25e5b..d605d7954013 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h
@@ -111,11 +111,17 @@ struct netlbl_lsm_cache {
111	void (free) (const void data);	111	void (free) (const void data);
112	void *data;	112	void *data;
113	};	113	};
		114	#define NETLBL_SECATTR_NONE 0x00000000
		115	#define NETLBL_SECATTR_DOMAIN 0x00000001
		116	#define NETLBL_SECATTR_CACHE 0x00000002
		117	#define NETLBL_SECATTR_MLS_LVL 0x00000004
		118	#define NETLBL_SECATTR_MLS_CAT 0x00000008
114	struct netlbl_lsm_secattr {	119	struct netlbl_lsm_secattr {
		120	u32 flags;
		121
115	char *domain;	122	char *domain;
116		123
117	u32 mls_lvl;	124	u32 mls_lvl;
118	u32 mls_lvl_vld;
119	unsigned char *mls_cat;	125	unsigned char *mls_cat;
120	size_t mls_cat_len;	126	size_t mls_cat_len;
121		127
@@ -174,7 +180,10 @@ static inline void netlbl_secattr_cache_free(struct netlbl_lsm_cache *cache)
174	*/	180	*/
175	static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)	181	static inline void netlbl_secattr_init(struct netlbl_lsm_secattr *secattr)
176	{	182	{
177	memset(secattr, 0, sizeof(*secattr));	183	secattr->flags = 0;
		184	secattr->domain = NULL;
		185	secattr->mls_cat = NULL;
		186	secattr->cache = NULL;
178	}	187	}
179		188
180	/**	189	/**


diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 095038ad72a4..f0a0785047fe 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c
@@ -319,6 +319,7 @@ static int cipso_v4_cache_check(const unsigned char *key,
319	entry->activity += 1;	319	entry->activity += 1;
320	atomic_inc(&entry->lsm_data->refcount);	320	atomic_inc(&entry->lsm_data->refcount);
321	secattr->cache = entry->lsm_data;	321	secattr->cache = entry->lsm_data;
		322	secattr->flags \|= NETLBL_SECATTR_CACHE;
322	if (prev_entry == NULL) {	323	if (prev_entry == NULL) {
323	spin_unlock_bh(&cipso_v4_cache[bkt].lock);	324	spin_unlock_bh(&cipso_v4_cache[bkt].lock);
324	return 0;	325	return 0;
@@ -991,12 +992,15 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
991	unsigned char **buffer,	992	unsigned char **buffer,
992	u32 *buffer_len)	993	u32 *buffer_len)
993	{	994	{
994	int ret_val = -EPERM;	995	int ret_val;
995	unsigned char *buf = NULL;	996	unsigned char *buf = NULL;
996	u32 buf_len;	997	u32 buf_len;
997	u32 level;	998	u32 level;
998		999
999	if (secattr->mls_cat) {	1000	if ((secattr->flags & NETLBL_SECATTR_MLS_LVL) == 0)
		1001	return -EPERM;
		1002
		1003	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
1000	buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,	1004	buf = kzalloc(CIPSO_V4_HDR_LEN + 4 + CIPSO_V4_TAG1_CAT_LEN,
1001	GFP_ATOMIC);	1005	GFP_ATOMIC);
1002	if (buf == NULL)	1006	if (buf == NULL)
@@ -1013,10 +1017,10 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
1013	/* This will send packets using the "optimized" format when	1017	/* This will send packets using the "optimized" format when
1014	* possibile as specified in section 3.4.2.6 of the	1018	* possibile as specified in section 3.4.2.6 of the
1015	* CIPSO draft. */	1019	* CIPSO draft. */
1016	if (cipso_v4_rbm_optfmt && (ret_val > 0 && ret_val < 10))	1020	if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
1017	ret_val = 10;	1021	buf_len = 14;
1018		1022	else
1019	buf_len = 4 + ret_val;	1023	buf_len = 4 + ret_val;
1020	} else {	1024	} else {
1021	buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);	1025	buf = kzalloc(CIPSO_V4_HDR_LEN + 4, GFP_ATOMIC);
1022	if (buf == NULL)	1026	if (buf == NULL)
@@ -1070,7 +1074,7 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
1070	if (ret_val != 0)	1074	if (ret_val != 0)
1071	return ret_val;	1075	return ret_val;
1072	secattr->mls_lvl = level;	1076	secattr->mls_lvl = level;
1073	secattr->mls_lvl_vld = 1;	1077	secattr->flags \|= NETLBL_SECATTR_MLS_LVL;
1074		1078
1075	if (tag_len > 4) {	1079	if (tag_len > 4) {
1076	switch (doi_def->type) {	1080	switch (doi_def->type) {
@@ -1094,8 +1098,10 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
1094	if (ret_val < 0) {	1098	if (ret_val < 0) {
1095	kfree(secattr->mls_cat);	1099	kfree(secattr->mls_cat);
1096	return ret_val;	1100	return ret_val;
		1101	} else if (ret_val > 0) {
		1102	secattr->mls_cat_len = ret_val;
		1103	secattr->flags \|= NETLBL_SECATTR_MLS_CAT;
1097	}	1104	}
1098	secattr->mls_cat_len = ret_val;
1099	}	1105	}
1100		1106
1101	return 0;	1107	return 0;


diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index ff971103fd0c..da2f1975a042 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c
@@ -62,6 +62,9 @@ int netlbl_socket_setattr(const struct socket *sock,
62	int ret_val = -ENOENT;	62	int ret_val = -ENOENT;
63	struct netlbl_dom_map *dom_entry;	63	struct netlbl_dom_map *dom_entry;
64		64
		65	if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0)
		66	return -ENOENT;
		67
65	rcu_read_lock();	68	rcu_read_lock();
66	dom_entry = netlbl_domhsh_getentry(secattr->domain);	69	dom_entry = netlbl_domhsh_getentry(secattr->domain);
67	if (dom_entry == NULL)	70	if (dom_entry == NULL)
@@ -200,7 +203,7 @@ void netlbl_cache_invalidate(void)
200	int netlbl_cache_add(const struct sk_buff *skb,	203	int netlbl_cache_add(const struct sk_buff *skb,
201	const struct netlbl_lsm_secattr *secattr)	204	const struct netlbl_lsm_secattr *secattr)
202	{	205	{
203	if (secattr->cache == NULL)	206	if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
204	return -ENOMSG;	207	return -ENOMSG;
205		208
206	if (CIPSO_V4_OPTEXIST(skb))	209	if (CIPSO_V4_OPTEXIST(skb))


diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 408820486af0..1f5bbb246d28 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -2254,8 +2254,6 @@ static void selinux_netlbl_cache_add(struct sk_buff skb, struct context ctx)
2254	cache = kzalloc(sizeof(*cache), GFP_ATOMIC);	2254	cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
2255	if (cache == NULL)	2255	if (cache == NULL)
2256	goto netlbl_cache_add_return;	2256	goto netlbl_cache_add_return;
2257	secattr.cache->free = selinux_netlbl_cache_free;
2258	secattr.cache->data = (void *)cache;
2259		2257
2260	cache->type = NETLBL_CACHE_T_MLS;	2258	cache->type = NETLBL_CACHE_T_MLS;
2261	if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,	2259	if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
@@ -2268,6 +2266,10 @@ static void selinux_netlbl_cache_add(struct sk_buff skb, struct context ctx)
2268	cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;	2266	cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
2269	cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;	2267	cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
2270		2268
		2269	secattr.cache->free = selinux_netlbl_cache_free;
		2270	secattr.cache->data = (void *)cache;
		2271	secattr.flags = NETLBL_SECATTR_CACHE;
		2272
2271	netlbl_cache_add(skb, &secattr);	2273	netlbl_cache_add(skb, &secattr);
2272		2274
2273	netlbl_cache_add_return:	2275	netlbl_cache_add_return:
@@ -2313,7 +2315,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2313		2315
2314	POLICY_RDLOCK;	2316	POLICY_RDLOCK;
2315		2317
2316	if (secattr->cache) {	2318	if (secattr->flags & NETLBL_SECATTR_CACHE) {
2317	cache = NETLBL_CACHE(secattr->cache->data);	2319	cache = NETLBL_CACHE(secattr->cache->data);
2318	switch (cache->type) {	2320	switch (cache->type) {
2319	case NETLBL_CACHE_T_SID:	2321	case NETLBL_CACHE_T_SID:
@@ -2346,7 +2348,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2346	default:	2348	default:
2347	goto netlbl_secattr_to_sid_return;	2349	goto netlbl_secattr_to_sid_return;
2348	}	2350	}
2349	} else if (secattr->mls_lvl_vld) {	2351	} else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
2350	ctx = sidtab_search(&sidtab, base_sid);	2352	ctx = sidtab_search(&sidtab, base_sid);
2351	if (ctx == NULL)	2353	if (ctx == NULL)
2352	goto netlbl_secattr_to_sid_return;	2354	goto netlbl_secattr_to_sid_return;
@@ -2355,7 +2357,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
2355	ctx_new.role = ctx->role;	2357	ctx_new.role = ctx->role;
2356	ctx_new.type = ctx->type;	2358	ctx_new.type = ctx->type;
2357	mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl);	2359	mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl);
2358	if (secattr->mls_cat) {	2360	if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
2359	if (mls_import_cat(&ctx_new,	2361	if (mls_import_cat(&ctx_new,
2360	secattr->mls_cat,	2362	secattr->mls_cat,
2361	secattr->mls_cat_len,	2363	secattr->mls_cat_len,
@@ -2414,11 +2416,13 @@ static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
2414		2416
2415	netlbl_secattr_init(&secattr);	2417	netlbl_secattr_init(&secattr);
2416	rc = netlbl_skbuff_getattr(skb, &secattr);	2418	rc = netlbl_skbuff_getattr(skb, &secattr);
2417	if (rc == 0)	2419	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
2418	rc = selinux_netlbl_secattr_to_sid(skb,	2420	rc = selinux_netlbl_secattr_to_sid(skb,
2419	&secattr,	2421	&secattr,
2420	base_sid,	2422	base_sid,
2421	sid);	2423	sid);
		2424	else
		2425	*sid = SECSID_NULL;
2422	netlbl_secattr_destroy(&secattr);	2426	netlbl_secattr_destroy(&secattr);
2423		2427
2424	return rc;	2428	return rc;
@@ -2455,7 +2459,6 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
2455	secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],	2459	secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
2456	GFP_ATOMIC);	2460	GFP_ATOMIC);
2457	mls_export_lvl(ctx, &secattr.mls_lvl, NULL);	2461	mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
2458	secattr.mls_lvl_vld = 1;
2459	rc = mls_export_cat(ctx,	2462	rc = mls_export_cat(ctx,
2460	&secattr.mls_cat,	2463	&secattr.mls_cat,
2461	&secattr.mls_cat_len,	2464	&secattr.mls_cat_len,
@@ -2464,6 +2467,10 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
2464	if (rc != 0)	2467	if (rc != 0)
2465	goto netlbl_socket_setsid_return;	2468	goto netlbl_socket_setsid_return;
2466		2469
		2470	secattr.flags \|= NETLBL_SECATTR_DOMAIN \| NETLBL_SECATTR_MLS_LVL;
		2471	if (secattr.mls_cat)
		2472	secattr.flags \|= NETLBL_SECATTR_MLS_CAT;
		2473
2467	rc = netlbl_socket_setattr(sock, &secattr);	2474	rc = netlbl_socket_setattr(sock, &secattr);
2468	if (rc == 0)	2475	if (rc == 0)
2469	sksec->nlbl_state = NLBL_LABELED;	2476	sksec->nlbl_state = NLBL_LABELED;
@@ -2564,6 +2571,7 @@ void selinux_netlbl_sock_graft(struct sock sk, struct socket sock)
2564		2571
2565	netlbl_secattr_init(&secattr);	2572	netlbl_secattr_init(&secattr);
2566	if (netlbl_sock_getattr(sk, &secattr) == 0 &&	2573	if (netlbl_sock_getattr(sk, &secattr) == 0 &&
		2574	secattr.flags != NETLBL_SECATTR_NONE &&
2567	selinux_netlbl_secattr_to_sid(NULL,	2575	selinux_netlbl_secattr_to_sid(NULL,
2568	&secattr,	2576	&secattr,
2569	SECINITSID_UNLABELED,	2577	SECINITSID_UNLABELED,
@@ -2756,7 +2764,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
2756	sksec->nlbl_state == NLBL_LABELED) {	2764	sksec->nlbl_state == NLBL_LABELED) {
2757	netlbl_secattr_init(&secattr);	2765	netlbl_secattr_init(&secattr);
2758	rc = netlbl_socket_getattr(sock, &secattr);	2766	rc = netlbl_socket_getattr(sock, &secattr);
2759	if (rc == 0 && (secattr.cache \|\| secattr.mls_lvl_vld))	2767	if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
2760	rc = -EACCES;	2768	rc = -EACCES;
2761	netlbl_secattr_destroy(&secattr);	2769	netlbl_secattr_destroy(&secattr);
2762	}	2770	}