diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2006-02-05 02:27:50 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-02-05 14:06:52 -0500 |
commit | c2b507fda390b8ae90deba9b8cdc3fe727482193 (patch) | |
tree | 6c839e9682fd1610dc6a9fb7cca9df2899ff05ca | |
parent | 5c0d5d262aa4c5e93f9f5de298cf25d6d8b558c4 (diff) |
[PATCH] selinux: require SECURITY_NETWORK
Make SELinux depend on SECURITY_NETWORK (which depends on SECURITY), as it
requires the socket hooks for proper operation even in the local case.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | security/selinux/Kconfig | 2 | ||||
-rw-r--r-- | security/selinux/Makefile | 4 | ||||
-rw-r--r-- | security/selinux/hooks.c | 21 |
3 files changed, 5 insertions, 22 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index b59582b92283..502f78f13f5f 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig | |||
@@ -1,6 +1,6 @@ | |||
1 | config SECURITY_SELINUX | 1 | config SECURITY_SELINUX |
2 | bool "NSA SELinux Support" | 2 | bool "NSA SELinux Support" |
3 | depends on SECURITY && NET && INET | 3 | depends on SECURITY_NETWORK && NET && INET |
4 | default n | 4 | default n |
5 | help | 5 | help |
6 | This selects NSA Security-Enhanced Linux (SELinux). | 6 | This selects NSA Security-Enhanced Linux (SELinux). |
diff --git a/security/selinux/Makefile b/security/selinux/Makefile index 06d54d9d20a5..688c0a267b62 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile | |||
@@ -4,9 +4,7 @@ | |||
4 | 4 | ||
5 | obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/ | 5 | obj-$(CONFIG_SECURITY_SELINUX) := selinux.o ss/ |
6 | 6 | ||
7 | selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o | 7 | selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o |
8 | |||
9 | selinux-$(CONFIG_SECURITY_NETWORK) += netif.o | ||
10 | 8 | ||
11 | selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o | 9 | selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o |
12 | 10 | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4ae834d89bce..b7773bf68efa 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -232,7 +232,6 @@ static void superblock_free_security(struct super_block *sb) | |||
232 | kfree(sbsec); | 232 | kfree(sbsec); |
233 | } | 233 | } |
234 | 234 | ||
235 | #ifdef CONFIG_SECURITY_NETWORK | ||
236 | static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) | 235 | static int sk_alloc_security(struct sock *sk, int family, gfp_t priority) |
237 | { | 236 | { |
238 | struct sk_security_struct *ssec; | 237 | struct sk_security_struct *ssec; |
@@ -261,7 +260,6 @@ static void sk_free_security(struct sock *sk) | |||
261 | sk->sk_security = NULL; | 260 | sk->sk_security = NULL; |
262 | kfree(ssec); | 261 | kfree(ssec); |
263 | } | 262 | } |
264 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
265 | 263 | ||
266 | /* The security server must be initialized before | 264 | /* The security server must be initialized before |
267 | any labeling or access decisions can be provided. */ | 265 | any labeling or access decisions can be provided. */ |
@@ -2736,8 +2734,6 @@ static void selinux_task_to_inode(struct task_struct *p, | |||
2736 | return; | 2734 | return; |
2737 | } | 2735 | } |
2738 | 2736 | ||
2739 | #ifdef CONFIG_SECURITY_NETWORK | ||
2740 | |||
2741 | /* Returns error only if unable to parse addresses */ | 2737 | /* Returns error only if unable to parse addresses */ |
2742 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) | 2738 | static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct avc_audit_data *ad) |
2743 | { | 2739 | { |
@@ -3556,15 +3552,6 @@ static unsigned int selinux_ipv6_postroute_last(unsigned int hooknum, | |||
3556 | 3552 | ||
3557 | #endif /* CONFIG_NETFILTER */ | 3553 | #endif /* CONFIG_NETFILTER */ |
3558 | 3554 | ||
3559 | #else | ||
3560 | |||
3561 | static inline int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) | ||
3562 | { | ||
3563 | return 0; | ||
3564 | } | ||
3565 | |||
3566 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
3567 | |||
3568 | static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) | 3555 | static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) |
3569 | { | 3556 | { |
3570 | struct task_security_struct *tsec; | 3557 | struct task_security_struct *tsec; |
@@ -4340,7 +4327,6 @@ static struct security_operations selinux_ops = { | |||
4340 | .getprocattr = selinux_getprocattr, | 4327 | .getprocattr = selinux_getprocattr, |
4341 | .setprocattr = selinux_setprocattr, | 4328 | .setprocattr = selinux_setprocattr, |
4342 | 4329 | ||
4343 | #ifdef CONFIG_SECURITY_NETWORK | ||
4344 | .unix_stream_connect = selinux_socket_unix_stream_connect, | 4330 | .unix_stream_connect = selinux_socket_unix_stream_connect, |
4345 | .unix_may_send = selinux_socket_unix_may_send, | 4331 | .unix_may_send = selinux_socket_unix_may_send, |
4346 | 4332 | ||
@@ -4362,7 +4348,6 @@ static struct security_operations selinux_ops = { | |||
4362 | .sk_alloc_security = selinux_sk_alloc_security, | 4348 | .sk_alloc_security = selinux_sk_alloc_security, |
4363 | .sk_free_security = selinux_sk_free_security, | 4349 | .sk_free_security = selinux_sk_free_security, |
4364 | .sk_getsid = selinux_sk_getsid_security, | 4350 | .sk_getsid = selinux_sk_getsid_security, |
4365 | #endif | ||
4366 | 4351 | ||
4367 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | 4352 | #ifdef CONFIG_SECURITY_NETWORK_XFRM |
4368 | .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, | 4353 | .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, |
@@ -4440,7 +4425,7 @@ next_sb: | |||
4440 | all processes and objects when they are created. */ | 4425 | all processes and objects when they are created. */ |
4441 | security_initcall(selinux_init); | 4426 | security_initcall(selinux_init); |
4442 | 4427 | ||
4443 | #if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER) | 4428 | #if defined(CONFIG_NETFILTER) |
4444 | 4429 | ||
4445 | static struct nf_hook_ops selinux_ipv4_op = { | 4430 | static struct nf_hook_ops selinux_ipv4_op = { |
4446 | .hook = selinux_ipv4_postroute_last, | 4431 | .hook = selinux_ipv4_postroute_last, |
@@ -4501,13 +4486,13 @@ static void selinux_nf_ip_exit(void) | |||
4501 | } | 4486 | } |
4502 | #endif | 4487 | #endif |
4503 | 4488 | ||
4504 | #else /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ | 4489 | #else /* CONFIG_NETFILTER */ |
4505 | 4490 | ||
4506 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | 4491 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE |
4507 | #define selinux_nf_ip_exit() | 4492 | #define selinux_nf_ip_exit() |
4508 | #endif | 4493 | #endif |
4509 | 4494 | ||
4510 | #endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */ | 4495 | #endif /* CONFIG_NETFILTER */ |
4511 | 4496 | ||
4512 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE | 4497 | #ifdef CONFIG_SECURITY_SELINUX_DISABLE |
4513 | int selinux_disable(void) | 4498 | int selinux_disable(void) |